Ensuring Proper Legal Involvement in the Incident Response Process - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

“Dear Mary” is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related — data breaches, forensic investigations, how to respond to regulators, and much more. “Dear Mary” goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered — whatever may keep you up at night — and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice — always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

I’m the general counsel of an organization and have recently started getting involved in the cybersecurity side of things. As I’m getting my bearings, I’ve noticed that our security team doesn’t always involve the legal department when an incident is suspected. While I understand that not every incident requires our involvement, I’m concerned that we’re being left out of matters that do need legal oversight, and when we are involved, it’s often too late. What can I do to help address this?

– Living in FOMO



August 14, 2024

Dearest L. FOMO,

Your concern is both valid and common among legal teams everywhere. But worry not, for there is a solution, and it begins with understanding your security team’s formalized triage process. Here’s what you need to know:

  1. Understand the Triage Process: Security teams typically use a triage process to decide how each detected incident is escalated and handled. Many assign a severity level on a scale from 1 to 4, with Level 1 covering routine incidents that internal IT can resolve on its own and Level 4 reserved for major incidents that require a full, coordinated response. The triage process usually also dictates which matters require legal involvement and which do not. For example, it may specify that only Level 3 and 4 incidents are escalated to Legal, meaning Legal is never notified of Level 1 and 2 incidents.

  2. Define Legal’s Role: Your mission is to ensure that the triage process clearly dictates which incidents need to be escalated to Legal and when. As you correctly noted, not all cybersecurity incidents require the same response or lead to the same outcomes. Historically, however, security teams have struggled to identify which incidents will have legal implications, often skipping critical steps needed to mitigate potential legal exposure. Consequently, you should work closely with them to define the matters Legal should be involved in from the outset and ensure there is a protocol in place to provide such notification. This might include incidents that could potentially implicate sensitive or confidential data, affect many individuals, involve certain types of attacks (e.g., ransomware or other network intrusions), or are likely to result in consumer/customer harm or otherwise trigger regulatory scrutiny. Incident response is not always black and white, so if the security team is ever uncertain about whether an incident meets a certain classification level, encourage them to view Legal as a partner in this process and to reach out for discussion.

  3. Periodic Review: Once you have reviewed and are comfortable with the documented triage process, implement an internal audit system to ensure that security incidents are being classified correctly and that those requiring legal involvement are being escalated appropriately. While some misclassifications are inevitable, if you notice recurring errors, it may be necessary to revisit the triage process to determine what adjustments are needed or what additional training should be provided to address potential gaps.

By understanding, refining, and auditing the triage process, you can alleviate your fear of missing out on critical incidents or being involved too late. With that worry off your plate, the only thing left to ponder is … what does Legal do once notified?

Yours truly,

Dear Mary
