General Counsel Now ‘Quarterbacks’ Of Cyber Incident Responses: John Reed Stark

Corporate Counsel Weekly™ helps corporate lawyers get the big picture on the legal challenges facing corporations today. Practitioners can discover trends on the horizon and stay alert to the full...

Bloomberg BNA's Yin Wilczek recently posed questions to John Reed Stark, president of John Reed Stark Consulting LLC, a firm that advises clients on data breaches, cybersecurity, cybercrime and incident response. In an excerpt of the interview, Stark suggests that the general counsel now is the “most logical and effective quarterback” for data breach responses.

Bloomberg BNA: In the age of cyber breaches, how has the role of general counsel changed? What are some emerging/top concerns for general counsel (GC) with respect to cyber incidents?

John Reed Stark: The GC, alone or with outside counsel, has quietly emerged as the most logical and effective quarterback of data breach response.

Incident response workflow requires careful legal navigation because the legal ramifications of any failure can be calamitous or even fatal for any public or private company. So many incident response issues are critical to the very survival of a company, so the GC should lead investigative workflow, commanding the investigation and remediation for the C-suite and sharing with senior management the ultimate responsibility for key decisions. Just like any other independent and thorough investigation, the work relating to a cyber-attack will involve a team of lawyers with different skill sets and expertise (e.g. regulatory; e-discovery; data breach response; privacy; white-collar defense; litigation; law enforcement liaison; and the list goes on).

Virtually every aspect of an incident response is rife with delicate and complex legal issues. For instance, consider the dramatically competing constituencies during an incident response. On one hand, there are the FBI, Secret Service, U.S. Air Force Office of Special Investigations, and other law enforcement agencies who want to help find the intruders, and on the other hand, there are the myriad attorneys general and other state regulatory agencies who will be issuing requests and demanding answers about the safety of the personally identifiable information or so called “PII” of their respective citizenries. The GC should lead the creation of the rules, practices and procedures that govern the sharing of intelligence with government agencies.

In addition to the governmental investigations and litigation, the list of civil liabilities after a cyber-attack is almost endless, including shareholder lawsuits for cybersecurity and data breach disclosure failures; declines in a company's stock price; and management negligence. There may also be consumer/customer driven class action lawsuits against companies falling victim to cyber-attacks, alleging a failure to adhere to cyber security “best practices.”

Most importantly, with respect to cyber-attack investigations, attorney-client privilege will arguably apply to the work product from the digital forensic investigators hired by outside counsel. This is not done to hide information; rather it helps protect against inaccurate information getting released in an uncontrolled fashion and allows for more careful deliberation and preparation for litigation or government investigation/prosecution, two scenarios more and more likely nowadays. Along these lines, the digital forensics, malware reverse engineering, exfiltration analysis, logging review and the rest of the typical incident response workflow should all be done at the direction of counsel.

For instance, after a data breach, law enforcement agencies may request forensic images of impacted systems or may want to attach a recording appliance to a victim company's network in hope of capturing traces of attacker activity, should an attacker return to the company. These requests raise a host of legal issues, including whether providing information to law enforcement could violate the privacy of customers or result in a waiver of the attorney-client privilege.

Interestingly, law firms are only beginning to respond to the need for incident response by forming specialized data breach response legal practice groups. But my take is that the incident response practice area is where the Foreign Corrupt Practices Act was 10 or 15 years ago. In fact, I (continued on page 286)(continued from back page)predict that in just a few years, data breach response practice groups of law firms will not only be a leading revenue generator for law firms but will be the leading growth area for large law firms as well.

BBNA: What can GCs do now to better tackle such incidents?

Stark: The best place for a GC to begin a review of a company's incident response capabilities is with a review of the company's cybersecurity policies and procedures. It is a good starting point to facilitate meaningful legal guidance relating to a company's cybersecurity risks and vulnerabilities.

First and foremost, cybersecurity is a business imperative, yet too often cybersecurity is too far down on a C-suite priority list—or because it is so complex, simply delegated to lower level technical personnel. There should be a commitment from the top down, both culturally and financially, to rigorous cybersecurity, and C-level accountability should be a part of the day-to-day business focus. The GC should review current reporting lines and assigned areas of responsibility to ensure they make sense. Given the responsibilities and accountability needed to execute an incident response plan, the right employees, possessing the appropriate skill sets, should be adequately empowered. One important check is to make sure that the individual charged with overseeing cyber-defense is not the same person who reports up the chain about breaches and who would oversee any response—it can create too much of a conflict. The best practice is to have an incident response group that is separate and apart from information technology infrastructure and reports to the GC—just like any other internal investigative group, an incident response team should have credibility and independence.

In cybersecurity, most companies allocate significant resources to fortifying their networks and to denying access to cyber-attackers. However, it is now a cliché, well founded in reality, that data breaches are inevitable. Along those lines, just like a fire evacuation plan for a building, a company should have a plan in place to respond to data breaches: an art form less about security science and more akin to incident response. Due to the absence of such a plan, many organizations unfortunately allow what could have been a relatively contained incident to become a major corporate catastrophe because they neither thought through all of the elements necessary for an effective response nor put the necessary mechanisms in place to ensure these elements were addressed in their plans.

Similarly, the critical importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet, too often, such plans are not evaluated in the context of assessing cybersecurity risks. The GC may want to take ownership and ensure the properly interwoven connectivity of a company's incident response plan and disaster recovery plan.

Another area for the GC to check is whether incident response is competently staffed. Competition for talent in the information security space is intense, while the pressure on IT security senior executives is infinite and exhausting. Moreover, despite their rapidly rising salaries, turnover remains constant and there is a serious shortage of experienced and capable IT senior executives, especially chief information security officers. Relatedly, when a company loses key senior IT security personnel, it is not only a red flag but also an opportunity for a GC to examine succession plans and to obtain an unbiased, albeit possibly disgruntled, view of any cybersecurity flaws. The art and the benefit of the exit interview is lost on so many companies today—too often because departing employees are dismissed as resentful and unreliable. In the case of a resigning IT executive, a proper exit interview may reveal critical cybersecurity and incident response weaknesses.

The GC also needs to inquire whether the company is keeping up with cybersecurity threats. Not all companies face the same cybersecurity risks. There is no “one size fits all” approach. Companies that house and maintain large amounts of personal information and data need to tailor any defense, mitigation and response plans accordingly. By taking steps to ensure that information flow about data breaches within the industry and the latest intelligence about rising threats are considered by management on an ongoing basis, companies can stay current on the latest threats and prepare accordingly—preparedness is the key.

The GC may also want to review information technology and security budgeting with the chief financial officer. Most budgeting at companies is conducted annually and planned carefully and thoughtfully before execution—yet cybersecurity budgetary priorities can shift very quickly. Thus, a one-year budgetary cycle might not be swift or agile enough to manage rapidly emerging cyber-threats. Moreover, the average cost of a data breach continues to increase.

Also, the most significant cybersecurity vulnerability at any company will always be its employees. If employees do not adhere to cybersecurity rules and requirements, an attacker's exploit becomes all the more effective and capable of doing damage. GCs should take note of the frequency and efficacy of the firms' cyber-safety training programs. It is important to determine who participates in the training and how the company handles policy violations, especially violations by senior executives, whom studies have shown are typically the least compliant with cybersecurity policies.

BBNA: What are steps they can take to safeguard against future breaches?

Stark: There are a few important areas that immediately come to mind. The first area is data mapping.

Every cyber-attack response begins with the simple notion of preservation, i.e. collecting and preserving, in a forensically sound and evidentially unassailable manner, any ESI [electronically stored information], devices, logs, etc. that could become relevant to the cyber-attack.

Preservation is a critical workstream during a cyber-attack because incident responders will be scrutinizing every byte of data, including any fragments, artifacts or remnants left by the attacker in all sectors of any relevant device, including deleted recoverable files, unallocated and slack space or the boot sector. These artifacts can include: Internet addresses; computer names; malicious file names; system registry data; user account names; and network protocols.

Gathering the data and devices relating to a cyber-attack is the first and one of the most critical steps of an incident response. The most effective investigative methodology of a cyber-attack is one based on targeted incident response practices and does not solely rely on “signature detection” technologies, such as antivirus software. Rather, careful investigators employ an iterative process of digital forensics, malware reverse engineering, monitoring and scanning. As analysis of known or suspected compromised systems identifies new so-called Indicators of Compromise (IOCs), investigators will examine network traffic and logs, in addition to scanning hosts for these IOCs. When this effort discovers additional systems, those systems are forensically imaged and analyzed, and the process repeats. Armed with the information gathered during this phase of “lather, rinse, repeat,” a victim company can begin efforts to remediate the malware, rebuild compromised systems, reset compromised account credentials, block IP addresses and properly initiate network and host monitoring in an effort to detect additional attempts by the attacker to regain access.

Preservation is also critical because investigators will likely need to scour all ESI in search of PII. The search for PII is necessary to determine whether the attacker exfiltrated (removed from a corporate IT environment) any data containing personal information relating to any individuals, who may require notice of the cyber-attack, credit monitoring services and other remedial action. Finally, just about every cyber-attack response also involves the forensic imaging and reviewing of e-mails and other relevant communications from laptop computers, desktop computers, network servers, backup tapes, mobile devices, iPads and other systems.

Yet, preserving ESI after a cyber-attack can quickly become a challenging, costly and resource-intensive task. Most companies have ESI in so many locations (both physical and virtual) that, after a cyber-attack, it becomes an onerous struggle to locate and preserve relevant ESI and to piece together information about sometimes complex and disparate systems—all under the intense pressure of an active digital forensic investigation (with serious consequences for error or omission). Relatedly, it can sometimes take days after learning of a cyber-attack before a company realizes that it maintains an electronic purging process that deletes data (such as relevant logging information) on a regular schedule. Without having proactively made the effort to map information sources, assets and their key characteristics, these purging schedules can become unintended and latent causes of spoliation.

GCs should probe a company's data practices because where information relevant to identifying and describing potentially accessed/target/exfiltrated systems has never been data-mapped, establishing a strong and effective incident response plan for addressing cybersecurity risks can become challenging. Without any sort of responsible system overview or asset classification exercise, companies not only make mistakes in their cyber incident response plans, but companies can also make mistakes when applying available resources for security.

In addition, GCs should press to identify and understand the most critical pieces of company information. Otherwise, GCs become unnecessarily hamstrung during litigation and law enforcement/regulatory response. Mapping should make it faster and simpler for the GC to identify the company’s most valuable intellectual property assets and consumer/customer-based informational assets, and how that data is currently being protected. Rapid access to, and a solid understanding of, the location of data assets can become critically important during a data breach response. For instance, whether data is maintained internally, at a third-party data center (in the U.S. or overseas), or in a cloud-based environment are all-important for a GC to appreciate first-hand. Asking these and other similar questions will help a GC better understand the company's posture with respect to securing its virtual assets and inform what additional steps, if any, management can take to improve such practices.

Two preemptive areas for GCs are buying cyber insurance and installing an Endpoint Detection and Response (EDR) Tool. Soon enough, cyber insurance will be as common for companies as health insurance is for individuals. Companies who have cyber insurance also often have the best cybersecurity policies and practices, probably because of the rigorous pre-review by the proposed insurance company. Relatedly, companies should consider deploying the real-time “intelligence feeding” of an EDR tool, typically installed within an entire attack vector including domain controllers, database servers and user workstations. EDR deployment improves a company’s ability to detect and respond to outsider and insider threats; enhances speed and flexibility to contain any future attack or anomaly; and helps manage data threats more effectively overall.

Finally, sometimes, simply by sneaking through the front door, an outsider can surreptitiously gather fodder for a social engineering scheme (such as a spearfishing campaign) or an insider (such as a so-called “bad leaver”) can gain access to a company’s network and wreaks havoc. Physical security and cybersecurity have become inexorably linked, so companies need to shore up physical security the same as they do with cyber.

BBNA: Are there other issues GCs should be aware of stemming from a cyber incident?

Stark: One over-arching issue is that the role of the GC after a data breach is a challenging one because, unfortunately, the public's view of cyber-attack victims is less about understanding and sympathy, and more about anger and vilification.

Given in particular the 47 or so separate state privacy regulatory regimes, together with a growing range of federal agency jurisdiction, instead of accepting a helping hand, cyber-attack victims are accepting service of process of multiple subpoenas. The world of incident response is an upside-down one: Rather than being treated like criminal victims, companies experiencing data breaches are often treated like criminals themselves, becoming defendants in federal and state enforcement actions, class actions and other proceedings.

Formerly looked upon as the problem of the IT director, cybersecurity has quickly evolved into a GC issue and responsibility, which the GC needs to understand and oversee. In the aftermath of a corporate cyber-attack, GCs and the companies they govern are subjected to immediate public scrutiny and, in many cases, unwarranted criticism.

But cybersecurity engagement for GCs does not mean that they should obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts. GCs can lead incident responses first by becoming actively involved in ensuring the organizations they counsel are not only adequately addressing cybersecurity, but are also engaging in careful, thoughtful, independent and systematic incident response. Second, and most importantly, GCs should approach the subject in much the same way they approach other areas of risk under their purview: with vigorous, skeptical, intelligent and methodical inquiry.   

John Reed Stark

John Reed Stark is president of John Reed Stark Consulting LLC. Before forming his own firm, Mr. Stark served for over five years as managing director (three as head of the Washington, D.C., office) of a global digital risk management firm, leading cybersecurity, incident response and digital compliance engagements for corporations and regulated entities. Before that, Mr. Stark served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and a broad range of substantial and pioneering SEC enforcement actions, including 11 years as founder and chief of the SEC Office of Internet Enforcement. He also concurrently served for 15 years as an adjunct professor at Georgetown University Law School teaching a law and technology course and 10 years as a guest instructor teaching an annual law enforcement and technology in-service lecture at the FBI Academy. Read his blog on CybersecurityDocket.com entitled, Stark on IR.