The Combination of Lawyers and Incident Response: A Potentially Hazardous Duo

Lawyers and C-suite leaders have the same basic mission: protect the enterprise from bad actors who want to do harm. But they often approach the job in such polar opposite ways that they wind up fighting each other instead of working together.

A new academic report on the topic from researchers at the University of Edinburgh, the University of Innsbruck, Tufts University and the University of Minnesota tried to document how stark those differences have become.

“Cyber insurance sends work to a small number of [incident response] firms, drives down the fees paid and appoints lawyers to direct technical investigators,” the report noted. “Lawyers, when directing incident response often introduce legalistic contractual and communication steps that slow down incident response, advise IR practitioners not to write down remediation steps or to produce formal reports and restrict access to any documents produced.”

According to the report, one lawyer told a forensics team, “We don’t want a final report. Just keep this in draft form.” Another was quoted as saying, “You never want to put in writing what the security system is like, but you also need candor to improve the system. And there is a risk that there won’t be as much frank assessment, because that would turn into a roadmap for plaintiffs.”

The problem, according to noted security consultant Bruce Schneier? “We’re not able to learn from these breaches because the attorneys are limiting what information becomes public,” Schneier said, weighing in on the report. “This is where we think about shielding companies from liability in exchange for making breach data public. It’s the sort of thing we do for airplane disasters.”

This is all troubling on so very many levels. Not that I disagree with the facts and details discussed in the report, but I have some serious worries about the implications.

What concerns? One, I think the lawyers referenced are taking an overly narrow and outdated view of the law. In short, their efforts to shield their enterprise from legal liabilities are in fact exposing those companies to more liabilities. And two, it puts the germane C-level executives (especially the CEO) in an awkward-but-necessary position of having to overrule counsel on legal matters. But in today’s environment, that sometimes needs to happen. The job of protecting the enterprise ultimately rests with the CEO and the board.

Let’s explore issue No. 1. The lawyer’s concern is that documenting an incident would make it easier for someone to use that information against the enterprise in a lawsuit. Their advice is: don’t write it down and never finalize your investigation — keep it open.

That’s an old-school approach of making it harder for the opposition to piece together a complete picture. The problem? Those efforts themselves are discoverable and the opposition will learn it all. Taking an action that could be correctly…

2023-07-10 08:00:05
Article from www.computerworld.com
