How your incident response plan can prevent litigation following a cyber-attack: Blakes lawyer

In-house counsel play vital role in responding to incidents

How your incident response plan can prevent litigation following a cyber-attack: Blakes lawyer
Nicole Henderson

As cyber threats continue to evolve amid the pandemic crisis, organizations are increasingly vulnerable. The best defence from litigation following a cyber-attack is the implementation of a comprehensive and realistic incident response plan that is easy to access, according to Nicole Henderson, litigation partner at Blake, Cassels & Graydon LLP.

“This is important, not only to deal with the immediate fallout of a cyber incident, but we’ve also seen some cases in litigation where courts have commented favourably on an organization’s effective response to an incident,” says Henderson. Even in cases where the incident response plan is not central to legal liability issues, it can help to mitigate risk, she says.

Litigation and class actions can arise where cyber-attacks lead to the unauthorized use of the personal information of customers, clients and other stakeholders.

“It’s not just the large hacking incidents that you see on the news that are potentially going to cause litigation and class actions,” says Henderson. “I’ve been involved in class actions that involved criminal cyber-attacks by third parties, but there’s also the type that involves a rogue employee who has solen data from the employer.”

Henderson also urges in-house counsel to circulate within their organizations the idea that a cyber incident really is a legal incident and not just an IT security issue. It is essential that in-house counsel are involved in the incident response team immediately following an attack.

“We’ve seen incidents where a well-intentioned IT security group have been handling a breach on their own for days or even weeks before in-house counsel are made aware of it,” says Henderson. “That can really be a lost opportunity to mitigate risk and also to ensure that the organization is complying with all relevant regulatory requirements, reporting requirements and so forth.”

The COVID-19 pandemic has given rise to an increased prevalence of phishing emails purporting to be from reputable organizations offering medical advice, or providing information about vaccines. Such emails will ask the reader to click on a link that downloads malware or requests personal information. The shift to remote work has also created vulnerabilities as many organizations have not implemented multifactor authentication to access their systems.

In the post-pandemic landscape organizations will find more opportunities to be agile in terms of how they collect and use the data of customers, clients or other stakeholders, so in-house counsel must take corresponding steps to ensure that data is adequately protected, Henderson advises.

“An important thing for in-house counsel and others to be aware of is that cyber security really is to some extent a game of cat and mouse,” she says. “It’s important, even with all the resource strains that organizations of all sizes are facing during the pandemic, to be very much on top of IT security and to make it a priority because cyber criminals are constantly innovating and improving their techniques.”