
Incident response planning: When to call in the lawyers

Red Canary’s General Counsel weighs in on when to engage your in-house lawyers during incident response planning, execution, and remediation.

Matt Spohn

Cybercrime is at an all-time high, as organizations scramble to defend against a shapeshifting threat landscape while sifting through proverbial crime scenes for digital footprints left behind. According to a recent report published by IBM, the average cost of a data breach rose to more than $4 million in 2020. Perhaps even more startling: it took an average of 287 days (that’s more than 9 months) to identify and contain such breaches. It’s not all grim news, though; companies with mature and organized incident response (IR) capabilities—commonly involving legal counsel—have proven to fare better year over year.

Incident response planning is no easy feat, requiring a collaborative approach from teams beyond infosec, including the legal department. While traditional response teams are sometimes hesitant to “bother” Legal, you’ll likely find them to be eager collaborators. The ransomware nightmares that keep you up at night probably disturb your lawyers’ sleep, too. Think of this post as a guide to the many ways you can and should engage your lawyers (you’re the client, after all!) to ensure you have all the right resources deployed in your incident response program.

Note: This article assumes that your company has in-house lawyers. But if not, there are many excellent private-practice attorneys who will partner with you.


Legal has an important role in planning for incident response—and if you don’t include Legal at all, your plan will have gaps that threaten its utility. Here are some key areas where you will want to collaborate:

Cyber insurance

The benefits of cyber insurance are well documented, and for the vast majority of companies the cost-benefit analysis will weigh in favor of getting coverage. However, it’s not as simple as saying “I want a $5 million cyber policy.” Unlike other business coverage (e.g., commercial general liability), cyber insurance policies are not standardized, meaning that coverage can vary widely from policy to policy. And cyber coverage often has many sub-limits to particular components of coverage, so your “$5 million cyber policy” may cover significantly less than that amount for particular losses.

Sounds complicated, right? But who is good at sorting through complex issues and making sense of dense text? Legal! Your lawyers can be a big help working with you and your insurance broker to sort out the coverage your company needs and confirm that a policy provides the promised coverage.

Incident response plan

An effective incident response plan is drafted in collaboration with your lawyers. Though most incidents can be resolved by the infosec team without involving Legal, lawyers should be consulted if an incident involves sensitive data (personally identifiable information, protected health information, payment card data, etc.) or could otherwise subject the company to liability. Accordingly, an effective incident response plan addresses the nuts and bolts of handling ordinary incidents, but also has well-defined triggers of when Legal should be called and how the legal team will interact with the rest of the response unit. That way, it is much less likely that someone says, “hey, maybe we should call Legal” too late in the process.

Data privacy policies

An incident response plan is usually just one part of a comprehensive data privacy program. Practically every company is subject to one or more state, federal, or international data privacy laws (CCPA, GDPR, and the forthcoming CPRA, VCDPA, and CPA are just some of the more notable examples). Regulators, investors, and M&A buyers will each expect to see written policies and procedures explaining how your company will comply with them in practice. Your lawyers should help clarify applicable laws, draft policies, and ensure they properly mesh with the incident response plan.

Vendor management

It is no secret that vendors can be a security risk; recent events involving SolarWinds and Kaseya software have brought that risk into focus. A strong vendor management program will help address that risk, and Legal should collaborate with infosec to help understand the risks presented by each vendor and properly address them in each vendor contract.

Customer contracting

If your company is a vendor, you will often be asked to make security and incident notification commitments in contracts with individual customers. In those cases, Legal and infosec need to work together to properly provide the necessary contractual commitments.

Tabletop exercises

Once you are happy with your incident response plan, test it with a tabletop exercise. There are many ways to run a tabletop, but the goal is to run through challenging incident scenarios with the relevant teams to ensure everyone truly understands how the plan will work in practice. Include an exercise that requires Legal’s involvement so you can practice how that will play out. There are many resources on how to run a tabletop, but first check with your cyber insurer—some will cover the cost and direct you to preferred providers. Also, many law firms are experienced in running tabletops that test the interactions between the infosec and legal departments.


Involving legal counsel in the planning phase will certainly pay off once a breach occurs. The plan should define and deploy key tripwires that’ll enable Legal to then orchestrate efforts with the incident handling team to contain and eradicate a threat.

Maintaining privilege

As explained above, a good incident response plan will direct the response team to call Legal as soon as they suspect sensitive data is involved, or the incident could otherwise expose the company to liability. If Legal is engaged properly, the company can maintain the attorney-client privilege over elements of the investigation to allow fast, full, frank analysis without concern for how heat-of-the-moment statements might look in the unlikely event of a follow-on lawsuit.

Some infosec teams fear that if the lawyers get involved, it will slow down containment. But today’s lawyers are usually comfortable interacting in Slack and other tools commonly used in incident response, and can help manage communications generally to avoid things getting out of hand. Planning in advance for your lawyers’ involvement (and ideally conducting a tabletop exercise) will help clarify expectations.

Activating cyber insurance and working with forensics and breach counsel

Legal is often best positioned to quickly determine whether an incident may be covered by cyber insurance and to start the claim process. This is important for the following reasons:

  • You jeopardize your coverage if you wait too long to submit a claim.
  • A valid claim unlocks the forensics team, breach counsel, and other professionals that most insurers provide.
  • In many cases, you can be in communication with such professionals within hours of submitting a claim by telephone.
  • Legal is often best situated to connect these teams and facilitate efficient communication, especially when the rest of the team is heads-down in responding to the incident.


Legal’s job is far from over once a threat has been contained. They should carry your team through the compliance finish line and act as liaison both internally and externally.

Breach notifications

If a security incident compromised sensitive information, applicable laws often require notifications to the subjects of that information, regulators, and others. Incidents like these are usually covered by cyber insurance, so the insurer-provided breach counsel will take the lead in determining the notification obligations, but Legal will still play an important part in helping gather and analyze the necessary information.

Other communications to those affected

Even if an incident does not involve legally protected data (which is the case more often than not), it may still require communication to those affected because of contractual commitments or, more simply, ethical duty. Your lawyers can analyze applicable contracts and help craft any communications with potential legal exposure in mind.


It is strongly advised to conduct a postmortem or similar review after an incident to assess what went wrong, identify areas for improvement, and determine how to prevent similar incidents from happening in the future. Unfortunately, this step is often overlooked by organizations, which can lead to follow-on compromises. Don’t let this be your company’s story. Because Legal works with a number of departments day-to-day, they can be a good facilitator of such exercises and help ensure company-wide follow-through.

In closing

Good law is good order. And order is necessary when it comes to how your company positions itself to respond in a virtual world full of chaos and crime. So, reach out to your favorite in-house lawyer and let them know you’d like to meet up to discuss their role within your incident response program. I’ll bet they will be eager to talk.

