InfoSec Insider

Incident Response: 5 Principles to Boost the Infosec/Legal Relationship

Effective cyber-incident response means working well with legal. Matt Dunn, associate managing director for cyber-risk at Kroll, lays out how to do it.

As an information-security professional, would you feel ready to respond to a state attorney in the event of a cyber-incident?

Around half (47 percent) of organizations polled for Kroll’s The State of Incident Response 2021 report said that their teams lack clarity around when to engage legal counsel about a potential incident. The potential impact of current and emerging cyber-incidents is so great that cybersecurity can no longer remain solely within the scope of an organization’s information-security team. The multi-layered nature of incident response demands input from resources across an organization, particularly legal.

We’ll go through five key approaches for helping the infosec and legal teams work together in partnership, but first let’s review some general best practices.


At least two in five organizations are currently ill-equipped to respond to the full legal requirements of handling an incident, while 43 percent are missing a clearly defined process to communicate with regulatory agencies. In many organizations, legal teams remain a significant blind spot within information-security programs. It is imperative that organizations ensure these two key teams are aligned before an incident takes place.

Sharing Knowledge Around Data Privacy & Protection

Every organization that digitally stores personal and/or sensitive information is required to implement data-privacy and protection measures. This requires legal and infosec teams to collaborate on the standards and controls necessary to meet these requirements.

Some privacy regulations, such as CCPA, HIPAA, CMMC and GDPR, provide specific mandatory measures that must be instituted when organizations electronically store customers’ personal information.

Data-mapping exercises are critical in identifying and cataloging protected personal information across an organization’s network. This process should also be used to remediate any vulnerabilities as necessary to meet applicable compliance requirements. It requires cross-coordination between legal and infosec, and should also include the development of a data-privacy program that lays out a roadmap to a privacy compliance process.

Creating and Implementing Cyber-Policies and Strategies

In the aftermath of an incident, it is understandable that organizations frequently prioritize financial concerns. After all, cyber-incidents can result in significant financial losses, whether that’s as a result of theft, forensic investigation costs, remediation and rebuilding networks, or paying a “ransom” or fines. Never mind the damaging impact on brand and reputation, and the potential loss of future business.

However, organizations must ensure that legal issues are high on their list of cybersecurity priorities – not only post incident/breach, but also throughout the process of creating and revising internal security policies, strategies and implementations. This is especially critical when addressing new regulatory or legislative privacy requirements.

Educating Legal on Baseline Cybersecurity to Optimize Programs

Effective incident response stems from a reciprocal stance on knowledge-sharing. It is important for the infosec team to receive legal consultation on the development of a data-privacy program, while the legal team must also be educated on baseline cybersecurity. Legal will then have better insight into the nuances of implementing new policies or technologies to further these programs.

The need for a symbiotic relationship between infosec and legal is never more pressing than when implementing new technologies. For example, the use of IoT devices which store protected health information (PHI), such as those used within the medical and health sectors, needs to be specified and addressed in an organization’s information-security policy, including how it applies to regulations such as HIPAA. Careful coordination by legal will enable infosec to apply appropriate “least-privilege” controls and configurations so that access to sensitive data is only provided to those who really need it.

Throughout the COVID-19 pandemic, many organizations have come to rely on video conferencing software to communicate with co-workers, customers and clients. These platforms are often used for discussing sensitive, and sometimes protected, information, and therefore a compromise can have significant negative repercussions. Infosec teams need to coordinate with legal to understand what security controls should be implemented to protect sensitive data from being accessed by unauthorized individuals.

While the infosec team can suggest and implement specific technology solutions, legal should be consulted to provide guidance on what applicable compliance regulations define as “reasonable” measures to meet mandatory minimum standards to protect this data.

In Partnership: Key Actions to Take in Response to Incidents

Today’s cyber-threat landscape requires the cross-coordination of infosec and legal teams to effectively respond to and recover from an incident, from a technical, as well as a regulatory and compliance perspective. The life cycle should generally follow these stages:

  1. Identify the Nature of the Breach and Required Remediation

When an organization identifies a potential intrusion or compromise within its IT network, infosec should coordinate with legal to provide continuous updates about the status of the forensic investigation. Legal will have the responsibility of determining whether a breach of mandatory reportable data has occurred, and the required remediation steps. The fact that an IT team was able to identify the root cause of a cyber-incident and contain and remediate the issue does not negate the need for a legal opinion on whether the “event” was reportable.

  2. Determine the Type of Data Exposed and Any Disclosure Obligations

Organizations should have an updated Incident-Response Plan that provides instruction on legal’s involvement, and outlines the partnership with infosec around the effective preservation of evidence. By coordinating the specific details of a cyber-incident, infosec and legal will be able to jointly determine the type of data exposed or accessed, the source of the compromise and whether there are any required disclosure obligations.

  3. Define Notification and Response

Infosec should keep legal apprised about the scope and type of each event in a forensic investigation, so that they can determine the most effective response. Legal should then shape this response based on data-privacy laws and data-privacy policy, defined by the type of breach which has taken place.

  4. Ensure Compliance Meets All Appropriate Laws and Regulations

The complexity of data breach and cyber-incident disclosures is magnified when organizations operate across multiple jurisdictions, each with different disclosure requirements and timelines. This means ensuring compliance with regional, national and cross-jurisdictional laws and regulations. The chain of custody should then be handled by legal, with the support of infosec.

  5. Prepare for Litigation and Undertake Reporting

Legal should prepare for possible litigation and provide guidance on potential civil, criminal or regulatory fines, while infosec is undertaking its investigation or restoring a network. Infosec will also need to update legal on the root cause of an incident and whether there was lateral movement in the network which may have potentially exposed protected information that would require mandatory reporting.

These phases are all too frequently conducted in a disjointed way when, to be effective, they must be carefully coordinated. To achieve this, organizations should develop a clear strategy in advance of the immediate incident response.


Despite the increasing pressure created by breaches, the legal implications of incidents remain a blind spot for many organizations. It is only by fostering collaboration between their infosec and legal teams that organizations can avoid the potential pitfalls of incident response. This will allow them to create a transparent and streamlined route for staff to follow for quick answers and more effective response when an attack is underway and time is of the essence.

Matt Dunn is the associate managing director for cyber-risk at Kroll.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.
