Skip to main content

Top Eight Things to Remember During a Cybersecurity Crisis

July 1, 2022

On Friday, June 17, 2022, the Center for American and International Law’s 57th Academy of American and International Law welcomed attorney Shawn Tuma; Mark Michels, Santa Clara University School of Law; and Micah Skidmore, Haynes and Boone; to lead a cyber breach crisis workshop. Jessica Lee and Haley Stevers, 2022 Summer Associates at Spencer Fane, were also present to help facilitate the event.

Each year, the Academy gathers lawyers from more than twenty countries to study United States law and various international business transactions issues such as international arbitration and litigation, intellectual property, cybersecurity, human rights and business, and negotiations. Since 1964, the Academy has gathered over 3,300 lawyers from 121 countries to learn from some of the greatest teachers and practitioners of international law in the United States.

In the workshop, each participant was assigned a corporate leadership role and asked to spot the issues throughout various stages of a cybersecurity crisis.

Below are the top eight takeaways from the workshop:

  1. Nobody thinks that this is going to happen to them. It is better to prepare for an event that never happens than to be unprepared when an incident occurs. Cyber issues affect everyone.
  2. Prepare your incident response team now. Practice is key. If the chief decision makers have never met before a data breach occurs, the response may not be executed with the highest degree of confidence.
  3. Save money by learning how to “speak” insurance. Understanding the intricacies of insurance can mean money in your pocket in the event of disaster. Learning what the insurance companies require and getting the proper coverage will save both time and money.
  4. Remain calm. Measure your response. Shutting down operations is often drastic and unnecessary. Determine what really happened before making any decisions or talking to third parties. You want to ensure that you are the true source of the data leakage before you respond.
  5. Be careful when using the term “data breach.” “Data breach” has a very significant legal meaning that requires immediate action and implicates various reporting requirements. Consider using the term “incident” or “event” until the breach is confirmed.
  6. Logistics is key. As General Omar Bradley famously said, “Amateurs talk strategy. Professionals study logistics.” Many of the cybersecurity issues that businesses deal with today can be avoided with early planning, and logistics is the most important part of preparation.
  7. Attorney-client privilege does not always apply. Information communicated with outside professionals may fall under attorney-client privilege if they were hired by attorneys as consultants to the case. However, information disclosed to law enforcement or perhaps even an insurance carrier is not likely privileged
  8. Don’t forget to fly the plane. Protecting the company is the top priority for crisis response. If the company goes out of business, then the crisis response was futile.

This blog post was drafted by Jessica Lee and Haley Stevers, 2022 Summer Associates at Spencer Fane. For more information, visit