Professional Comment

Responding To A Cyber Attack: Why You Should Call Your Lawyer

By David Varney, partner, and Isaac Bed, solicitor, in the technology team at independent UK law firm Burges Salmon (www.burges-salmon.com)

With the significant rise in data breaches and cyber incidents in recent years, organisations are increasingly aware of the risks that cyber attacks pose to their business, and cybersecurity threats are now a board-level issue. Sophos’ State of Ransomware Report 2023 indicated that around 44% of the UK businesses surveyed had suffered a ransomware attack in the previous year, with average recovery costs (excluding any ransom payment) of around £1.1 million.

Despite this increased awareness, when a sophisticated cyber attack does occur, organisations often focus their immediate attention on instructing third-party IT providers to contain and remediate the breach, rather than approaching their lawyers to help them meet their legal obligations in respect of it.

This article examines the legal obligations that organisations should consider when a cyber attack occurs, and the importance of obtaining legal advice on these issues at the earliest stage of an attack. Ideally that advice is sought as part of a well-planned and rehearsed cybersecurity readiness programme, put in place before any incident and ready to action if the organisation is attacked.

Key Considerations
Clearly the key concern for an organisation that has suffered a cyber attack is the restoration of its systems and the recovery of any data lost. To that end, unless the organisation has an internal team that can deal with an attack, it is critical to have an arrangement with a third-party IT provider already in place, or to instruct one as soon as possible after the attack is discovered.

However, in conjunction with their immediate IT response, organisations should also contact their lawyers for help with their immediate legal obligations, such as:
• the compliance obligations associated with paying any ransom to the attackers, including under sanctions and anti-money-laundering law;
• the obligation to notify regulators, such as notifying the ICO within 72 hours of becoming aware of a breach involving personal data, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms;
• any contractual obligation to notify their insurers of the attack;
• the obligation to notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms;
• any contractual obligation to notify third-party suppliers or customers of the attack.

It is important to remember that failure to notify an insurer within the required timeframe will often result in the insurer declining cover under a cyber policy. Similarly, failure to notify third-party suppliers or customers within any contractually required period may be a breach of contract, entitling those parties to terminate the agreement and potentially to claim damages.

The advantage of instructing lawyers as part of the immediate response to a data breach is that they can consider all of the above issues from the outset and scan the horizon for anything in the breach response strategy that may create problems for the organisation later, once the immediate impact of the breach has been resolved. These issues might include claims brought by individuals or customers as a result of the attack, or claims the organisation may wish to bring against third parties who bear some responsibility for the breach, such as a third-party IT provider that failed to protect diligently against it.

Most importantly, instructing lawyers at the outset of an attack means that the organisation can benefit from the legal privilege afforded to communications between clients and their lawyers. In particular, where a third-party IT provider is being instructed to investigate the root cause of an attack, having lawyers instruct the provider on the organisation’s behalf means that any report produced may be subject to legal privilege, allowing the organisation to retain control over the information and who it is disclosed to. That is of significant benefit should any claim be brought against the organisation as a result of the attack, or should it wish to bring a claim against a third party who may be responsible. Privilege is not automatic, however: whether a forensic report is privileged depends on the purpose for which it was commissioned and how the engagement is scoped and documented, which is a further reason to involve lawyers before the investigation starts rather than after it.

Key takeaways and implications
Ultimately, an organisation’s response to a cyber attack should prioritise its legal obligations in respect of the breach alongside its technical response. Having lawyers on hand at the earliest stage of a breach allows the organisation to remain compliant with its legal, contractual and regulatory obligations throughout the breach response process.

If you have any questions or would like to discuss any issue raised in this article, please contact David Varney or a member of Burges Salmon’s cybersecurity team. Burges Salmon has worked with carefully selected partners from across the cybersecurity industry to assemble a world-class team of experts who can address issues arising from a data breach or cyber attack, including digital forensics support. The team also has extensive experience of crisis management advice in the immediate aftermath of a data breach or during an ongoing cyber incident.