The Tenth Step to Forensic Readiness: Legal Review
When we plan our incident response strategies and forensic readiness steps, we strongly pay attention to digital evidence acquisition, storage, handling, reporting, and remediation. While these stages are of essential importance for the overall cyber posture of your organization it is more than important as well, throughout each of these steps, to include legal risks and considerations.
From a cyber security perspective, it is important to detect and remediate the threat, while on the other side the same kind of laser focus should be placed on legal issues such as state/federal laws, contractual obligations, and any other potential legal exposures or rights.
This is done since at certain points during a cyber-crime investigation, it will be necessary to review the case from a legal standpoint and get advice on any follow-up actions to strengthen your case.
Legal parties should be well informed and prepared for any matters related to cyber-laws and digital evidence legal handling within your organization. They need to be part of your incident response plan (from a legal standpoint) and be well informed about your internal security policies.
According to IJDE, advice from legal advisers will include:
- Any liabilities from the incident and how they can be managed
- Finding and prosecuting/punishing (internal versus external culprits)
- Legal and regulatory constraints on what action can be taken
- Reputation protection and PR issues
- When/if to advise partners, customers and investors
- How to deal with employees
- Resolving commercial disputes
- Any additional measures required
At the first incident detection phase, the incident response team will work closely with the legal consultants to collect information that may be vital to the case to determine whether there are any legal obligations that need to be raised to regulatory bodies. At this stage, the two teams determine the incident scope, threat scope, and the level of the vulnerabilities the cyber attackers potentially exploited.
Since time is a crucial asset in managing incidents the incident response team and legal team should work in parallel to minimize the potential damages of the incident in the shortest time possible.
Automation and speed are essential
Rapid detection and incident response needs to be based on automation and speed. While being in the DFIR market for more than 13 years, the team at Binalyze encountered how time is crucial when a data breach occurs because the faster you are the less time you give to cyber attackers to finalize their malicious activities. While collecting intelligent data from various digital forensic reports shows us that no matter how effective solutions you have deployed internally within your organization, time stays as the number one asset in fighting cyber attacks. Therefore we need to listen more closely to the market needs and challenges and start running towards them. Binalyze product roadmap is closely connected to this, enhancing incident response reports with compromise assessment solutions that include lightning-fast anomaly scans in seconds rather than weeks and chronological display of events that will save you time and money.
The faster you analyze digital evidence and get insightful information, the more efficiently the legal team can work. Once you move to the next stage (analysis and containment) new legal points may arise as more information comes to the light. Once you have finalized your compromised assessment report where you can learn more about the threat actor’s movements, the legal team can identify any specific data breach laws that may apply and create a comprehensive report and submit it to the insurance carrier and, if needed, may involve law enforcement as well.
Throughout the incident response process legal involvement is required due to the sensitive nature of the event. Cooperation at all times needs to be established between the incident response team and legal team to identify and answer any legal risk that may appear.
A comprehensive and systematic approach needs to be deployed that contains technical risk mitigation as well as legal risk mitigation. This kind of approach will make your organization forensic ready and cyber-resilient to any incident that may come along.