Navigating personal liability: post data-breach recommendations for CISOs

  1. Who in your organization should be advised of the claim and who, whether or not within your organization, should not.
  2. Whether the lawyers can and will be representing you as well as your organization and, if not, how you might go about finding counsel.
  3. Attorney-client privilege. Ask to be educated or refreshed on the attorney-client privilege. It is a critical protection that must be preserved whether or not legal action is ultimately taken as a result of the breach.
  4. Ask about a “litigation hold,” which is a directive from counsel to all involved areas of your organization instructing that document destruction not occur, even in the regular course of business practices. The decision and the scope of such instructions should come from counsel, but you and others must be aware of the concept and specifics as to how it is to be used in your situation. Simply put, your counsel will want to avoid accusations of destroying evidence.
  5. If you are not the CSO or CISO, identify who such officers are and ask counsel how to contact such people.
  6. Ask about documents to be turned over to counsel. These will likely include the materials submitted with the claim by the claimant, documentation regarding the claim that is held within your organization, any policy or applicable guidelines regarding data security, and any materials already generated or gathered by you.
  7. Be prepared to provide counsel with a detailed description of your knowledge of the incident, along with the identification of any other organization-controlled persons who may have some involvement in what is claimed to have happened, and any supporting documentation. Counsel can guide the incident response and provide legal advice to limit both the organization's and your personal liability.
  8. Ask counsel about anything else that comes to mind. If it raises your concerns, it is worth sharing with counsel.

Document an incident straight away

Counsel will likely ask you to document what you know about the incident and instruct you as to how to do so. While you should follow counsel’s direction, all relevant details will certainly be needed. These will include the date and time of discovery, the nature of the breach, the type of data involved, the number of individuals affected, any immediate steps taken, and anything else that will preserve the pertinent facts regarding the breach.

While the entire scope of relevant information may not yet be apparent, you should err on the side of being more inclusive. Your documentation should be prepared as close in time to the event as practical so as to preserve recollections as well as the information that may reside in people who could leave the organization for whatever reason. This documentation is critical to help guide internal and external investigations, assist in regulatory compliance, and help reduce the impact of potential legal proceedings.

It can be tempting for CSOs and CISOs to take the reins in data breach incidents, given their technical expertise or sense of personal responsibilities. However, this can lead to unintended legal complications. In the aftermath of a data breach, it’s critical to let your organization’s legal counsel guide decision-making processes. They can ensure that the response to the data breach complies with applicable laws and that both communication and remediation efforts are handled appropriately to minimize potential liability.

In addition to protecting the organization, CSOs and CISOs may want to seek personal legal advice. Although it’s rare to face personal liability or criminal charges, there can be situations where it is a real or feared risk. Independent legal advice can provide guidance tailored to your specific situation, identify where your interests may differ from those of your organization, and allay your concerns, all of which can be protected under attorney-client privilege.

After a data breach, effective communication is crucial. Legal counsel should guide the crafting of public statements, ensuring they are accurate, timely, and compliant with legal obligations. Remember, providing incorrect or misleading information can increase liability risks. Public statements can also affect, positively or negatively, the public's concern over their personal financial and privacy risks. Consult with legal counsel before making any public statements or communicating with affected parties.

Data breaches often involve various regulatory agencies. Cooperate fully with any investigation while also protecting the interests of the organization. This cooperation should be done under the guidance of legal counsel to ensure that it does not inadvertently increase liability.
