June 23, 2022
Developing a cybersecurity incident response plan is important for any organization: it prepares the company for potential attacks and equips its IT security team to respond before, during, and after a cyberattack. A security incident or cyberattack can cost an organization time, money, its reputation and its customers. Having an effective incident response plan can help minimize those negative impacts.
It’s also important, when developing a response plan, to include a communication strategy for informing customers about a security incident. When a business experiences a cybersecurity incident, it’s easy to forget that responding to the technical issue is only part of the response effort. A major component of handling a cybersecurity incident is deciding how to let people know what’s going on and how it could affect them.
When doing so, companies must have appropriate communication protocols to help protect attorney-client privilege and mitigate the significant risks (legal, reputational, financial) associated with the unintended disclosure of incident-related communications.
Amy de La Lama, Christian Auty, Daniel Rockey and Logan Parker, attorneys with the law firm Bryan Cave Leighton Paisner LLP, recommend companies incorporate communication best practices into incident response plans and disseminate them to the incident response team at the outset of every response effort.
“Companies should remind internal teams and external service providers that while copying internal or external legal counsel on communications, as well as designating materials as subject to Attorney-Client Privilege and/or designating materials as ‘work product,’ are important steps, doing so will not automatically create relevant legal privileges,” the attorneys wrote in a bulletin. “Moreover, there is always the risk that communications may inadvertently be sent to the wrong recipients and/or acquired either as part of the legal process or by the bad actors themselves. Therefore, thinking carefully about the content and manner of dissemination is essential in mitigating the inevitable fall-out from a security incident and moving forward as quickly as possible.”
The following are the communication “Dos” and “Don’ts” developed by de La Lama, Auty, Rockey and Parker.
- DO communicate via telephone where possible.
- DO include a Project Name (e.g., “Project Yellow: Notification Content”) in all emails and other written communications.
- In certain situations, a communication may need to go to a smaller group. In those instances, the remaining Dos and Don’ts should still be followed.
- DO mark any emails concerning legal opinion, legal analysis, litigation strategy and risk as “Privileged and Confidential” and include designated counsel (internal and/or external counsel) on all such communications.
- DO designate emails as “private.”
- DO limit email content to factual and/or objective information, when possible. If an email communication contains work product or content subject to the attorney-client or legal professional privilege, do not forward it to anyone outside of the original distribution list.
- DO assume that any written communication might be discoverable or made public at some point (i.e., White Board Test).
- DO segregate written communications in a separate, designated (protected) location and maintain communications in accordance with any litigation hold instructions.
- DO start a new email thread and be mindful of the necessary recipients of information contained in the email. Send the email to only those with a need to know the information and confirm the recipient list before hitting send.
- DO NOT include subjective conclusions/assessments (e.g., “this was a big mistake,” “our systems were not adequately protected”) in email communications.
- DO NOT circulate forensics or other reports via email, particularly in draft form. Reports should be reviewed using a screen sharing application or similar means, and any dissemination via email or otherwise should be done only when the report has been finalized and at the direction of counsel.
- DO NOT communicate about the incident via other unofficial means (e.g., texts, instant messaging, other non-company communication applications), unless the nature of the incident mandates use of an approved secondary communication method.
- DO NOT destroy or delete any written communications related to the incident until receiving specific instructions to do so.
- DO NOT forward email communications.
- DO NOT continue to use the same email thread for new topics, and avoid reflexive “reply all” responses.
- DO NOT mix legal and business advice; use separate communications.
When in doubt, the law firm recommends using the phone and obtaining input from your internal or external legal counsel before sending a written communication. Communication is an integral component of a strong incident response. Having a communication protocol, and following it, provides a mechanism for rapidly notifying stakeholders, coordinating internal and external parties, monitoring customer or employee sentiment, and minimizing reputational damage, all while protecting your company’s interests and legal privileges.