Cybersecurity incidents are becoming increasingly prevalent and sophisticated in nature, often resulting in, among other things, a loss or compromise of sensitive confidential or person information, material business interruption and significant remediation costs, reputational damage, and litigation exposure.
In order to successfully respond to, and contain a, cybersecurity incident, businesses must act quickly and methodically, especially during the critical first 72 hours following discovery of an incident. The quicker an organization acts, the more successful it will be in mitigating unfavourable consequences and risks. We outline below five key things businesses should consider implementing immediately following the discovery of a cybersecurity incident.
1. ENGAGE THE INCIDENT RESPONSE TEAM
As soon as possible after discovering a cybersecurity breach, the incident response team should be activated. The incident response team is made up of individuals within the organization who are best suited to respond to the breach and engage directly with third-party vendors and external legal counsel. The incident response team should be clearly identified in the organization's incident response plan, which will save valuable time when a breach occurs. Each individual's role within the incident response team should be clearly defined to avoid any confusion or duplication.
Getting the incident response team involved early on will ensure that all the information related to the incident is recorded and documented in a manner that can withstand any eventual scrutiny by customers, key stakeholders and regulators, particularly in the context of the mandatory reporting, notification and record-keeping requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA) and similar provincial and even international laws.
2. ENGAGE LEGAL COUNSEL
To ensure the organization's legal interests are well protected, external legal counsel should be engaged as soon as possible following a cybersecurity incident. Along with the incident response team, external legal counsel has an important role to play in the implementation of the incident response plan and can assist in mitigating the risks of legal liability and litigation.
Moreover, since in-house lawyers are often the subject of heavy scrutiny in investigations following a cybersecurity incident, especially if they also advise the organization on business matters, external legal counsel can provide additional protection that is often essential for organizations in responding to a cybersecurity incident. For example, external legal counsel may assert lawyer-client privilege where appropriate for most, but not all communications with their clients.
3. CONTAIN AND INVESTIGATE THE BREACH
In the aftermath of a breach, the incident response team should implement measures to both contain and eliminate the threat. This could mean disconnecting the affected systems or devices from the network and from other devices to isolate the damage and prevent the propagation of the breach. In many situations, it may also be crucial to ensure that certain data is preserved throughout the process, which could be necessary down the line for forensic purposes or in the context of an inquiry by regulator or litigation. The response team must consider the overall implications on the organization rather than only on its immediate needs.
Rather than immediately trying to find the root cause of the breach, the primary focus following the incident once it has been contained and that the environment is secure, is to identify what information has been compromised (i.e., personal or confidential business information). Afterwards, the scope of the incident should be assessed by the response team (i.e., number of systems affected, volume of data stolen or compromised, etc.).
At this time, the main role of the incident response team is to gather and record the facts and actions taken by utilizing a variety of tools such as administrative assessments and interviews, while coordinating the forensic investigation. In doing so, the incident response team ensures the incident is categorized properly and that the appropriate steps are taken to effectively respond to the incident.
4. NOTIFY AND REPORT
Once the cybersecurity incident has been contained, remediated, and all affected systems are running smoothly again, the focus must shift towards assessing the breach further in order to determine whether any legal reporting or notification requirements apply based on the circumstances of the incident. For example, under PIPEDA, organizations must notify affected individuals and report to the Office of the Privacy Commissioner any breach of security safeguards if it involves personal information (i.e., any information about an identifiable individual) and if there is a risk that it could create significant harm to an individual. Depending on whether the organization is subject to any other legislation with extraterritorial reach (i.e., the EU's General Data Protection Regulation), there may be additional notification requirements to consider. The incident response team should work closely with external counsel to determine which, if any, notification requirements apply.
5. BE PREPARED FOR NEXT TIME
Once the cybersecurity incident has been contained and operations are fully restored, organizations should identify how they can better respond to cybersecurity breaches in the future. For example, having an incident response plan in place is perhaps the most important step an organization can take to protect itself from, and prepare itself for, a cybersecurity breach, yet many organizations do not yet have such plans in place. Beyond its use to the organization during the actual breach, a well-thought-out incident response plan also provides evidence to regulators that the organization took all reasonable steps to mitigate the risk of a cyberattack.
When it comes to effective cybersecurity incident response, expediency and preparedness are key. Organizations must continue to develop and improve their cybersecurity posture in order to keep up with the ever-changing landscape of cybersecurity threats. The key steps outlined in this article should help guide organizations in responding efficiently to an eventual cybersecurity breach. Timely involvement of the incident response team and external legal counsel, as well as having a solid incident response plan in place, will help mitigate the risks organizations are exposed to in the aftermath of a cybersecurity breach.
This article is the second instalment in a series examining how businesses can stay vigilant, resilient and secure, as part of Cybersecurity Awareness Month. The next article in the series will explore cybersecurity diligence in M&A transactions.
For permission to reprint articles, please contact the Blakes Marketing Department.
© 2019 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.