Caute_cautim
Community Champion

Can I still use an encrypted messaging app to communicate during a breach?

Hi All

A great piece of advice:

Last week the SEC announced $289 million in penalties against 11 firms for using “off-channel” messaging platforms on their personal devices (e.g., iMessage, WhatsApp, and Signal) to communicate about work matters. See https://lnkd.in/ekbKXaGj. As a result, a number of clients have asked whether they should still be using encrypted messaging apps to communicate during a breach. Here's what you need to know:

1. GO OFF-CHANNEL: If you have a breach, ransomware attack, or other security incident, you should still consider using an "off-channel" method of communicating (e.g., phone, FaceTime, encrypted messaging apps, etc.) until you have confirmed that the attackers are no longer in the company's systems or otherwise monitoring communications. If ransomware actors can read corporate emails and learn how much you are willing to pay or how an attack is impacting the company, for example, it may interfere with your ability to negotiate.

2. DOCUMENT: Consider documenting the practice of using "off channel" communications during incidents in your incident response plan and testing the use of such communications at least annually through tabletop exercises. Documenting and testing this practice will increase the likelihood that everyone remembers to communicate properly during a breach and will help show that the use of such "off channel" communications was in good faith, and was not an effort to evade reporting requirements.

3. PRESERVE: While the SEC's recent enforcement actions are specifically about "broker dealers," there may still be risks to not preserving these "off channel" communications. A plaintiff or regulator may argue that when a significant incident occurs, litigation is reasonably likely to follow. Indeed, if the company claims its communications with outside counsel are protected by attorney "work product protection," it will likely assert that these communications were made "in anticipation of litigation," thus making it hard for the same company to argue that litigation was unforeseeable.

As a result, whether it is a legal requirement or not, consider ensuring that "off channel" communication apps (e.g., encrypted messaging apps) have been configured to preserve all communications and that the users of these apps have consented in advance (in writing) for the company to collect these communications following an incident.

4. PICK UP THE PHONE: To be clear, there is also some risk in preserving these communications. Emails and texts tend to lack the context and nuance of in-person communications. For example, panic or attempts to lighten a stressful situation through humor or sarcasm may not read well after the fact. Initial thoughts and fears often turn out to be wrong. As a result, it is these rapid-fire emails and texts that often cause a company problems. Thus, when feasible, consider communicating the old-fashioned way: in person, over the phone, or through video.

Source: Brian Levine

EY Cybersecurity & Data Privacy Leader • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator

Regards

Caute_Cautim
0 Replies