Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Guide To Navigating the Legal Perils After a Cyber Incident
Jess Nall, a defense attorney specializing in infosec professionals, provides strategies for navigating legal challenges after a major cyber incident.
7 Min Read
Alamy
In the fallout from high-profile security breaches, individuals often bear the brunt of the blame. Even when they act in good faith or follow strict corporate directives, CISOs increasingly find themselves the targets of government regulators, including the SEC, DOJ, and FTC. These professionals have been charged with offensives that range from securities fraud to obstruction of justice.
CISOs face the dual challenge of protecting organizations against cyber threats while safeguarding their careers and reputations from legal risks. To navigate these pressures, they desperately need holistic defensive strategies. One expert providing this support is Jess Nall, a defense attorney at Backer McKenzie specializing in defending CISOs and infosec professionals. Nall, who spoke at Black Hat 2024 in a briefing titled Skirting the Tornado: Essential Strategies for CISOs to Sidestep Government Fallout in the Wake of Major Cyberattacks, has decades of experience defending workers from unjust blame during federal investigations.
In this article, we will explore real-world cases and the insights from Nall’s Black Hat presentation, discussing lessons learned and strategies for navigating the turbulent legal tides of cyber-incident fallout. Whether you are a CISO or a lower-level infosec professional, today’s shifting regulatory landscape requires you to prepare for every aspect of a security incident – from properly documenting critical communications to knowing when it is time to exit before it is too late.
Regulatory Entanglement: A Growing Risk
Cyber incidents pose significant technical challenges, but the real storm often hits after the breach gets contained, Nall said. That’s when regulators step in to scrutinize every decision made in the heat of the crisis.
While scrutiny has traditionally focused on corporate leadership or legal departments, today, infosec workers risk facing charges of fraud, negligence, or worse, simply for doing their jobs.
The Yahoo breach
Consider the 2014 Yahoo breach, which Nall discussed in detail during her presentation. The attack, orchestrated by Latvian hacker Alexsey Belan at the urging of Russia’s intelligence agency FSB, compromised the personal data of more than 500 million Yahoo users. The breach followed a similar incident the previous year. Although Yahoo’s security team quickly identified Russia as the likely culprit, the full scope of the breach wasn’t disclosed to shareholders or the public for several years.
While Yahoo’s response, particularly in terms of communication and disclosure, had shortcomings, the security team successfully identified the breach as the work of a state-sponsored actor.
What went wrong
Instead of notifying the public or shareholders, Yahoo’s CISO briefed only one company lawyer on the full extent of the breach, Nall said. Critical communications between the legal and security teams were subsequently lost or destroyed. By the time Bob Lord, the incoming CISO, uncovered the breach in 2016, Yahoo was already under intense scrutiny due to its impending sale to Verizon and an activist board. This led to multiple investigations by the SEC and U.S. Attorney’s Office.
Nall, who represented Yahoo employees during this legal battle, noted that the investigation focused heavily on internal communications. Investigators wanted to know who knew what and when. The SEC’s investigation was particularly aggressive, targeting executives but also employees at all levels, Nall said.
The Yahoo case is a cautionary tale about the dangers of poor internal communication, failure to preserve records, and overreliance on selective briefings. As Nall explained, if Yahoo’s CISO had maintained a clear paper trail and facilitated better communication practices during the incident, the situation might not have escalated into a protracted legal disaster for Yahoo employees, most of whom were at no fault.
Understanding the Regulatory Landscape
Recent developments in cybersecurity regulation reflect the growing focus on holding individual workers accountable for major breaches. In her briefing, Nall pointed to one prominent example of this shift: the SEC’s regulation S-K Item 106 (§ 229.106), introduced last year. The regulation requires companies to disclose detailed information about their cybersecurity risk management, governance, and strategies.
While the SEC regulation may appear straightforward, Nall noted that the burden of compliance often falls disproportionately on individual CISOs – despite many cases where they have limited control over the exact wording used in their organizations’ mandatory public disclosures and other documents, which can come from departments like marketing or sales. If these disclosures include exaggerations, undetected or approved by leadership, they can lead to serious legal consequences for CISOs.
The SolarWinds hack
Driving home the importance of accurate disclosures and marketing materials, Nall cited the 2019-2020 SolarWinds hack, another Russia-linked attack that compromised data for an estimated 18,000 or more customers, including large corporations and government branches. The breach was further complicated by inaccuracies in how the company had portrayed its security capabilities leading up to the incident.
Nall explained that senior management and other stakeholders at SolarWinds, including the legal department, were aware that the cybersecurity claims in the company’s marketing materials were “aspirational,” yet they approved them.
When the breach came to light and investigations commenced, Tim Brown, the company’s CISO, faced securities fraud charges under SEC Rule 10b-5. It was the first instance of a CISO being charged under a law typically reserved for serious financial crimes.
Although the SEC has been pressured to step down the charges, Nall noted that anything short of an acquittal would unjustly equate Tim Brown with convicted financial fraudsters like Bernie Madoff and Sam Bankman-Fried.
Regulation By Enforcement
Instead of clear, universal cybersecurity standards, regulatory bodies like the SEC only define acceptable practices after a breach occurs, Nall said. This reactive approach puts CISOs and other infosec workers at a distinct disadvantage.
"Federal prosecutors and SEC attorneys read the paper like anyone else, and when they see bad things happening, like major breaches, especially where there is a delay in disclosure, they have to go after those companies," Nall explained during her presentation.
Strategies For Legal Defense, Communication, and Record-Keeping
Fortunately, CISOs and other infosec workers can take several concrete steps to protect their careers and reputations. By implementing airtight communication practices and negotiating solid legal protections, they can navigate the fallout of a disastrous cyber incident. The following strategies, adapted from Nall’s presentation at Black Hat, provide a blueprint for surviving these turbulent situations.
Before a breach
Establish cross-functional communication: Ensure your company has clear communication channels that include cybersecurity, legal, and executive teams.
Document everything: Keep detailed records of decisions, communications, and security-related actions. The documentation can be vital as evidence in case of investigations. As Nall put it, “A note-to-self can be a get-out-of-jail-free card.”
Negotiate legal protections:
For all infosec workers:
Indemnity under state law: Not all states offer indemnity. Nall advised that if you have an option, you should select California law in your employment contract.
Contractual indemnity agreements: Ensure the company will cover your legal fees and allow you to choose your lawyer. Additionally, ask about new insurance products specifically for CISOs and infosec.
For CISOs:
D&O (Directors and Officers) insurance coverage: Understand the policy limits, including Self-Insured Retention (SIR) or deductible, and the extent of the legal protections provided.
During a crisis
Avoid ephemeral messaging: Refrain from using SMS or disappearing message apps during a breach. The lack of communication records could be interpreted as an attempt to hide crucial information.
Be transparent but strategic: Always consult legal counsel before disclosing sensitive information. Nall advised labeling communications as “attorney-client privileged” whenever possible to maintain confidentiality. It can help protect you from unnecessary exposure to litigation.
After a breach
Escalate when necessary: If you face internal resistance to transparency and best practices, escalate the issue to the board.
Know when to leave: If you believe that the company’s handling of an investigation becomes unethical or risky, it may be time to consider resigning. Nall recommended that CISOs be ready to “pull the ripcord” if the situation warrants it.
Additional support
Seek outside legal counsel when necessary: Consult external counsel if your company’s legal team doesn’t adequately protect your interests.
Whistleblower protections: Federal regulations offer protections for individuals reporting misconduct. If needed, use whistleblower programs such as anonymous hotlines.
The Takeaway
Navigating the aftermath of a cyber incident has become a high-stakes balancing act. The evolving legal and regulatory landscape puts tremendous pressure on individual workers. To thrive in this environment, infosec workers must adopt a proactive approach.
Don’t wait for a crisis to defend yourself—lay the groundwork early and communicate clearly and strategically. As Nall said, “Don’t go it alone, and don’t take it lying down.” Infosec workers who combine technical expertise with legal savvy are more likely to land safely rather than get caught in the fallout of regulatory issues.
About the Author
You May Also Like
.png?width=700&auto=webp&quality=80&disable=upscale)