
19.5 Legal Considerations During Incidents

Important Disclaimer: This section provides general educational information about legal considerations during incident response. It does not constitute legal advice. Laws vary by jurisdiction, change frequently, and apply differently based on specific circumstances. Always consult qualified legal counsel for guidance on your organization's legal obligations and response.

Supply chain incidents create legal exposure that extends far beyond the immediate technical response. When customer data is exfiltrated through a compromised dependency, organizations face potential regulatory fines, breach notification requirements across multiple jurisdictions, customer lawsuits, and insurance claims—each with specific documentation requirements and deadlines. The December 2020 SolarWinds breach led to SEC charges against the company and its CISO in October 2023, a $26 million shareholder settlement, and years of ongoing litigation before the SEC case was ultimately resolved. Legal considerations must be integrated into incident response from the first moments, not addressed as an afterthought.

The intersection of technical and legal response creates tension. Incident responders want to restore systems quickly; legal teams need evidence preserved. Engineers want to communicate openly; counsel may advise caution. Navigating these tensions requires understanding both domains and establishing coordination processes before incidents occur.

Evidence Preservation for Potential Litigation

Evidence that proves invaluable in litigation may be routinely destroyed during normal incident response. Rebuilding compromised systems destroys forensic artifacts. Rotating credentials invalidates tokens needed to trace attacker activity. Log rotation removes records of the incident timeline. Evidence preservation must happen early and deliberately.

Evidence preservation requirements:

When litigation is reasonably anticipated, organizations have a legal duty to preserve relevant evidence. This litigation hold (also called legal hold) requirement means:

  • Suspending routine data deletion for potentially relevant systems
  • Preserving logs, backups, and artifacts that might otherwise rotate
  • Notifying custodians of relevant data about preservation obligations
  • Documenting what was preserved, when, and by whom

For supply chain incidents, relevant evidence typically includes:

  • Dependency manifests and lockfiles showing compromised component versions
  • Build logs and CI/CD pipeline records
  • Network logs showing communication with attacker infrastructure
  • Memory dumps and disk images from affected systems
  • Access logs for systems the compromised component could reach
  • Communication records (email, Slack, tickets) related to the incident
  • SBOM and vulnerability scan records from before and after the incident

Work with legal counsel to define preservation scope. Over-preservation is expensive; under-preservation risks spoliation (destruction of evidence) claims. The right balance depends on the specific incident and potential legal exposure.

Chain of Custody and Forensic Requirements

Evidence used in legal proceedings must be demonstrably authentic and unaltered. Chain of custody documentation tracks who had access to evidence, when, and what they did with it.

Chain of custody considerations:

  1. Document collection: Record who collected each piece of evidence, when, from where, and using what method.

  2. Secure storage: Store evidence in locations with access controls and audit logging. Evidence should be read-only or write-protected where possible.

  3. Hash verification: Calculate cryptographic hashes (SHA-256) of evidence files at collection time. Verify hashes before use to prove integrity.

  4. Access logging: Maintain records of who accessed evidence and why. Limit access to those with legitimate need.

  5. Handling documentation: If evidence must be processed (e.g., extracting files from an image), document each step and preserve original alongside derived artifacts.

```bash
# Example: Evidence collection with integrity verification

# Create an evidence directory named with the collection timestamp
EVIDENCE_DIR="evidence_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$EVIDENCE_DIR"

# Collect the artifact and record its SHA-256 at collection time
docker save affected-image:tag > "$EVIDENCE_DIR/container_image.tar"
sha256sum "$EVIDENCE_DIR/container_image.tar" > "$EVIDENCE_DIR/container_image.tar.sha256"

# Document the collection: who, when (UTC), and from where
{
  echo "Collected by: $(whoami)"
  echo "Collected at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  echo "Source: production-server-01"
} >> "$EVIDENCE_DIR/collection_log.txt"
```
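As an added example (not the book's own code), the following chain-of-custody manifest puts the five considerations above into practice: each collected file is write-protected, hashed with SHA-256 and logged with collector, time, source and method; a derived artifact records the original it was produced from; later handling is logged; and verify() reports any item whose current hash differs from the one recorded at collection. File names and the host name production-server-01 are assumed, following the snippet above.

```python
"""Chain-of-custody manifest (constructed example, not from the book): who/when/where/how per item, SHA-256, access log, verification."""
import getpass, hashlib, json, os
from datetime import datetime, timezone
from pathlib import Path
MANIFEST = "chain_of_custody.json"
_now = lambda: datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def sha256_file(path):
    """Stream the file so a multi-GB disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _load(evidence_dir):
    p = Path(evidence_dir) / MANIFEST
    return json.loads(p.read_text()) if p.exists() else {"items": {}, "events": []}

def _save(evidence_dir, manifest):
    (Path(evidence_dir) / MANIFEST).write_text(json.dumps(manifest, indent=2))

def collect(evidence_dir, src_path, source, method, collector=None, derived_from=None):
    """Copy src_path into evidence_dir, write-protect it, hash it and log the collection.
    derived_from names the parent item for files produced from another (e.g. extracted from an image)."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    dest = evidence_dir / Path(src_path).name
    dest.write_bytes(Path(src_path).read_bytes())
    os.chmod(dest, 0o444)  # read-only: an accidental edit now fails loudly
    who = collector or getpass.getuser()
    manifest = _load(evidence_dir)
    manifest["items"][dest.name] = {
        "sha256": sha256_file(dest), "source": source, "method": method,
        "collected_at": _now(), "collected_by": who, "derived_from": derived_from}
    manifest["events"].append({"time": _now(), "action": "collect", "item": dest.name, "who": who})
    _save(evidence_dir, manifest)
    return manifest["items"][dest.name]["sha256"]

def log_access(evidence_dir, item, who, purpose):
    """Append an access record: custody covers every handler, not only the collector."""
    manifest = _load(evidence_dir)
    manifest["events"].append({"time": _now(), "action": "access", "item": item, "who": who, "purpose": purpose})
    _save(evidence_dir, manifest)

def verify(evidence_dir):
    """Return names of items that are missing or whose current hash differs from the recorded one."""
    base = Path(evidence_dir)
    return [name for name, rec in _load(base)["items"].items()
            if not (base / name).exists() or sha256_file(base / name) != rec["sha256"]]
```

Run verify() before every use of the evidence and keep its output with the manifest; an empty list is the integrity record a reviewer will ask for.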

For incidents likely to involve litigation or law enforcement, consider engaging forensic specialists who can collect and handle evidence according to standards that will withstand legal scrutiny.

Notification Obligations

Supply chain incidents that compromise personal data trigger notification requirements under various laws. These requirements specify who must be notified, what information must be provided, and how quickly notification must occur.

Major notification frameworks:

| Framework | Scope | Timeline | Key Requirements |
|---|---|---|---|
| GDPR (EU) | EU resident data | 72 hours to regulators | Notify supervisory authority; affected individuals if high risk |
| US State Laws | Varies by state | 30-90 days typically | Most states require notification; requirements vary significantly |
| HIPAA (US) | Protected health information | 60 days to individuals | HHS notification for breaches affecting 500+ |
| PCI DSS | Payment card data | Within 24 hours | Notify card brands and acquiring banks |
| SEC (US) | Material cybersecurity incidents | 4 business days (8-K filing) | Public company disclosure requirements |

Notification complexity:

Supply chain incidents complicate notification in several ways:

  • Scope uncertainty: You may not immediately know what data was accessed or exfiltrated. Notification timelines may begin when you know a breach occurred, not when you complete investigation.

  • Multi-jurisdictional exposure: Customer data from multiple jurisdictions means multiple notification requirements. An organization with EU, California, and New York customers faces GDPR, CCPA, and NY SHIELD Act obligations simultaneously.

  • Downstream notification: If you are a service provider whose compromise affected your customers' data, both you and your customers may have notification obligations.

  • Content requirements: Different laws require different notification content. Prepare templates that can be adapted to various requirements.

Work with legal counsel to determine applicable notification requirements early in the incident. Notification decisions should not wait until investigation is complete if regulatory timelines require earlier action.

Legal Counsel Engagement

Legal counsel should be engaged from the earliest stages of significant incidents. Their involvement protects the organization and shapes response decisions.

Legal counsel engagement timing:

  • Immediately: Potential data breach, regulatory implications, or significant financial exposure
  • Within hours: Any incident requiring external notification or involving customer data
  • Within days: Incidents with potential contractual implications or vendor liability questions

Benefits of early legal engagement:

  • Privilege protection: Communications with counsel regarding legal advice may be protected by attorney-client privilege. Having counsel direct certain investigation activities can extend privilege to those activities under the work product doctrine.

  • Notification guidance: Counsel can assess notification obligations and help prepare compliant notifications.

  • Communication review: Legal review of external communications helps avoid statements that could increase liability.

  • Regulatory coordination: Counsel can manage communications with regulators, ensuring appropriate disclosure without unnecessary exposure.

  • Contract review: Counsel can assess contractual obligations to customers, vendors, and partners affected by the incident.

Coordination practices:

  • Include legal representative in incident response calls
  • Route external communications through legal review
  • Document legal decisions and their rationale
  • Maintain separate privileged communication channels where appropriate

Law Enforcement Coordination

Some supply chain incidents warrant law enforcement involvement. Criminal attacks—particularly those involving nation-state actors, organized crime, or significant financial theft—may benefit from law enforcement resources and may support eventual prosecution.

Criminal referral considerations:

  • FBI Cyber Division: Handles computer intrusion cases, particularly those involving foreign actors or critical infrastructure
  • Secret Service: Handles cases involving financial crimes and payment systems
  • IC3 (Internet Crime Complaint Center): Accepts reports and refers to appropriate agencies
  • CISA: Coordinates response for critical infrastructure and can facilitate law enforcement engagement

Coordination trade-offs:

| Benefit | Challenge |
|---|---|
| Access to threat intelligence | Investigation may take precedence over remediation |
| Potential for asset recovery | Evidence may be held for prosecution |
| Deterrence through prosecution | Public disclosure may result from criminal proceedings |
| Resource augmentation | Loss of control over timeline and messaging |

Organizations should have policies defining when to involve law enforcement and who makes that decision. Legal counsel should guide this process.

Liability Documentation

Thorough documentation during incident response supports defense against future liability claims and demonstrates reasonable response.

Liability documentation practices:

  • Decision rationale: Document why key decisions were made with the information available at the time. Hindsight will judge decisions harshly; contemporaneous documentation shows reasonable judgment.

  • Response timeline: Detailed timelines demonstrate prompt response, relevant to both regulatory enforcement and civil litigation.

  • Standard of care: Document how response followed industry standards, established playbooks, and security frameworks. Deviation from standards should be explained.

  • Third-party actions: Document vendor notifications, their responses, and any failures that contributed to or extended the incident.

  • Mitigation efforts: Document steps taken to reduce harm, notify affected parties, and prevent recurrence.

```markdown
# Decision Log Entry Template
**Date/Time**: 2025-01-15 16:30 UTC
**Decision**: Rotate all production database credentials immediately
**Participants**: [Names/Roles]
**Information Available**: Compromised package had access to DB connection strings; no evidence of exfiltration yet
**Alternatives Considered**: (1) Wait for exfiltration confirmation, (2) Rotate only highest-privilege credentials
**Rationale**: Potential impact of credential misuse exceeds cost of rotation; waiting increases window of exposure
**Outcome**: Credentials rotated by 18:45 UTC; 15-minute service degradation
```

Cyber Insurance Claims

Many organizations carry cyber insurance that covers incident response costs, business interruption, and liability. Proper documentation and coordination with insurers protect coverage.

Cyber insurance claim process:

  1. Notify insurer promptly: Most policies require notification within specific timeframes—often 24-72 hours of discovering an incident. Late notification can jeopardize coverage.

  2. Use approved vendors: Many policies require using insurer-approved forensic firms, breach counsel, and notification services. Using non-approved vendors may result in unreimbursed costs.

  3. Document costs: Track all incident-related expenses with sufficient detail for reimbursement:

     • Forensic investigation fees
     • Legal counsel fees
     • Notification costs (mailing, call centers)
     • Credit monitoring services
     • Public relations support
     • Business interruption losses

  4. Coordinate communications: Insurers may want to review external communications, particularly those admitting fault or making commitments.

  5. Preserve subrogation rights: If third-party failures contributed to the incident, insurers may pursue recovery through subrogation (the insurer's right to pursue third parties responsible for the loss). Documentation of vendor failures supports these claims.

Coverage considerations for supply chain incidents:

  • Review policy language regarding third-party software and supply chain attacks
  • Understand coverage limits and sublimits for different cost categories
  • Clarify whether coverage extends to incidents originating in vendor systems
  • Document how the incident qualifies under policy definitions

Recommendations

We recommend the following legal coordination practices:

  1. Engage counsel early: Include legal in incident response from the start of significant incidents. The cost of early engagement is far less than the cost of legal missteps.

  2. Establish relationships beforehand: Identify breach counsel and develop relationships before incidents occur. Incident response is not the time to evaluate law firms.

  3. Know your notification obligations: Map applicable notification requirements for your data types and customer jurisdictions before incidents occur.

  4. Preserve evidence deliberately: Implement litigation hold procedures and train responders on evidence preservation requirements.

  5. Document thoroughly: Maintain detailed records of decisions, rationale, and response actions throughout the incident.

  6. Coordinate with insurers: Notify cyber insurers promptly and follow policy requirements for approved vendors and documentation.

  7. Prepare templates: Develop notification templates, legal hold notices, and documentation formats before you need them.

Legal considerations should not paralyze incident response, but they must inform it. Organizations that integrate legal and technical response—through preparation, early engagement, and ongoing coordination—navigate incidents more successfully than those that treat legal as a separate, subsequent concern.