Tips on How In-House Counsel Can Build a Cybersecurity Strategy

Increasingly, in-house counsel and legal departments are being asked to quarterback their organization’s overall cybersecurity strategy. This is not surprising, given that a major cybersecurity incident can result in lengthy regulatory investigations and litigation, result in prolonged operational disruption, and financial losses, not to mention have long-lasting negative reputational consequences. With so much at stake, how should in-house counsel go about designing and implementing a robust cybersecurity strategy? While there is no “one-size-fits-all” solution, this article seeks to provide some practical advice on steps that can be taken to develop such a strategy and mitigate cybersecurity risks in an organization.[1]

Working Your Way Backwards

Imagine a scenario where an organization has been the victim of a devastating cyber-attack resulting in the theft of their customers’ personal data (e.g., name, email and postal addresses, credit card and other financial information) which was then either sold by criminals to other criminals) on the dark web[2] or leaked online for the world to access. Every step the organization takes from the moment it discovers the cybersecurity incident will potentially be scrutinized by the media, the public, shareholders and should litigation ensue, the courts. In such a scenario, the organization will have to demonstrate that (i) it had taken reasonable steps prior to the cybersecurity incident to limit the likelihood of a data breach; and (ii) upon its discovery, that it acted quickly, decisively and effectively to mitigate the potential negative consequences flowing from it.

While these two key requirements may, at first glance, seem straightforward and obvious, building a plan and keeping the necessary records to demonstrate it before the courts can prove to be challenging for many organizations given the types of data they hold, how they operate (e.g., sharing of customer data between affiliates), and the industries in which they operate (e.g., regulated versus non-regulated industries). Accordingly, the best way to proceed is to develop an “issues map” which allows for a clear and concise breakdown of key elements of a cybersecurity strategy. It also allows in-house counsel to have a reference tool that can be used to monitor compliance. The data collected can also serve to provide timely updates to senior leadership teams.

What to Have in Place before a Cybersecurity Incident

As a general proposition, corporate directors and officers have a duty to act reasonably. This duty of care applies across a directors’ and officers’ myriad of responsibilities, including handling the corporate digital data.[3] This standard of care requires the organization to have reasonable physical, technical and administrative security measures to ensure the confidentiality, integrity and availability of corporate data.

It should be underscored that corporate security requirements are fact-specific, requiring organizations to go through a “process” and determine what security measures are most appropriate in the circumstances. The emerging legal standard contemplates that organizations will create uniquely tailored security measures so long as they conduct ongoing reviews of their security mechanisms. This repetitive review process includes detecting and evaluating risks, implementing specific security responses to those risks, verifying the effectiveness of those security responses, and updating the measures as needed in reaction to developing security concerns.

Broadly speaking, the process-oriented approach to satisfying a “reasonable” standard of care for a duty to provide security is comprised of the following key elements:[4]

1. Have Clear Responsibilities. The Board of Directors (the “Board”) and Senior Leadership Teams (“SLT”) are responsible for identifying the organization’s overall risk profile, ensuring that there is a clear plan to mitigate and respond to a cybersecurity incident and allocating appropriate resources to this end. The Board and SLT should follow the five key principles outlined by the National Association of Corporate Directors.^[5]

In addition, the SLT should identify and task individuals to implement and monitor the organization’s overall cybersecurity strategy. These individuals should come from the following key areas within the organization: legal, information technology, human resources, as well as the business side.

1. Identify Digital Assets. This includes identifying an organization’s information assets that require protection, which include both the data itself (e.g., records containing personal information) and the computing system that store the personal information (e.g., servers, laptops, portable devices). This can sometimes be difficult, especially with an increasing number of organizations moving to the cloud.

2. Conduct Risk Assessments. Organizations should have a clear understanding of their cybersecurity posture. This includes conducting regular risk assessments to identify both internal and external risks to data security. It is equally important to evaluate the effectiveness of the organization’s current practices for safeguarding its digital assets. Preferably, this should be done by an external third party at the direction of legal counsel so as to ensure that appropriate level of privilege can be asserted on the contents of the risk assessment report.

3. Monitoring Effectiveness.  Organizations should regularly monitor, test, and reassess the security controls it has chosen to implement in order to ensure its security program is operating in a manner reasonably calculated to protect personal information. Where material deficiencies are identified, the SLT (and possibly the Board) should be immediately informed so that remedial steps can be taken.

4. Employee Training. The “human” factor remains the greatest point of vulnerability within organizations. Given the sophistication of cyber criminals and their increasing use of social engineering,[6] employees who are not vigilant may find themselves being the weakest link within the cybersecurity chain. To this end, regular training on emerging cyber risks should be dispensed to all employees.

5. Third Party Issues. Organizations should take reasonable steps to verify that any third-party service provider that has access to the organization’s data assets and personal information has itself implemented reasonable security measures. This is primarily achieved by contractual means. Key provisions should include at a minimum (i) immediate notification by the third-party of any security breach of the organization’s data that was in its custody; (ii) cooperation in any forensic investigation; (iii) adherence to internationally recognized security standards; (iv) the right to audit the third-party’s security measures during the course of the agreement; and (v) the third-party maintaining sufficient insurance in the event of a data breach.

While the above elements do not represent an exhaustive list, they provide a basic foundation on which in-house counsel can start building its “Pre-Incident Cybersecurity Strategy”. We provide below a visual map that helps conceptualize these elements and which can be expanded depending on an organization’s size, industry requirements, and specific needs.
           

How to Respond to a Cybersecurity Incident

One of the key responsibilities of in-house counsel is to determine whether a cybersecurity incident has indeed occurred, determine whether it meets a materiality threshold and take appropriate steps. This can be challenging since cybersecurity incidents can range from the theft of corporate data to ransomware attacks that can paralyze business operations to fraudulent wire transfers. Further, the first few hours following the discovery of the cybersecurity incident are often the most critical. Organizations will need to demonstrate that upon learning of the cybersecurity incident, they acted quickly, decisively and effectively.

To do this, organizations need to have a post-incident cybersecurity strategy that covers the following key elements:

1. Detecting an Incident. Signs of an incident fall into one of two categories: precursors (a sign that an incident may occur in the future) and an indicator (a sign that an incident may have occurred or may be occurring). While precursor signs are relatively rare, indicator signs are much more common (e.g., network intrusion detection alerts, antivirus software alerts, system administrator see a filename is unusual characters, etc.). Indicators can come from users of the organization’s network (e.g., loss of service, messages on screen, etc.) – both internally and externally. The organization should have a well-established process whereby indicators of a cybersecurity incident are brought to the attention of the in-house counsel, who is often the point of contact for the incident response team.

2. Analysis of Incident. The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step taken. Where it is determined that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident’s scope (e.g., which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident. While the information on hand may be imperfect, the team should assign a severity level (e.g., critical, high, medium, low).

3. Containing the Incident. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, and disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly. Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS[7] attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making.

4. Evidence Gathering and Documentation. While the primary reason for gathering evidence during an incident is to resolve the incident, it may also be needed for legal proceedings. In such cases, it is important to clearly document how all evidence, including compromised systems, has been preserved. Evidence should be collected according to procedures that meet all applicable laws and regulations that have been developed from previous discussions with legal staff and appropriate law enforcement agencies so that any evidence can be admissible in court.

5. After the incident has been contained, the team will need to focus its efforts on restoring systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents in the future.

   Incident Notification. Where personal or confidential information is compromised as a result of the incident, the organization may be contractually and legally obligated to inform affected individuals, business partners along with regulators. Depending on the type of incident, organizations may need to offer credit monitoring and engage a crisis management firm to assist with public relations.

As was the case in the previous section, while the above elements do not represent an exhaustive list, they provide a basic foundation on which in-house counsel can start building its “Post-Incident Cybersecurity Strategy”. We provide below a visual map that helps conceptualize these elements and which can be expanded depending on an organization’s size, industry requirements and specific needs.

 

Mandatory Breach Notification and Record Keeping

In addition to the above, we note that in June 18, 2015 the federal government passed Bill S-4 – The Digital Privacy Act which introduced several key changes to Canada’s privacy law, the Personal Information Protection and Electronic Documents Act[8] (“PIPEDA”). Some of the changes anticipated to come into force later this year include mandatory data breach notification and mandatory record keeping for all breaches. The mandatory data breach notification will require organizations to notify affected individuals, certain other organizations and the Officer of the Privacy Commissioner of Canada (the “Commissioner”) of any data breach (referred to in PIPEDA as a “breach in security safeguards”), that is reasonably believed to create a “real risk of significant harm to the individual.”

The Breach of Security Safeguards Regulations will also require organizations to maintain a record of every data breach for a minimum of 24 months after it has determined that a breach has occurred. These records should be sufficiently detailed and include, among other things, the methodology used and factors considered in determining whether a particular breach met the threshold of ‘real risk of significant harm.’ These records will be used by the Commissioner as a means to verify compliance and inform further enforcement action, if required.

Conclusion

The role of in-house counsel and legal departments in the context of cybersecurity incidents cannot be overstated. Organizations, especially SLTs, will turn to in-house counsel to develop and implement a cybersecurity strategy, both from a risk mitigation and incident response standpoint. Each organization will have to develop its own unique strategy but the elements outlined above can serve as a solid foundation on which it can be built. That said, the cybersecurity strategy should be viewed as a “living document” and be regularly tested and updated. 

About the author

Imran Ahmad, Partner at Miller Thomson LLP 

Any article or other information or content expressed or made available in this Section, is that of the respective author and not of the OBA.

 

---