Bring up the topic of incident response communications, and you might think of a breach notification posted on a website or sent via email or letter to affected customers. But internal communications related to security events are just as important to get right. Emotionally charged, sarcastic or overly revealing exchanges among employees could come back and bite the employer in a legal discovery situation.
“Most plaintiffs’ attorneys are casting a very wide net when it comes to discovery, so they're going to ask for a dreaded ‘all information,’ and what that means is, we're not just talking about formal reports or considered communications,” said Ann Marie Mortimer, managing partner and co-head of commercial litigation practice at Hunton Andrews Kurth LLP, speaking Tuesday in an incident response panel session at the 2021 RSA Conference. “We're talking about communications that happen in the heat of the moment of a security incident.”
This means not only emails, but informal chats via text or business communications platforms could be used against an individual or the company to prove mishandling of a security incident, even if the organization may have acted responsibly.
“These off-channel forms of communication can be real gold for someone trying to reconstruct a scenario – particularly that the company was already aware of a security vulnerability or didn't respond adequately or quickly enough,” said Mortimer.
“So remember, when you're using your Slack or your text or any other app, you're not writing in invisible ink. Those things are actually going to be produced in a litigation – and while it's hard to adopt that mindset in the moment, you need to start disciplining yourself now so that when you get to litigation, an email you fired off in the heat of the moment doesn't come back to haunt you in a deposition.”
Even if a written statement was meant in jest or is an exaggeration of what actually transpired, opposing attorneys litigating a security or privacy civil case could use your own words against you. So employees should at all costs avoid putting in writing anything that could be interpreted to make the company sound negligent. Mortimer referred to this concept as “communication hygiene.”
“Before you hit send on that message, think to yourself: How would I feel if that was blown up into giant font and posted in the middle of Times Square? Would I be comfortable with that communication? Because that's the standard that you need to adopt,” she said.
This rule of thumb applies to communications not just in the aftermath of a breach, but also before a security incident ever occurs, Mortimer added. After all, lawyers can look back at your history to see what the company knew, and when.
“Sometimes it's not the specific words you use, but the tone; and the tone is often toxic,” added fellow panelist Brian Levine, managing director at EY Parthenon. “I've seen numerous instances where a case was going nowhere, it was going to be dismissed… and then for whatever reason emails became exposed.”
As a result, the plaintiffs suddenly gained the upper hand. “Now it's going to head towards settlement because even though it's only smoke – it's not fire – the smoke is enough that the company doesn't really want to take the risk of going to trial.”
Of course, a typical security team employee may not consider the legal consequences of his or her words, so it behooves companies to inform workers about these issues and train them to be more mindful of what they put in writing, Mortimer noted.
And there’s actually a second reason employees should be mindful of their internal communications following a breach: the cybercriminal who executed the compromise may be watching. “And that may interfere with your ability to negotiate effectively with the criminal,” said Levine. “If it’s a ransomware situation, the bigger your reaction, the higher the price may go.”