Stephen Reynolds, a partner at the law firm of McDermott, Will, and Emery, joins the Nexus Podcast to discuss some of the concerns and questions CISOs and other security executives may have about their personal liability and exposure during breach investigations. The short of it: Don’t panic, but don’t be unprepared either. In this case, preparation equates to having personal legal counsel available, and document everything during an incident.
Reynolds and Eli Lilly associate VP and assistant general counsel Nick Merker presented on this topic at Black Hat under the context of the case and conviction of former Uber CISO Joe Sullivan. Sullivan was convicted of obstruction of justice and misprision of a felony for his role in covering up a breach at Uber. 
Reynolds cautions that CISOs always remember that corporate counsel represent the company, and any attorney-client privilege is to the company and not the individual. He also reminds leaders to document the facts and information available at the time key decisions were made during an incident.