Association of Corporate Counsel publishes tips for in-house lawyers following massive IT outage

The outage disrupted operations in airlines, banking, emergency services, and media companies
After an update from a cybersecurity firm caused widespread outages for millions of Microsoft Windows-powered devices worldwide, the Association of Corporate Counsel (ACC) has published a fact sheet and tips for in-house lawyers in cases of massive IT outages.

The outage disrupted operations in various sectors, including airlines, banking, emergency services, and media companies. The ACC highlighted the critical role of in-house legal teams in preparing for and responding to such incidents.

The affected machines experience crashes and become stuck in a reboot loop, rendering them inoperable. While a manual workaround exists, it requires a device-by-device rollout, which can take hours or even days for large companies to implement. In response to such incidents, in-house legal teams should focus on several key areas to ensure business continuity and mitigate risks, according to the ACC.

Business continuity plans are essential. In-house legal teams must ensure their companies have comprehensive plans that map out mission-critical systems and vendors. These plans should include detailed contingency strategies in case of service interruptions or degradation from these vendors. Understanding which systems and services are crucial for operations and having alternative solutions ready are key steps in maintaining operational resilience.

The ACC further emphasized that communication with vendors is vital. When a service interruption or degradation occurs, it is crucial to seek information directly from the vendor. This is especially important in the initial hours after an IT outage, as bad actors may exploit the situation with fake "fixes" designed to infiltrate critical systems. Accurate information from the vendor helps prevent further damage and ensures appropriate steps are taken.

Service level agreements (SLAs) should be a focal point when negotiating contracts with technology vendors. SLAs should clearly define the scope of services, incident reporting processes, target resolution times, and remedies for failure to meet resolution targets. In the event of an incident, reviewing the contract and holding the vendor accountable to the agreed SLA is essential for maintaining service standards.

The ACC noted that if a service interruption from a vendor affects the company's ability to serve its customers, it is important to quickly determine whether a workaround is possible or if the service will continue in a degraded state. If service suspension is necessary, promptly defining and implementing a communication plan to inform customers of the situation and expected resolution time is critical for maintaining customer trust.

Monitoring for cyber incidents or data breaches on the vendor's side is another crucial responsibility. In-house legal teams should inquire about potential breaches and take proactive steps to secure data, especially if the vendor can access the company's systems or data. This can prevent further complications and protect the company's information.

Lastly, the ACC pointed out that in-house legal teams should consider the implications for the company's insurance policies when a mission-critical system is down or when a cyber incident occurs. Notifying insurance carriers promptly can help manage potential claims and maintain coverage.