The Role of Legal Teams in Cybersecurity: Best Practices for Effective Breach Management
- Joanne Elieli
- Ethical Hacking
Cyber incidents have become a boardroom issue and a legal minefield, and they are a growing risk for organizations across the world. In this episode of EC-Council’s Cybersecurity Podcast, host Jay Bavisi speaks with Joanne Elieli, partner at Stephenson Harwood, UK, to unravel the critical junctures of cyber incidents and cyber law.
This riveting dialog navigates crucial topics like cyber incidents, ransomware, regulatory enforcement, cyber insurance, and the evolving role of AI in cybersecurity, and offers insights to business leaders, legal professionals, and cybersecurity practitioners.
Elieli started her career as a commercial litigator handling complex, multi-jurisdictional disputes, before transitioning into technology, data protection, and cybersecurity.
A pivotal moment in her career came with the introduction of the General Data Protection Regulation (GDPR) in May 2018.
GDPR empowered regulators to impose strict fines on organizations for data breaches, leading to heightened corporate attention to data security. This regulatory environment provided Elieli her first substantial exposure to cybersecurity issues, effectively serving as the gateway into this specialized legal field. Since then, her work in cybersecurity law has grown considerably, reflecting the growing importance and complexity of data protection and cyber risk management in the post-GDPR era.
Read on as Elieli shares insights into the impact of cyber regulations and future of cyber law, and explores what organizations need to know about navigating the complex world of cyber incidents and compliance.
When GDPR fines hit corporate liability
Organizations operating in the digital landscape face a critical question: Just how severe are the consequences of violating data protection laws like the GDPR? Elieli explains that under the GDPR, regulators can issue fines of up to 4% of a company’s global turnover. For large MNCs such as tech giants or airlines, this can amount to millions of dollars and make a substantial dent in the organization’s balance sheet.
The stakes grow higher when corporate structure is considered. Many global giants operate in the UK through wholly owned subsidiaries, which raises the question of how global turnover is assessed when a breach occurs at the subsidiary level. While some may assume the fine would only apply to the subsidiary’s revenue, the regulator can, at its discretion, look up the entire corporate chain and consider the parent company’s global revenue. This approach is precisely why international organizations are taking compliance seriously—regulators have both the reach and the resolve to ensure that data protection is enforced at the highest levels.
When ransomware hits your insurance policy
Ransomware remains one of the most persistent and devastating cyber threats organizations face today. Elieli shares a striking example in which a client initially faced a ransomware demand of £500,000 (approximately $670,538). However, once the attackers gained access to the company’s internal documents, including its cyber insurance policy, they discovered that the policy covered up to £10 million in ransomware payments. The attackers promptly increased their demand to match the policy limit.
Such instances are rare, but this one highlights a critical vulnerability that organizations often overlook: While most ransomware attacks involve indiscriminate data theft, some threat actors are willing to sift through stolen files in search of intelligence that can help them maximize their payday.
Call legal first in a ransomware crisis
In a ransomware crisis, legal counsel should be the first party involved. That way, all communications remain protected under legal privilege, and sensitive information is shielded from disclosure in litigation or regulatory investigations. Elieli stresses that reaching out to technical or PR teams before legal counsel can expose organizations to avoidable legal risks.
Case study: A ransomware attack that affected children
Of all the cybersecurity incidents she has encountered, Elieli reflected on the most challenging: a ransomware attack on a charitable organization supporting abused children in third-world countries. The incident took place in 2018–19, and the breach compromised the sensitive personal data of around 100,000 vulnerable children spread across multiple jurisdictions. Worse still, the children’s sensitive personal data was put up for sale on the dark web.
Under the UK GDPR, the charity was obligated to report the breach to the data protection authorities, as it posed a risk to the rights and freedoms of identifiable individuals. Moreover, because the high-risk threshold was met, the impacted children and their guardians also had to be notified. Many of them lived in remote areas with little or no access to the internet, email, or even regular postal services, making direct notification impossible.
Informing the children about the breach posed a further dilemma: the notification itself could cause more distress than withholding the information. With the help of local NGOs and community organizations, Elieli and her team were able to raise awareness in those communities about safeguarding against unsolicited approaches connected to the breach.
This case is a profound example of the human impact of cyber incidents, highlighting the need for technology, cyber law, and ethical responsibility to work together in cybersecurity crisis management. It also underscores the need for robust incident response plans and support teams in place before disaster strikes.
Making cybersecurity affordable for small-scale organizations
It is widely perceived that bringing in legal counsel early, establishing governance frameworks, and investing in comprehensive security measures during a cybercrime crisis are luxuries that only large organizations can afford. While it is true that security involves significant expense—the right people, processes, technology, cyber insurance, and external support such as PR and legal counsel—such resources should also be made accessible to small businesses and start-ups.
Cyber insurance is an evolving world
The role of cyber insurance in cybersecurity strategy is evolving, though it remains complex and nuanced. There is growing concern that some organizations view cyber insurance as a loophole and avoid making substantial investments into cybersecurity defenses.
Assessing the sufficiency of cyber insurance compared to having best-in-class cybersecurity defenses is challenging. Insurance policies alone cannot prevent cyberattacks or data breaches. These policies primarily provide financial remediation after a cyber incident. Organizations should invest in strong security infrastructure. Some insurance providers are exploring innovative ways to better evaluate risk, including using AI-driven continuous pen testing platforms to assess an organization’s security posture more objectively. This shift could proactively improve a company’s cybersecurity posture.
Breach reporting and emerging risks from AI integration
When it comes to breach reporting under cyber laws like the GDPR, many countries mandate organizations to report incidents but often fail to specify the scale or quantum of the breach.
The GDPR also has a short 72-hour reporting window which presents a significant challenge. To navigate this, organizations often submit a preliminary report indicating that a breach has occurred, even if key details are not yet available. They commit to updating the regulator as and when information comes in.
A large number of employees in most organizations have started using AI tools, often without adequate safeguards. From a legal standpoint, responsibility may rest with AI developers, users, or data controllers, depending on the data processing arrangements. The difficulty of conducting forensic analysis on AI systems further complicates attribution and liability. Because data fed into these tools may not be retractable, organizations urgently need robust AI governance frameworks and controls in place to prevent unauthorized data exposure.
AI and proprietary data: Legal challenges in cybersecurity
As AI, especially large language models (LLMs), increasingly processes corporate data, it often fails to differentiate between proprietary and non-proprietary data. This exposes corporations to significant risks such as NDA breaches and intellectual property violations, creating grounds for lawsuits.
A central question arises: Who is responsible when AI mishandles sensitive data? Is it the developers, the users, or the data controllers? Moreover, AI tools are now being integrated into insurance, cybersecurity defenses, and corporate workflows. This intersection of AI, cybersecurity, and law is another reason why clear regulatory measures are more critical than ever.
Given the cross-border nature of cyber incidents, Elieli supports the creation of an international cyber court, akin to the International Court of Justice (ICJ). However, she cautions that differing levels of cybersecurity maturity and political realities across countries would make implementation challenging.
Common legal risks
The most common legal risks from cyber incidents include financial loss, regulatory enforcement, and class-action litigation involving large groups of affected data subjects. However, a frequently overlooked yet critical risk is the failure to properly leverage legal privilege. Organizations often miss the opportunity to protect sensitive data at an early stage, which can lead to increased liability exposure. In the UK, involving internal legal teams straightaway can provide privileged protection for communication with the threat actor.
Establishing a strong relationship between the technical and legal teams well in advance, including joint preparation of incident response plans, ensures coordinated and effective crisis management.
Check out the podcast episode The Fine Print of Cyber Incidents: Law, Leadership, and Liability to hear what Joanne Elieli says about cyber threats and the regulations designed to curb them, and why organizations big and small must prioritize not just their bits and bytes, but also the legal frameworks that protect their future.
For more conversations shaping the future of cybersecurity, subscribe to the Cybersecurity Podcast by EC-Council.