Sponsored By

4 Legal Surprises You May Encounter After a Cybersecurity Incident

Many organizations are not prepared to respond to all the constituencies that come knocking after a breach or ransomware incident.

Beth Burgin Waller

September 28, 2023

3 Min Read
A scale, indicating legal matters, on a digital background
Source: Brain light via Alamy Stock Photo

Most security professionals know the parade of problems that emerges after an incident, from data breach notifications to looming Securities and Exchange Commission materiality filings for public companies.

However, there are unexpected concerns that may surprise the average incident responder, and each has a potential impact on legal liability. As a cyber-incident breach attorney with experience handling dozens of ransomware incidents, these are my top four surprising post-incident considerations.

1. Cyber Insurance Review of Pre-Incident Security Controls

If you have cyber insurance and notify your carrier, there may come a time during the insurance reimbursement process when the carrier asks pointed questions about what security controls were in place before the incident. The carrier will also dive deep into what failed and the incident's root cause.

Take care to truthfully and accurately describe the controls you have in place on any insurance application and during the underwriting process. Recently, insurance carriers have sought to deny claims based on application misstatements. Therefore, not being truthful during the application process can have millions of dollars of consequences later. Work with your risk management team, insurance broker, and outside counsel — before an incident occurs — to make sure that the company's controls are accurately described and documented.

2. Auditor Investigations

Public companies, public bodies, and even small companies have CPA audits and reviews. Those reviews do not stop after a cybersecurity incident, and many auditors have questions about an incident. Engage specialized cyber-incident counsel to assist in navigating the responses to these questions. Any information shared with a CPA is unlikely to be considered confidential or covered by privilege, so any statement made about an incident could be used in a later lawsuit. Therefore, make sure that all statements are consistent with what was shared in notification letters and with employees, customers, and the media.

3. Banks Halting Ransomware Payments

After an organization has made the painstaking decision to make a ransomware payment, a series of legal concerns can arise while racing against a threat actor's timeline to leak information.

Many security professionals are familiar with the US Treasury Department's Office of Foreign Asset Control (OFAC) process for clearing a ransom payment and ensuring it does not get into the hands of a bad actor. Yet banks are increasingly hesitant to process wires to known threat negotiation firms. This is because organizations in the ransom payment's chain could, in theory, be held liable for an improper payment to a sanctioned entity under OFAC. Organizations should be prepared to navigate OFAC for their own and their financial institution's purposes. Be ready with a report to share information quickly with a financial organization so that it can clear the transaction.

4. Failing to Know Which Customers Need Immediate Notice

If your organization serves other businesses or is a subcontractor to governmental entities, you likely have agreed to certain incident-response notification requirements in contract or by statute. Create a spreadsheet tracking each notification timeline before you have an incident so that you can respond rapidly and comply with notification requirements. Otherwise, it could take a team of lawyers rapidly reviewing contracts to meet notification requirements. Failing to meet a notification requirement could make your organization in breach of a contract, and some contracts have large penalties for failure to provide notice.

Preparation Is the Best Incident Response Plan

Even the best tabletop exercise and incident response plan may have to be flexible to the changing circumstances of an incident. Being prepared to respond to the various constituencies that come knocking after an incident is a great first step to help manage the unknown.

About the Author(s)

Beth Burgin Waller

Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

As chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB), Beth's practice is fully devoted to cybersecurity and data privacy. Clients ranging from local government and state agencies to mid-market firms and Fortune 200 companies depend on Beth for advice and counsel. Beth's credentials in the field are extensive. She is a certified Privacy Law Specialist by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association. In addition, she is a Certified Information Privacy Professional with expertise in both US and European law (CIPP/US & CIPP/E) and a Certified Information Privacy Manager (CIPM), also from the IAPP. In 2022, the governor of Virginia appointed Beth to the Commonwealth of Virginia’s first Cybersecurity Planning Committee, a committee tasked with increasing the cybersecurity posture of public bodies and local governments in Virginia.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights