Data breach and privacy incidents occur daily at organizations of all sizes. Just recently, hackers broke into a water treatment facility in Florida, gaining access to an internal ICS platform, and changed chemical levels; Syracuse University revealed that names and Social Security numbers of about 9,800 students were exposed; and 500 million LinkedIn accounts were leaked. It happens all too frequently. And while breaches continue to affect hundreds of thousands of lives, legal and compliance teams are not always brought in to manage each breach. With regulators and law enforcement agencies increasingly focused on ensuring that organizations fulfill their post-breach notification obligations, legal teams can help coordinate internal processes quickly, begin remediating damage, take immediate legal steps to protect the enterprise, and comply fully with all regulatory obligations.

Here, we talk to AJ Samuel, co-Founder and Chief Product Officer at Exterro, about the many benefits of retaining legal counsel, who can better protect the integrity and confidentiality of the incident response.

 

Security: What is your background and current role?

Samuel: I am a co-founder of Exterro, a Legal GRC software company, and the Chief Product Officer. I have a background in building process automation and intelligent systems. I have built high volume, highly secure systems for the financial services industry. We have applied these same architectures to the software we create at Exterro, which is targeted to legal, risk and compliance professionals.

 

Security: How can organizations reduce risk and ensure cybersecurity through well-defined roles, responsibilities, and automated incident response processes and notifications?

Samuel: With the proliferation of new security and privacy legislation(s), every incident is multi-jurisdictional. Even in Europe where there is a great deal of regulatory consistency, there are still diverse regulators with different reporting expectations. These regulations also have different specifications about what is reportable, and generally, have extremely tight timelines for reporting to regulators if the incident is classified as a reportable breach.

To win at any game, you need to get the best players together, each of whom will have different skills and different roles. But they also need to have a game plan and a series of plays that they know how to execute in order to win. The same is true in the case of a security incident: we need to marshal a team of experts:

  • Forensic investigators to figure out how the incident occurred and what might have been compromised
  • IT security to ensure that whatever path was used to gain entry is sealed off
  • Data experts to determine the contents of the compromised data
  • Legal and Compliance to determine if this incident is a breach under the law and to fulfill reporting obligations if it is.

These plays must be executed across many different jurisdictions, before the clock runs out, which is usually at 72 hours. The complexity increases when you include the third parties involved.

Most organizations today have some form of cyber insurance that covers losses and penalties in case of a breach. However, just like you cannot tell your auto insurer how much the damage to your car is worth, the organization cannot do all of its own investigating into the breach. Once a breach has been determined, the data often must be handed off to a service provider to define the scope of data subjects’ information and determine how much was compromised (this is a principal determinant in a cyber insurance claim). Many organizations do not have the ability to do this themselves and rely on outsourced services even when they are unsure if the incident is a breach under law. 

Also, here in the U.S., organizations that have suffered breaches are often sued for negligence. Many retain outside counsel for advice on handling the response. Communication with outside counsel is vital for effective coordination of the response, and it needs to be handled carefully to preserve the option to assert privilege if needed.

 

Security: How can profiling all third-party vendors, including law firms, promptly and accurately ensure compliance with legal and regulatory obligations for controllers and processors?

Samuel: If you follow the vast amount of data breaches that take place on a daily basis, you’ll see that many of them don’t make it to the headlines we see every day. The targets are not always high-profile and, oftentimes, the breaches are aimed at third parties that provide services.

For example, the recent breach that affected Jones Day, a law firm with a significant breach response practice, was of a third party that they used for data transfer duties (Accellion). This breach also affected schools, airlines and many other types of businesses.

Hackers are extremely clever. The only way you can protect your organization from these kinds of breaches is to have a clear understanding with service providers about expectations regarding security. You have to profile the security and privacy practices of your providers – including law firms – and work with them to mitigate any issues. You should also profile prospective service providers and factor that assessment into purchasing decisions. Profiles are point-in-time exercises and must be repeated regularly as your needs and the provider’s capabilities and offerings change in order to ensure compliance and proper risk assessment.

 

Security: What are key reasons why organizations should have legal teams in place in case of a data breach?

Samuel: There are six key reasons:

  1. Incidents are things that happen; breaches are a matter of law. It is the legal team that must determine whether the security incident has met the criteria for a full-blown data breach under the law. Handling this in an ad-hoc manner means having to figure out the matters of law anew each time an incident occurs. Since incidents are frequent, this makes no sense.
  2. The consequences of breaches are growing. Regulators have become very aggressive about enforcing breach legislation, and the reputational impacts are visible at the board level. I read a study recently that said that companies who suffered breaches lost 10% of their market value in the following year. It is not just about financial costs, but also the cost of harming your brand.
  3. The regulatory and reputational risk can be mitigated with good response practices. If you can show that you took the incident seriously, moved quickly to isolate the problem, identified the cause and the potential victims, were open and transparent and informed everyone involved, this all goes a long way. The regulators will give these organizations the benefit of the doubt. And because data breaches are so common today, even customers may give them a pass if it is obvious they are trying to do the right thing.
  4. In addition to potential regulatory penalties, there are also class-action lawsuits in the U.S. and Brazil particularly, as well as collective redress actions in the EU and Britain. These can be extremely expensive, so it is vital that the response to incidents be defensible and consistent. These types of lawsuits can only be avoided if legal teams are involved to guide the rest of the team and the effort.  
  5. There have also been recent changes to the meaning of terms such as “privacy incident” and “harm.” The Seventh Circuit recently ruled that just holding personal data after it was no longer needed constituted harm. The California Privacy Rights Act that passed in November also has strict retention and disposal obligations. The proposed Oklahoma legislation is a shift from an opt-out to an opt-in model. Then there is also Virginia, which just passed a similar data privacy regulation to that of California. All of these new rules change the nature of the risks associated with data use, retention and protection. Having legal and compliance teams there to assist in the event of a breach means companies can have a more thorough understanding of the state and federal laws that apply to the case.
  6. Finally, the pandemic has sped up some trends: Communications have moved to channels that are more difficult to investigate and secure, such as Slack. We have moved more data onto cloud resident systems outside corporate firewalls. And we have introduced new personal information such as video conference recordings that require new procedures for handling. Handling the collection, transfer, and protection of all of these new data types in new [remote] locations has massive legal, risk and compliance implications.

 

Security: How can organizations enable secure communications and preserve legal privilege (as the risk of lawsuits in response to security breaches has grown)?

Samuel: Legal privilege is about a conversation between representatives of the company and their legal counsel. In the same way you would never expect to have a private conversation in a crowded bus station, you would not expect to have a privileged conversation on an open Slack channel or other chat-like communication.

If the communication is mixed in with other, operational communications about the situation or with individuals who are not part of the legal discussion, it can compromise the ability to assert legal privilege over that conversation.

It is critical that there be a secure, auditable, managed communication channel between all the parties involved in the breach response, so that communication discipline can be maintained, and privilege can be asserted where warranted. Keep in mind, it is entirely possible that internal communications mechanisms may also be compromised in a breach. As you probably can assume, it is just as important to vet the security of the communication mechanism your organization is using as it is to understand the process and etiquette of having said conversations in the appropriate ways to ensure legal privilege and information privacy. This becomes all the more important as lawyers and other departments work remotely in 2021 and beyond. Finding the right platform/process will likely continue to be an ongoing conversation within the legal and compliance industries for some time.