Lawyers and C-suite leaders have the same basic mission: protect the enterprise from bad actors who want to do harm. But they often often approach the job in such polar opposite ways that they wind up fighting each other instead of working together.
A new academic report on the topic from researchers at the University of Edinburgh, the University of Innsbruck, Tufts University and the University of Minnesota tried to document how stark those differences have become.
“Cyber insurance sends work to a small number of [incident response] firms, drives down the fees paid and appoints lawyers to direct technical investigators,” the report noted. “Lawyers, when directing incident response often introduce legalistic contractual and communication steps that slow down incident response, advise IR practitioners not to write down remediation steps or to produce formal reports and restrict access to any documents produced.”
According to the report, one lawyer told a forensics team, “We don’t want a final report. Just keep this in draft form.”’ Another was quoted as saying, "You never want to put in writing what the security system is like, but you also need candor to improve the system. And there is a risk that there won’t be as much frank assessment, because that would turn into a roadmap for plaintiffs.”
The problem, according to noted security consultant Bruce Schneier? “We’re not able to learn from these breaches because the attorneys are limiting what information becomes public," Schneier said, weighing in on the report. "This is where we think about shielding companies from liability in exchange for making breach data public. It’s the sort of thing we do for airplane disasters.”
This is all troubling on so very many levels. Not that I disagree with the facts and details discussed in the report, but I have some serious worries about the implications.
What concerns? One, I think the lawyers referenced are taking an overly narrow and outdated view of the law. In short, their efforts to shield their enterprise from legal liabilities are in fact exposing those companies to more liabilities. And two, it puts the germane C-level executives (especially the CEO) in an awkward-but-necessary position of having to overrule counsel on legal matters. But in today’s environment, that sometimes needs to happen. The job of protecting the enterprise ultimately rests with the CEO and the board.
Let’s explore issue No. 1. The lawyer’s concern is that documenting an incident would make it easier for someone to use that information against the enterprise in a lawsuit. Their advice is: don't write it down and never finalize your investigation — keep it open.
That’s an old-school approach of making it harder for the opposition to piece together a complete picture. The problem? Those efforts themselves are discoverable and the opposition will learn it all. Taking an action that could be correctly interpreted as trying to hide information will be the biggest gift in the world to opposing counsel. When it comes out, and it absolutely will, it will alienate the judge, anger the jury, and potentially expose the company to negative court decisions.
Even from a strictly legal defense perspective, failure to put relevant information in writing is reckless. And that's looking at this solely from a civil lawsuit perspective. What about compliance rules and the regulators paid to enforce them? How do you honestly think that those government entities will react to this hide-or-play-down-the-data effort?
We don’t even need to take the argument up a level and debate, “Isn’t improving an enterprise’s risk profile as much as possible going to protect the company more than depriving plaintiff’s lawyers from some details (which they’ll eventually see anyway)?” On the legal risks alone, this strategy is a loser.
If we get around to asking the bigger questions, then yes, protecting a company’s data, systems, and other assets does outweigh the concerns from any single lawsuit. Failure to document is not a trivial matter. It makes it more difficult to plan the best security strategy. It also makes it much more likely that new employees and contractors — who weren’t around for the last breach — won’t be sufficiently prepared to defend against the next attack.
This forces us to explore the more delicate issue: decision-making. The CISO and CIO will almost certainly be livid and demand that proper procedures be strictly followed. If corporate counsel argues that it shouldn’t, the CEO must defend the enterprise. There are times when the CEO has a fiduciary obligation to obey chief counsel.
Incident Rresponse isn’t one of them.
This is one of the many reasons boards today need to have members who have active and extensive cybersecurity experience. Only with that background can a board have the confidence to override the legal folks on such a matter.