For many, responding to an incident feels chaotic — questions swirling, uncertainties piling up, and no clear direction. Even when prepared with a well-rehearsed incident response plan, a data security incident places a company’s response team in a precarious situation of juggling numerous variables at once. In the chaos of determining whether a breach has occurred, companies may forget to think through the most important issues. For example, restoring network access and network security is typically the response team’s primary objective, while legal obligations and strategies are often forgotten. Though business continuity is a crucial step in the process, failure to prioritize the following critical aspects in responding to a breach could have consequences later.
1. Don’t get lost, preserve the breadcrumb
When responding to a cyberattack, there may be pressure to retain business continuity by immediately restoring information system integrity and availability. For example, the business may decide to wipe or erase data on existing computers, systems, and servers and rebuild them from the ground up. As part of any preservation strategy, companies should image all devices that may have been affected by the attack. This includes affected laptops and desktop computers, which are often overlooked during this process. Failure to preserve these breadcrumbs often leaves large gaps in the investigation.
Though incident response teams may be focused on restoring systems and resources, they must also recognize that cyber incidents often lead to government investigations and consumer litigation. The evidence gathered during the breach response will help counsel and cyber experts to determine what data was compromised. If the data is properly preserved, counsel can more accurately determine what data was accessed or stolen, and whether any personal information was compromised. Without this critical evidence, uncertainty may remain, forcing a business to rely on assumptions in making decisions about the existence and scope of a breach.
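Imaging affected devices is only useful later if the images can be shown to be unchanged. The following is an added example, not from this article: a Python chain-of-custody manifest that records a SHA-256 hash, size, collector and source host for each preserved artifact and later flags anything modified, missing or unlisted. The artifact names, collector and log line are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for a disk image and an exported log; real ones are read from disk.
SAMPLE_ARTIFACTS = {
    "laptop-01.dd": b"\x00" * 512 + b"CONSTRUCTED-IMAGE-LAPTOP-01",
    "fileserver-auth.log": b"2024-01-01T00:00:01Z sshd: Accepted password for backup from 10.0.0.7\n",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the tamper-evident fingerprint of each artifact."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collector: str, source_host: str) -> dict:
    """Record who collected what, from where, when, and each item's hash and size."""
    return {
        "collected_by": collector,
        "source_host": source_host,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in artifacts.items()
        },
    }


def verify_manifest(manifest: dict, artifacts: dict) -> dict:
    """Per-item status against the manifest: 'ok', 'modified', 'missing' or 'unlisted'."""
    status = {}
    for name, rec in manifest["items"].items():
        if name not in artifacts:
            status[name] = "missing"
        elif sha256_hex(artifacts[name]) != rec["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in artifacts:
        if name not in manifest["items"]:
            status[name] = "unlisted"  # something was added to the evidence set after collection
    return status


def all_intact(status: dict) -> bool:
    """True only when every listed artifact is present and unchanged."""
    return all(s == "ok" for s in status.values())


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, "j.doe (IR team)", "laptop-01")
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest, SAMPLE_ARTIFACTS))
```

Store the manifest separately from the images (and hand a copy to counsel) so that a later challenge to the evidence can be answered by re-running the verification.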
2. Phone a friend (aka trusted legal advisors)
The existence of these issues should make clear the importance of including outside counsel in all serious, or potentially serious, incident responses. Counsel will help ensure evidence of the data breach is preserved, as well as determine the company’s notification requirements without interrupting the forensics or recovery team’s efforts to re-establish business operations. Critically, outside counsel can help a company prepare for impending litigation or regulatory inquiries under attorney-client privilege, substantially increasing the confidentiality of the company’s response and mitigation efforts following the breach. Moreover, counsel will assist incident response teams in determining a proper course of action that aligns with applicable state and federal legal requirements, such as a company’s remediation decisions post-breach. Indeed, companies often fail to take initial intrusions seriously because they believe the issue is contained, when in fact the attacker is merely waiting to continue the malicious activity after the logs showing the intrusion have been automatically deleted. Because breach response counsel is well-versed in this area of law, counsel can provide advice on potential blind spots to investigate, leading to a more complete response that mitigates unforeseen risks.
3. Notify your insurance carrier
Any company in any industry can experience a data breach, particularly those handling sensitive personal information or large volumes of it. Notification to affected individuals alone, as discussed further below, routinely costs millions of dollars if the breach is large enough. Legal fees, engaging forensics experts to investigate, potential government enforcement actions, and consumer class actions can cost even more.
Whether or not your company has cyber-specific insurance, it should immediately put its insurance provider(s) on notice upon experiencing a data breach. There’s always a possibility that your company’s insurance policies may cover some of the costs of your breach response. Moreover, if a company fails to notify its insurance carriers in a timely manner, those carriers may deny coverage outright. In addition, the insurance policy may require the company to use specific firms and forensics teams that are on a pre-approved list. The insurance company may also require detailed billing practices that should be considered before an incident response investigation begins.
4. Determine your legal requirements
Each state places unique data breach notification obligations on companies to notify all affected state residents of the data breach. It’s not uncommon for larger companies to notify residents in all 50 states and the several territories. Beyond standard state data breach notification statutes, the company may be subject to other regulatory frameworks. If the company is publicly traded, then the company must consider SEC rules. If the company maintains protected health information, then HIPAA’s notification requirements would apply and a likely investigation from the Department of Health and Human Services could follow. Among other agencies, state departments of insurance may require notice, as well as certain licensing agencies like the New York Department of Financial Services. Additionally, companies will likely receive inquiries and demands from their partners, investors, and key personnel, among other third parties to whom the company has a contractual obligation. Thus, counsel must be prepared to fully understand all aspects of the client’s business to ensure all notification requirements are met, which generally follow a 30-to-60-day timeline after a company discovers the data breach.
5. Contact law enforcement
Companies often struggle to decide whether to engage law enforcement following a cyber incident. Though these decisions are not easy, working with law enforcement can allow a company some extra time to notify consumers and regulators, as well as show that it is concerned about its customers and all affected individuals. Often, insurance policies require the company to notify law enforcement of the incident. We encourage companies to periodically review their policies and coordinate with their counsel to ensure proper compliance with those policies. Regardless, law enforcement — especially the Federal Bureau of Investigation — may have access to additional technical and legal resources that could be valuable. This could include advice, technical knowledge, and assistance in working with third parties. Importantly, law enforcement may have investigations ongoing against your attackers and may be able to use the knowledge you gain from the attack to pursue legal action against the criminals.