A recent Tripwire survey of 150 information technology professionals in the oil, natural gas, and electricity sectors found that more than 75 percent worked at organizations that had experienced at least one cyber attack in the past 12 months, and more than 80 percent believe that such an attack will harm physical infrastructure this year.1 When a cyber attack affects a company, quickly involving counsel is vitally important to manage the potential consequences.
Asserting and Protecting Attorney-Client Privilege
A key first step for legal counsel is to consider how to protect privileged discussions and documents. The failure to timely and properly do so could lead to costly disclosure and exposure of information that would have rightfully received protection had the privilege been a core consideration from the beginning. In re: Target Corporation Customer Data Security Breach Litigation,2 outlines a possible approach implemented by Target in the wake of a major data security breach. At the direction of in-house counsel, Target established a Data Breach Task Force and retained outside counsel to provide legal advice. Target asked a vendor hired to assist with the investigation to provide two teams that would handle two separate tracks of the investigation: one that would act at the direction of outside counsel for the purpose of providing legal advice, and one to conduct a non-privileged investigation to enable Target and its affiliates to respond quickly and appropriately to the breach.3
The two teams were walled-off from one another to prevent the sharing of any privileged material handled by the “legal” investigatory team. This approach enabled Target to better demonstrate to the court precisely how the privilege had been asserted and maintained over documents created in the “legal” track of the investigation, while also allowing the technical teams at the time to work as quickly as possible to stop the attack and remediate affected systems. While certainly not the only way the attorney-client privilege can successfully be maintained in the context of responding to a cybersecurity incident, this dual-track investigation approach may be beneficial.
Assessing Affected Systems and Data
Cyber attacks may involve the loss of or disruption to systems and data. While energy companies typically do not hold significant amounts of consumer information, payment card information, or health information, the compromise of these types of information (and others) may trigger specific external notification requirements under law, that may require the company to disclose an incident that otherwise may have been addressed internally. As soon as possible, counsel should work with technical teams to understand and clarify the scope of systems and information affected. If the integrity of business email systems is affected, alternate communication approaches may be required. Especially in the case of an ongoing disruption of power or critical business operations, the same personnel that have access to these facts may also be the team responding to that attack, so counsel fitting into the operational tempo is important to minimize disruption to the response effort to bring these systems back online.
Preparing for Reporting and Notification Requirements
Preparing for reporting and any notification requirements is a key next step. Particularly because “facts” often change as an investigation progresses, care should be taken to vet any messaging that goes beyond what has been forensically confirmed. Consider the following:
Cybersecurity insurance policies often have a very brief window to notify the carrier of a suspected incident. Even a brief, preliminary notification to the insurer may be adequate to preserve coverage. Consult your policy to assess your specific terms and conditions.
- Coordination with the procurement or contracts administration team may be needed to identify and execute any specific contractual requirements to notify certain customers.
- Depending on the impact of the attack, law enforcement, such as the Federal Bureau of Investigation,4 and other federal and state officials may proactively contact the company, or the company may elect to request government technical assistance, such as through ICS-CERT.5
- Briefing to senior leadership of the company and to the board of directors should be considered as the potential impact of the cyber attack comes into focus. Counsel should be prepared to advise how and when to engage and to advise on the appropriate level of detail concerning the company’s risk exposure.
- Information provided to individual consumers and news media, if any, should be strategically considered.
- Notifications to federal and state energy regulators should use consistent language and occur in accordance with any regulatory timelines or content requirements.
- Publicly held companies must also consider whether cybersecurity risks and cybersecurity incidents must be disclosed, either as a one-time reporting event or as part of the annual reporting cycle.6
Returning to Steady-State
Once the attack has ended, counsel will continue to play a role, incorporating lessons learned and preparing for future events.