Among the many issues that can give rise to the initial uncertainty of responding to a significant cybersecurity incident is a failure by incident response team members to understand the perspectives and priorities of other stakeholders. But this complicating factor can readily be mitigated through cross-functional education and relationship building before an incident occurs.

In the first part of a two-part article in Cybersecurity Law Report (subscription required), Steve Surdu and Jennifer Martin, members of Covington’s cybersecurity practice with extensive experience responding to cyber incidents, explain the differences in how forensic analysts and lawyers approach incident response, and how those differences, if understood, can complement one another rather than lead to tension. 

Consider, for example, how evidence is viewed: In the initial stages of an incident, digital evidence drives a forensic analyst’s findings and informs his or her urgent need to contain a problem, but lawyers may already be thinking about how the evidence supports legal analyses and obligations, and longer-term litigation strategies. Or consider communications objectives: Forensic investigators are engaged in a problem-solving exercise to identify relevant systems, gather evidence, and deploy forensic tools, often resulting in significant back-and-forth communications and a quick escalation in the number of people involved in troubleshooting. Counsel, on the other hand, may be primarily concerned at this point with preventing unnecessary disclosures of security issues and oversharing of information, quelling public speculation and, importantly, maximizing the likelihood that formal attorney-client privilege and work product doctrines will attach to the communications associated with the investigation.

The article provides legal counsel and forensic investigators with an understanding of stakeholder priorities and concerns to better prepare to meet the common objectives of incident response. It also provides attorneys new to such investigations with a better understanding of the limitations of digital evidence and other challenges that may arise during the course of a forensic examination.

If properly understood, the different skill sets and insights that stakeholders bring to incident response are assets, rather than sources of disagreement, in meeting the shared objectives of efficiently uncovering the facts and mitigating client risks in the short and long terms.