The Cybersecurity Law Report Quotes Michelle Reed on Collaboration by Legal and IS Departments
Michelle Reed, co-leader of the cybersecurity, privacy, and data protection practice at Akin Gump, has been quoted by The Cybersecurity Law Report in the article “When and How Legal and Information Security Should Engage on Cyber Strategy: Assessments and Incident Response (Part Two of Three).” The article looks at how legal and information security professionals can work together on cyber incident responses as well as risk and privacy impact assessments.
Before a breach, the most important task for the chief information security officer and legal team, Reed said, is the incident response plan, which should be “the guiding document of what a company does in response to a breach.” Given that information security and legal policies and handbooks are often created separately, she said it is best for the cybersecurity attorney “to help translate the security and legal policies and procedures and make sure they go hand in hand.” An outside expert, Reed suggested, can then “help all of the relevant voices be heard and teams communicate so that the ultimate incident response plan reflects and then harmonizes all of their views and concerns.”
When an incident does occur, given the likely different approaches by information security and legal, Reed said, “someone should be keeping a record of which decisions are being made and when. Sometimes, the security team thinks that someone on the legal team is doing it, and the legal team thinks someone on the security team is doing it.”
Determining who is going to be the record-keeper, whether it is going to be on the legal or technical side, and how to coordinate efforts is crucial, although, Reed added, “operational decisions can be really difficult.” This makes it crucial for companies to have “one person who has their ear to the ground on operations and ensures that gets reflected in the plan.”