When a company suffers a data breach, anything from an innocent joke to a carelessly worded incident report can have very costly consequences.
That was the message from a group of defense lawyers and former U.S. government attorneys who took to the virtual stage at the RSA 2021 conference this week to share some of the more painful lessons companies have learned over the course of their careers.
Many of these mistakes had resulted in companies facing fines and legal judgments running into the millions – and, on rare occasions, the possibility of criminal prosecution.
Not a fun business
One of the most common mistakes the lawyers saw was that companies didn’t realize how much information is gathered by lawyers after a data breach. When civil lawsuits are filed, as is often the case with customer database breaches, the plaintiffs’ attorneys have access during the pre-trial discovery phase to anything up to and including internal emails and text messages sent before or during the attack.
As a result, panelist Ann Marie Mortimer, managing partner and co-head of the commercial litigation practice at the law firm Hunton Andrews Kurth LLP, advised companies to remind their employees that any communications could be subject to legal scrutiny.
“Think, ‘How would I feel if this was blown up in giant letters in the middle of Times Square,'” suggested Mortimer. “It’s not just from the moment of the breach forward – litigation goes back in history.”
According to Mortimer, executives should especially tell their security teams to shed the gallows humor that often prevails in IT departments. A seemingly innocent joke or sarcastic comment about a company’s security posture can be taken out of context and land workers in hot water, or worse.
“We’re talking about communications that happen in the heat of the moment of a security incident. When you’re using Slack or sending texts, don’t write in invisible ink,” noted Mortimer. “You need to start disciplining yourself now so that an email you fired off in the heat of the moment doesn’t get you into trouble.”
Panelist Brian Levine, former Justice Department attorney and current executive director at EY-Parthenon, noted that attorneys may not be the only people looking to collect corporate communications. The hackers who carried out the attack often remain on a victim’s network after making their demands. Seeing the company panic could embolden the criminals to hold firm on those demands.
“Sometimes it’s not the specific words that you use, but the tone. People can be nervous in these situations and some of that nervousness can be reflected in their texts or emails,” said Levine.
“If you have had a violation, it is possible that the criminal is monitoring your communications and this can affect your ability to negotiate effectively.”
Another common threat facing businesses is the incident report. Panelists noted that when reports are produced by security teams, either internally or through consultants, it is important not to expose the company to further legal liability by assigning too much blame.
That doesn’t mean companies should lie or leave out information, the lawyers said, but they advised that reports stick to the facts and avoid blaming anyone, which could leave the door open to lawsuits. Whenever possible, Levine said, companies should conduct as much of their incident investigation and reporting as they can in meetings or video conferences, with an officer or attorney in attendance to take notes, so that important information is recorded without impromptu comments or early conclusions that could later be taken out of context.
Another effective way to reduce the legal threat, Levine said, is to draft the report from what is known as an “affirmative defense dispute” posture. In this approach, the incident report is written from the perspective of a company that will bring legal action against the attacker, placing the blame squarely on the intruder rather than on the steps the company took or did not take.
“It shifts the look from your guilt to a criminal act and you will take steps against the attacker,” Levine said.
Whatever you do, don’t hack back
One point of agreement among the panelists was that companies should never attempt to take revenge on the attacker, a practice known as “hacking back”.
While it may be tempting for companies to break into the hacker’s own servers to retrieve their stolen files, it is never a good idea and is one of the few ways a company can turn a civil lawsuit into a potential criminal case.
“If you hack back on that, you could be breaking federal and civil law and that could lead to legal action,” noted Levine.
“While you think you have reached the criminal’s computer, you are almost always reaching out to an innocent third party and hacking into their computer or server.”
There is also potential liability in paying a ransom demand. With the government now imposing sanctions on a number of foreign hacking groups, paying money to a sanctioned group in response to a ransom demand would be a violation of federal law.
In this respect, the panelists advised companies to get a clear picture of who they are dealing with and where their money would go, lest they incur further penalties from the US Treasury Department.
What’s going right?
There were also some good practices the lawyers had seen among their clients. Mortimer found that her clients are becoming increasingly proactive in their data breach strategy. Rather than waiting for an attack, Mortimer said, companies are taking early action to prepare for incidents and train their teams.
“One of the good things companies do is prepare. For most companies, it’s not a question of if you will get hurt, but when,” said Mortimer. “Businesses need to build a certain amount of muscle memory so they can be prepared if and when it’s about them.”