A Legal Perspective: Best Practices for Prevention and Immediate Response to a Breach

December 26, 2019


This blog originally appeared on Nov. 20, 2019, as an article in LawyersWeekly.com.au, a site dedicated to independent news, analysis and opinion about the practice of law in Australia. It was written by Mark Goudie, CrowdStrike® Services Director for Asia Pacific, and is reproduced with the publisher's permission.

Preparing for a cyberattack involves a broad set of stakeholders within a business, and it is becoming commonplace to have experienced investigation lawyers on hand to ensure that clients recover business operations as quickly as possible, while sustaining the least amount of legal, reputational, financial, and operational damage, writes Mark Goudie.

Effective incident response planning begins with robust preparation and strategic thinking. While a large part of the responsibility for incident prevention lies with the client and their technical teams, businesses need to be thinking more broadly about who else from the organization needs to be across the initial response.

In the age of regulation, organizations should ensure that experienced legal counsel is available when a data breach is first detected. This is a crucial step toward proactively building the incident response processes ahead of an incident and establishing roles necessary for responding to it.

A key role for a legal team is initially determining whether an incident involves a compromise of company systems or data, and what any legal or regulatory obligations, such as the Notifiable Data Breaches scheme in Australia, imply for the response. The penalties the Australian Information Commissioner can seek against organizations that do not report a notifiable breach are up to $340,000 AUD (~$233,000 USD) for individuals and $1.7 million AUD (~$1.2M USD) for organizations.

A longstanding challenge in this area is translating cybersecurity defenses into language that demonstrates how an organization is meeting regulatory expectations and legal requirements.

The industry response to this challenge has traditionally been checklists, as a way for the legal or compliance personnel to translate requirements into legible terms, and for IT professionals to then translate technology into something others can understand upon review. However, this alone is not sufficient without the below listed steps, which complete an effective response strategy.

Gaining Complete Situational Visibility

Clients and counsel must work together to ensure comprehensive visibility into the client's electronic environment. Modern endpoint security tools, such as antivirus platforms that use machine learning, can provide continuous coverage of the environment, enabling responders to develop a timely, comprehensive, and complete narrative about the incident.

While discussions about comprehensive visibility of an organization’s network often focus on technical solutions, an experienced investigation lawyer can complement efforts to improve situational visibility across the organization. A legal team should coordinate with clients to proactively establish effective decision-making processes to support information flow from the technical team into the decision-making structure.

Speedy Remediation

During an incident, clients want, and in many cases are legally required to have, investigations that move quickly and offer insights about which mitigation strategies will be most effective. This need can be addressed by the 1-10-60 rule: organizations should strive to detect a malicious intrusion within one minute, understand its context and scope within 10 minutes, and initiate remediation within 60 minutes.

It is imperative that organizations can effectively remediate data breaches before attackers can progress and gain further access into a network. A thorough investigation with clear roles and responsibilities is key to enable faster, more complete remediation.

Having a Strong Pre- and Post-breach Strategy in Place

Data breaches are inevitable, and waiting for a breach to occur before designing an incident response plan is a bad idea that will ultimately cost more money because the resulting response will be ineffective.

Both technical experts and legal counsel have roles to play in helping clients identify the weaknesses and strengths of the response plan.

Technical discoveries during a response can inform both better preventative measures and proactive hunting for adversary activity within the client's environment. All parties involved in the response can advise on the development of post-breach reports that help shape future behavior, and a legal team can provide essential insights to help the client prevent legal and reputational damage.
