{"id":22397,"date":"2023-07-07T04:30:08","date_gmt":"2023-07-07T12:30:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/07\/07\/news-16127\/"},"modified":"2023-07-07T04:30:08","modified_gmt":"2023-07-07T12:30:08","slug":"news-16127","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/07\/07\/news-16127\/","title":{"rendered":"Lawyers and Incident Response can be a dangerous combo"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2015\/09\/lawsuit-judge-law-court-decision-sued-money-100614067-small.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: eschuman@thecontentfirm.com | Date: Fri, 07 Jul 2023 03:30:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Lawyers and C-suite leaders have the same basic mission: protect the enterprise from bad actors who want to do harm. But they often approach the job in such polar opposite ways that they wind up fighting each other instead of working together.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A new academic report on the topic from researchers at the University of Edinburgh, the University of Innsbruck, Tufts University and the University of Minnesota tried to document how stark those differences have become.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cCyber insurance sends work to a small number of [incident response] firms, drives down the fees paid and appoints lawyers to direct technical investigators,\u201d <\/span><a href=\"https:\/\/www.usenix.org\/system\/files\/sec23fall-prepub-292-woods.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">the report noted<\/span><\/a><span style=\"font-weight: 400;\">. 
\u201cLawyers, when directing incident response often introduce legalistic contractual and communication steps that slow down incident response, advise IR practitioners not to write down remediation steps or to produce formal reports and restrict access to any documents produced.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the report, one lawyer told a forensics team, \u201cWe don\u2019t want a final report. Just keep this in draft form.\u201d Another was quoted as saying, &#8220;You never want to put in writing what the security system is like, but you also need candor to improve the system. And there is a risk that there won\u2019t be as much frank assessment, because that would turn into a roadmap for plaintiffs.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The problem, according to noted security consultant <\/span><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2023\/06\/how-attorneys-are-harming-cybersecurity-incident-response.html\" rel=\"nofollow\"><span style=\"font-weight: 400;\">Bruce Schneier<\/span><\/a>?<span style=\"font-weight: 400;\">\u00a0\u201cWe\u2019re not able to learn from these breaches because the attorneys are limiting what information becomes public,&#8221; Schneier said, weighing in on the report. &#8220;This is where we think about shielding companies from liability in exchange for making breach data public. It\u2019s the sort of thing we do for airplane disasters.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is all troubling on so very many levels. <\/span><span style=\"font-weight: 400;\">Not that I disagree with the facts and details discussed in the report, but I have some serious worries about the implications.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What concerns? One, I think the lawyers referenced are taking an overly narrow and outdated view of the law. 
In short, their efforts to shield their enterprise from legal liabilities are in fact exposing those companies to <em>more<\/em> liabilities. And two, it puts the germane C-level executives (especially the CEO) in an awkward-but-necessary position of having to overrule counsel on legal matters. But in today\u2019s environment, that sometimes needs to happen. The job of protecting the enterprise ultimately rests with the CEO and the board.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Let\u2019s explore issue No. 1. The lawyer\u2019s concern is that documenting an incident would make it easier for someone to use that information against the enterprise in a lawsuit. Their advice is: don&#8217;t write it down and never finalize your investigation \u2014 keep it open.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s an old-school approach of making it harder for the opposition to piece together a complete picture. The problem? Those efforts <\/span><i><span style=\"font-weight: 400;\">themselves<\/span><\/i><span style=\"font-weight: 400;\"> are discoverable and the opposition will learn it all. Taking an action that could be correctly interpreted as trying to hide information will be the biggest gift in the world to opposing counsel. When it comes out, and it absolutely will, it will alienate the judge, anger the jury, and potentially expose the company to negative court decisions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Even from a strictly legal defense perspective, failure to put relevant information in writing is reckless. And that&#8217;s looking at this solely from a civil lawsuit perspective. What about compliance rules and the regulators paid to enforce them? 
How do you honestly think that those government entities will react to this hide-or-play-down-the-data effort?\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We don\u2019t even need to take the argument up a level and debate, \u201cIsn\u2019t improving an enterprise\u2019s risk profile as much as possible going to protect the company more than depriving plaintiff\u2019s lawyers of some details (which they\u2019ll eventually see anyway)?\u201d On the legal risks alone, this strategy is a loser.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If we get around to asking the bigger questions, then yes, protecting a company\u2019s data, systems, and other assets does outweigh the concerns from any single lawsuit. Failure to document is not a trivial matter. It makes it more difficult to plan the best security strategy. It also makes it much more likely that new employees and contractors \u2014 who weren\u2019t around for the last breach \u2014 won\u2019t be sufficiently prepared to defend against the next attack.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This forces us to explore the more delicate issue: decision-making. The CISO and CIO will almost certainly be livid and demand that proper procedures be strictly followed. If corporate counsel argues that it shouldn\u2019t, the CEO must defend the enterprise. There are times when the CEO has a fiduciary obligation to obey chief counsel. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Incident response isn\u2019t one of them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is one of the many reasons boards today need to have members who have active and extensive cybersecurity experience. 
Only with that background can a board have the confidence to override the legal folks on such a matter.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3701892\/lawyers-and-incident-response-can-be-a-dangerous-combo.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2015\/09\/lawsuit-judge-law-court-decision-sued-money-100614067-small.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: eschuman@thecontentfirm.com | Date: Fri, 07 Jul 2023 03:30:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">Lawyers and C-suite leaders have the same basic mission: protect the enterprise from bad actors who want to do harm. But they often approach the job in such polar opposite ways that they wind up fighting each other instead of working together.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A new academic report on the topic from researchers at the University of Edinburgh, the University of Innsbruck, Tufts University and the University of Minnesota tried to document how stark those differences have become.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cCyber insurance sends work to a small number of [incident response] firms, drives down the fees paid and appoints lawyers to direct technical investigators,\u201d <\/span><a href=\"https:\/\/www.usenix.org\/system\/files\/sec23fall-prepub-292-woods.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">the report noted<\/span><\/a><span style=\"font-weight: 400;\">. 
\u201cLawyers, when directing incident response often introduce legalistic contractual and communication steps that slow down incident response, advise IR practitioners not to write down remediation steps or to produce formal reports and restrict access to any documents produced.\u201d<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3701892\/lawyers-and-incident-response-can-be-a-dangerous-combo.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[18384,22930,714],"class_list":["post-22397","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-it-leadership","tag-it-strategy","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22397"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22397\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22397"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/t
ags?post=22397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}