Outside counsel is increasingly the first call for businesses after a breach, even before the incident response teams.
According to CrowdStrike's Global Incident Response report released this week, outside counsel (rather than an organization itself) arranged 49 percent of incident response engagements.
Shawn Henry, president of services and chief security officer at CrowdStrike, singled it out as one of the most interesting statistics in a broad-ranging report.
"It's an increase for sure," said Henry. "In the past, it was more likely in Fortune 500-sized companies — larger companies have outside counsel already on retainer. We've seen an increase from companies smaller than that."
The common wisdom is that companies should engage outside counsel to be shielded by attorney-client privilege. Companies might be less enthusiastic about unearthing evidence for a lawsuit and scale back the depth of their investigation into a breach accordingly.
But there are other reasons. Lawyers experienced with breaches may be better equipped to handle an increasingly complex regulatory and business environment. They are also useful to bring in on the ground floor, said Craig Hoffman, partner at the law firm BakerHostetler. Not only can they help coordinate disparate business, law, and tech interests that often don't operate in sync, they have experience with the incident response companies that breach victims often need to help address the risk.
"We've seen thousands of matters," Hoffman said. "We know the choices you'll face and how others have faced them."
Hoffman said that the increase CrowdStrike noticed in engagement of outside counsel meshes with BakerHostetler's own experience. In 2019, the firm assisted around 1,000 cases. In 2020, it's looking more like 1,600.
Henry singled out ransomware as a growing legal issue that may lead chief information security officers to call a law firm before an IR company. In October, the Department of Treasury warned companies that it would not tolerate paying ransoms to sanctioned entities. While Hoffman notes that nearly all ransomware comes from criminals, not sanctioned entities, this could still compel companies to seek legal counsel.
Those aren't the only regulations that drive the move toward getting outside counsel involved early in the process, said Michael Phillips, chief claims officer at the cyber insurance firm Resilience.
"I see this most often to ensure that victims of cybercrime can receive candid and comprehensive legal advice about the incident" to ensure they comply with existing laws, he said via email. "Over the past eight years, there has been an explosion of privacy regulations and breach laws hitting the books; for example, the California Consumer Privacy Act, the New York DFS cybersecurity regulation, and the EU's GDPR."
Regardless, Hoffman sees the increase as an encouraging sign that companies recognize the risk.
"As more companies identify the right way to do incident response, they set up plans in advance," he said.