The legal questions to ask when your systems go dark
At Span Cyber Security Arena, I sat down with Iva Mišković, Partner at the ISO-certified Mišković & Mišković law firm, to discuss the role of legal teams during cyber incidents. She shared why lawyers should assume the worst, coordinate quickly, and ask the right questions to support IT.
Mišković explained that a legal strategy, built on understanding tech workflows, helps lawyers build trust with CISOs and respond to cyber threats.
Every cyber incident should be treated as both technical and legal from the start. What’s the first thing legal teams should do once a breach is suspected?
Unfortunately, there’s no checklist to follow as there are simply too many things that need to happen at the same time. So, I would say:
1. Assume the worst
Legal should assume the worst and lean into their natural legal pessimism. There’s very little time to react, and it’s better to overreact than underreact (or not react at all). The legal context around cyber incidents is broad, but assume the worst-case scenario like a massive data breach. If that turns out to be wrong, even better!
2. Coordinate
Even if your organization has a detailed incident response plan, chances are no one’s ever read it and that there will be people claiming “that’s not my job.” Don’t get caught up in that. Be the one who brings together management, IT, PR, and legal at the same table, and coordinate efforts from the legal perspective.
3. Know where your data is
If that means “my DPO will check the ROPA” – congrats! But if your processes are still a work in progress, you’re likely about to run a rapid, ad hoc data inventory: involving all departments, identifying data types, locations, and access controls. Yes, it will all be happening while systems are down and everyone’s panicking. But hey – serenity now, emotional damage later. You literally went to law school for this.
What are some common mistakes legal teams make in the first 72 hours of a breach?
Definitely legalizing. Everybody will naturally focus on the IT department, but you need the attention of management right away in order to gain autonomy and authority over other departments and to legal-proof their actions. So, instead of citing the law, present them with continuity, liability and reputation risks, preferably backed by potential fines or financial losses.
Also, presenting problems instead of providing structured decision options in terms of what’s urgent and what’s strategic.
Lastly, confusing media coverage with legal notification. Even though you might already be all over the news, the supervisory authority doesn’t count that as a formal notification and that oversight alone can lead to harsher penalties.
Many legal teams lack technical expertise. What’s the best way for them to engage with IT and forensics teams without slowing down the response?
Yeah, we’ve traditionally preferred not to get in the way and to let the IT guys handle it, but I’d say those days are over. Instead of feeling uncomfortable for being the person who knows the least about technology, try feeling empowered as the person who knows the most about legal obligations and lead the process with the bigger picture in mind.
I know from experience that it’s not always easy to speak the same language as the technical team, but you can always ask the right legal questions:
- Is the evidence of the attack documented? (This is a basic requirement, and it’s universally mandatory under the GDPR.)
- Was the data accessed, altered, encrypted, or stolen? (The scope of the breach determines your next steps and potential consequences.)
- Do we have a backup? (Business continuity directly impacts data subjects’ rights.)
- Do we have any measures that could mitigate the consequences of the breach, like encryption at rest or in transit? (If the attackers took the data but can’t read it, the situation is significantly less severe.)
- What are we doing to fix things? (It’s important to know how we’re minimizing the risk to affected individuals; e.g., system isolation, backup restoration, or monitoring the dark web.)
These questions alone will provide you with most of the key information you need from IT in the first 72 hours.
How can CISOs and lawyers build trust and communication before a crisis hits?
We all need to understand that this is a team effort. It has been ever since the GDPR, but after NIS2, there’s no doubt anymore.
I’m aware that I may be over-romanticizing it, because quite often the first time legal meets the CISO in a constructive way is during a crisis.
That’s why management needs to have a clear vision of this much-needed partnership. If for no other reason, then at least driven by the previously outlined trio: continuity, liability, and reputation risks if there’s no early coordination.
Also, consider pursuing security certifications like ISO 27001. That’s a unique process that brings both roles together and in doing so, cyber law becomes an organizational issue, not just “legal stuff.”
What should legal teams start doing today to be more prepared for the next incident?
You, as in-house or external legal support, really have to understand the organization and how its tech workflows actually function. I dream of a world where lawyers finally stop saying “we’ll just do the legal stuff,” because “legal stuff” remains abstract and therefore ineffective if you don’t put it in the context of a particular organization.
Also, let’s stop considering ourselves merely a support function. We have to be part of core decision-making, especially when choosing service providers or implementing digital tools.
Third, processes matter more than perfect documentation. If you’re limited by time or budget, focus on what actually works rather than what’s written down.
Finally, when it comes to training, remember: one size fits none! Instead of repeating the same generic webinar, run a phishing simulation or a real data breach scenario. You can find inspiration in the EDPB Guidelines 01/2021, which include detailed case examples.