
5 minutes with AJ Samuel – Why legal teams must quarterback data breach responses

By Maria Henriquez
April 28, 2021

Data breach and privacy incidents occur daily at organizations of all sizes. Just recently, hackers broke into a water treatment facility in Florida, gaining access to an internal ICS platform, and changed chemical levels; Syracuse University revealed that names and Social Security Numbers of about 9,800 students were exposed; 500 million LinkedIn accounts were leaked, and so on. It happens all too frequently. And while it is obvious that breaches continue to impact hundreds of thousands of lives, legal and compliance teams are not always brought in to manage each breach. With increased focus from regulators and law enforcement agencies on ensuring organizations fulfill their post-breach notification obligations, legal teams can quickly coordinate internal processes, take swift action to begin remediating damage, initiate immediate legal steps to protect the enterprise, and ensure full compliance with all regulatory obligations.

Here, we talk to AJ Samuel, co-founder and Chief Product Officer at Exterro, about the many benefits of retaining legal counsel, who can better protect the integrity and confidentiality of the incident response.


Security: What is your background and current role?

Samuel: I am a co-founder of Exterro, a Legal GRC software company, and the Chief Product Officer. I have a background in building process automation and intelligent systems. I have built high-volume, highly secure systems for the financial services industry. We have applied these same architectures to the software we create at Exterro, which is targeted at legal, risk and compliance professionals.


Security: How can organizations reduce risk and ensure cybersecurity through well-defined roles, responsibilities, and automated incident response processes and notifications?

Samuel: With the proliferation of new security and privacy legislation(s), every incident is multi-jurisdictional. Even in Europe where there is a great deal of regulatory consistency, there are still diverse regulators with different reporting expectations. These regulations also have different specifications about what is reportable, and generally, have extremely tight timelines for reporting to regulators if the incident is classified as a reportable breach.

To win at any game, you need to get the best players together, each of whom will have different skills and different roles. But they also need to have a game plan and a series of plays that they know how to execute in order to win. The same is true in the case of a security incident: we need to marshal a team of experts:

  • Forensic investigators to figure out how the incident occurred and what might have been compromised
  • IT security to ensure that whatever path was used to gain entry is sealed off
  • Data experts to determine the contents of the compromised data
  • Legal and Compliance to determine if this incident is a breach under the law and to fulfill reporting obligations if it is.

These plays must be executed across many different jurisdictions, before the clock runs out, which is usually at 72 hours. The complexity increases when you include the third parties involved.

Most organizations today have some form of cyber insurance that covers losses and penalties in case of a breach. However, just like you cannot tell your auto insurer how much the damage to your car is worth, the organization cannot do all of its own investigating into the breach. Once a breach has been determined, the data often must be handed off to a service provider to define the scope of data subjects’ information and determine how much was compromised (this is a principal determinant in a cyber insurance claim). Many organizations do not have the ability to do this themselves and rely on outsourced services even when they are unsure if the incident is a breach under law.

Also, here in the U.S., organizations that have suffered breaches are often sued for negligence. Many retain outside counsel for advice on handling the response. Communication with outside counsel is vital for effective coordination of the response, and it needs to be handled carefully to preserve the option to assert privilege if needed.


Security: How can profiling all third-party vendors, including law firms, promptly and accurately ensure compliance with legal and regulatory obligations for controllers and processors?

Samuel: If you follow the vast amount of data breaches that take place on a daily basis, you’ll see that many of them don’t make it to the headlines we see every day. The targets are not always high-profile and, oftentimes, the breaches are aimed at third parties that provide services.

For example, the recent breach that affected Jones Day, a law firm with a significant breach response practice, was of a third party that they used for data transfer duties (Accellion). This breach also affected schools, airlines and many other types of businesses.

Hackers are extremely clever. The only way you can protect your organization from these kinds of breaches is to have a clear understanding with service providers about what the expectations are regarding security. You have to profile the security and privacy practices of your providers – including law firms – and work with them to mitigate any issues. You should also profile prospective service providers and factor that assessment into purchasing decisions. Profiles are point-in-time exercises and must be repeated regularly as your needs and the provider’s capabilities and offerings change in order to ensure compliance and proper risk assessment.


Security: What are key reasons why organizations should have legal teams in place in case of a data breach?

Samuel: There are six key reasons:

  1. Incidents are things that happen, breaches are a matter of law. It is the legal team that must determine whether the security incident has met the criteria for a full-blown data breach under the law. Handling this in an ad-hoc manner means having to figure out the matters of law anew each time an incident occurs. Since incidents are frequent, this makes no sense.
  2. The consequences of breaches are growing. Regulators have become very aggressive about enforcing breach legislation, and the reputational impacts are visible at the board level. I read a study recently that said that companies who suffered breaches lost 10% of their market value in the following year. It is not just about financial costs, but also the cost of harming your brand.
  3. The regulatory and reputational risk can be mitigated with good response practices. If you can show that you took the incident seriously, moved quickly to isolate the problem, identified the cause and the potential victims, were open and transparent and informed everyone involved, this all goes a long way. The regulators will give these organizations the benefit of the doubt. And because data breaches are so common today, even customers may give them a pass if it is obvious they are trying to do the right thing.
  4. In addition to potential regulatory penalties, there are also class-action lawsuits in the U.S. and Brazil particularly, as well as collective redress actions in the EU and Britain. These can be extremely expensive, so it is vital that the response to incidents be defensible and consistent. These types of lawsuits can only be avoided if legal teams are involved to guide the rest of the team and the effort.
  5. There have also been recent changes to the meaning of terms such as “privacy incident” and “harm.” The Seventh Circuit recently ruled that just holding personal data after it was no longer needed constituted harm. The California Privacy Rights Act that passed in November also has strict retention and disposal obligations. The proposed Oklahoma legislation is a shift from an opt-out to an opt-in model. Then there is also Virginia, which just passed a similar data privacy regulation to that of California. All of these new rules change the nature of the risks associated with data use, retention and protection. Having legal and compliance teams there to assist in the event of a breach means companies can have a more thorough understanding of the state and federal laws that apply to the case.
  6. Finally, the pandemic has sped up some trends: Communications have moved to channels that are more difficult to investigate and secure, such as Slack. We have moved more data onto cloud-resident systems outside corporate firewalls. And we have introduced new personal information such as video conference recordings that require new procedures for handling. Handling the collection, transfer, and protection of all of these new data types in new [remote] locations has massive legal, risk and compliance implications.


Security: How can organizations enable secure communications and preserve legal privilege (as the risk of lawsuits in response to security breaches has grown)?

Samuel: Legal privilege is about a conversation between representatives of the company and their legal counsel. In the same way you would never expect to have a private conversation in a crowded bus station, you would not expect to have a privileged conversation on an open Slack channel or other chat-like communication.

If the communication is mixed in with other, operational communications about the situation or with individuals who are not part of the legal discussion, it can compromise the ability to assert legal privilege over that conversation.

It is critical that there be a secure, auditable, managed communication channel between all the parties involved in the breach response, so that communication discipline can be maintained, and privilege can be asserted where warranted. Keep in mind, it is entirely possible that internal communications mechanisms may also be compromised in a breach. As you probably can assume, it is just as important to vet the security of the communication mechanism your organization is using as it is to understand the process and etiquette of having said conversations in the appropriate ways to ensure legal privilege and information privacy. This becomes all the more important as lawyers and other departments work remotely in 2021 and beyond. Finding the right platform/process will likely continue to be an ongoing conversation within the legal and compliance industries for some time.

KEYWORDS: compliance cyber security data breaches hackers regulatory compliance risk management


Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
