When a company suffers a data breach, anything from an innocent joke to a blame-spreading incident report can bring about very expensive consequences.
That's according to a panel of defense attorneys and former U.S. government prosecutors who took to the virtual stage at RSA Conference 2021 this week to share some of the more painful mistakes they have seen companies make over the course of their careers.
Many of those mistakes cost the companies millions of dollars in penalties and adverse legal rulings, and in rare cases opened up the possibility of criminal prosecution.
No funny business
One of the most common mistakes the lawyers said they had seen was companies not realizing how much of their internal communication can be collected by opposing attorneys in the aftermath of a data breach. When civil suits are filed, as they often are after a breach of a customer database, the pre-trial discovery process lets plaintiffs' lawyers obtain everything up to and including internal emails and text messages sent before or during the attack.
As a result, panelist Ann Marie Mortimer, managing partner and co-head of commercial litigation practice at law firm Hunton Andrews Kurth LLP, advised companies to drill into their employees that any and all communications could be subject to legal scrutiny.
"Think to yourself, 'How would I feel if that was blown up in giant font in the middle of Times Square,'" Mortimer suggested. "It is not just from the moment of the breach forward -- litigation reaches back in the history."
In particular, she said, executives should tell their security teams to lay off the gallows humor that is often prevalent in IT departments. A seemingly innocent joke or sarcastic comment about the state of a company's security can be taken out of context and land workers in a deposition, or worse.
"We're talking about communications that happen in the heat of the moment in a security incident. When you are using Slack or sending a text, you are not writing in invisible ink," Mortimer said. "You need to start disciplining yourself now, so that an email you fired off in the heat of the moment does not get you in trouble."
Fellow panelist Brian Levine, a former Department of Justice prosecutor and now a managing director at EY Parthenon, added that lawyers may not be the only ones reading a company's communications. The attackers often remain on the victim's network after making their demands, and seeing the company panic could lead them to raise those demands.
"Sometimes it is not the specific words you use, but the tone. People can be nervous in these situations and some of the nervousness can come out in their texts or emails," Levine explained.
"If you have had a breach, it is possible that the criminal is monitoring your communications, and that may interfere with your ability to negotiate effectively."
Another common pitfall is the incident report itself. The panelists noted that when security teams write up an incident, whether internally or through consultants, it is important not to expose the company to further legal liability by assigning blame.
That is not to say companies should lie or omit information, the attorneys said; rather, reports should stick to the facts and avoid laying the blame at anyone's feet, which could open the door to lawsuits. Where possible, Levine said, companies should conduct much of their incident triage and reporting in meetings or over video conferencing, with an executive or attorney present to take notes, so that important information is recorded without offhand comments or premature conclusions being taken out of context.
Levine said another effective way to reduce legal exposure is to have the report written from the posture of what is known as "affirmative defensive litigation." In that approach, the incident report is written from the perspective of a company preparing to bring suit against the attacker, placing the blame squarely on the intruder rather than on any steps the company did or did not take.
"It shifts the optics from this being your fault to this being a criminal action, and you are going to take steps against the attacker," Levine said.
Whatever you do, don't hack back
One point of agreement for the panelists was that companies should never try to retaliate against the attacker, a practice known as "hacking back."
While it may be tempting to break into the attacker's servers to retrieve stolen files, the panelists said this is never a good idea, and it is one of the few ways a company can turn a civil matter into a potential criminal one.
"If you respond by hacking back, you are potentially breaking federal criminal and civil law, and that could result in legal action," Levine said.
"While you think you are reaching out to the criminal's computer, you are almost always reaching out to an innocent third party and hacking their computer or server."
Paying a ransom also carries legal risk. Because the U.S. government has placed sanctions on a number of foreign hacking groups, paying a ransom to a sanctioned group, or to anyone acting on its behalf, can violate federal sanctions law.
To that end, the panelists advised companies to get a clear picture of who they are dealing with and where the money would go, lest they find themselves facing additional penalties from the U.S. Department of the Treasury.
What is going right?
The attorneys also pointed to practices their clients are getting right. Mortimer noted that her clients are increasingly proactive about data breaches: rather than waiting for an attack to occur, companies are taking early steps to prepare for incidents and train their teams.
"One of the good things companies are doing is preparing themselves. For most companies, it is not a matter of if you will be breached, it is when," Mortimer said. "Companies need to build in a certain amount of muscle memory so they are prepared if and when it comes to them."