September 21, 2017 By George Moraetes 3 min read

In recent years, several high-profile breaches involving customer data have led to long and costly litigations. These events demonstrated that data protection is more than just a cybersecurity concern.

When responding to a data breach, legal teams have to work closely with the chief information security officer (CISO) to ensure that security policies, regulatory compliance and response plans are adequate to effectively protect sensitive data. Together, these departments can develop a sound incident response strategy that protects both the organization’s data and its legal interests in the event of a breach.

Potential Legal Repercussions

In addition to the obvious operational and financial repercussions, a data breach can result in class-action lawsuits from customers, federal and state government actions, and even international ramifications. For instance, the cost of the infamous Target breach of 2013 reached nearly $300 million after the company settled with 47 state governments.

Corporate data repositories continually grow and can be on-premises or in the cloud, which adds significant legal complexities, especially when crossing international boundaries or jurisdictions. The CISO must consider these risks with regard to data integrity.

Additionally, the CISO must work with legal counsel to negotiate with government agencies investigating a breach. Breach investigations often involve personnel policies, security policies, corporate governance, cyber liability insurance, breach scenarios, negative publicity and government inquiries. Failure to diligently address all of the above when responding to a breach can result in costlier litigation and reputational damage.

When responding to a data breach, privilege maintenance is crucial. Knowing the differences between a possible incident, an actual incident and a confirmed breach will determine the appropriate response. This requires working with attorneys to help design a response plan that determines who speaks to whom, when and about what. Remember that once a breach is confirmed, litigation will be filed immediately. This represents a high risk factor to consider when formulating a response plan.

For example, it is not enough for a CISO to simply say the organization is in compliance with best practices and regulatory requirements. The government will look at how well-prepared the organization is to detect and appropriately respond to an intrusion. Are the attacks registered? Is the data encrypted? It is critical for the government to treat the breached organization as a victim of the attack to determine whether it had adequate security programs in place.

The Battle in the Boardroom

The CISO must communicate the business benefits of a comprehensive and well-rehearsed incident response plan to the board. Many board members are unwilling to invest time and money without understanding the return on investment (ROI). A risk-based assessment program adequately explained to executives, along with the corporate attorney’s support, can help generate security awareness among board directors.

CISOs can demonstrate the importance of risk management by comparing the security investment with the potential for significant financial exposure should they neglect data protection. Security leaders can also remind business executives of their fiduciary responsibilities and accountability should a breach occur. For example, the Target breach exposed the company’s board to ramifications that led to the departure of its CEO and shareholder demands to drop other board members.

Collaboration Is Crucial When Responding to a Data Breach

The CISO and legal department must work as a team right from the start to develop an incident response plan. From a risk approach, the added focus on risk assessment and management are vital to protecting the organization in the event of a breach.

The planning should take into account the organization’s total protection in areas such as:

  • Governance;
  • Compliance;
  • Data protection;
  • Litigation; and
  • Public relations.

One of the most important steps is to know where your data repositories are and protect them. When a breach occurs and a crisis erupts, management and mitigation are critical. This can only be achieved by engaging all departments within the business to contain the leak, communicating with customers and implementing the proper procedures to limit any reputational and legal damage.

Rehearsals of the plan should include the legal, IT and security teams to ensure all are working together. They must reach the common goal to mitigate the breach as quickly as possible and establish lines of communication early on. In the event that an incident results in litigation, the corporate attorney must be involved at the onset, along with close cooperation from other teams, to minimize the risk. If evidence needs to be collected for an internal investigation, close cooperation with the corporate attorney can help organizations avoid costly delays.

Breaches affect the entire organization, so an effective response to a cyber incident requires interdepartmental cooperation. Support from the C-suite and board are vital — otherwise, the CISO is fighting a losing battle. Involving the legal department in security can help CISOs gain the executive support they need to adequately protect the organization from legal and reputational risks.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today