Legal Pitfalls to Avoid in Security Incidents

Conference: BlackHat USA 2021



Importance of incident response plan and documentation in cybersecurity incidents
  • Cybersecurity needs a seat at the table in procuring cyber risk insurance
  • Using an incident response plan and documentation is critically important in incident situations
  • Incident documentation helps in telling the story of what the company did and why it did it
  • Incident documentation helps protect chain of custody and preserve privilege in a two-track investigation
  • Legal pitfalls to avoid in cybersecurity incidents

When a company does not document what it did, why it did it, and in particular the timeline, it becomes very hard to answer questions from insurance carriers in order to get reimbursed. It is just as hard to answer questions from plaintiffs and the like. Incident documentation is what makes it possible to do those things.


Privilege, two-track investigations, OFAC, insurance coverage, and preserving evidence... Lawyers think about this stuff from the jump in a security incident, and you should be aware of them too. Often, attorneys are brought into a security incident after key decisions get made - sometimes those decisions accept unknown legal risk. This session will focus on the lawyer's role in a security incident and how lawyers work together with information security professionals by walking through real-world client examples.