Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down. Unfortunately, these days this happens all the time. Below are the top ten things to do after enjoying that deep breath.
1. Consult Your Incident Response Plan
Hopefully you have an incident response plan and team already in place. Hopefully, you’ve even done some run-throughs or rehearsals in the past and already know the players. If you do have an Incident Response Plan -- follow it. Failing to follow your own plan may give rise to claims of gross negligence or recklessness. Hopefully, when you formulated your Incident Response Plan, you made sure it was one you could adhere to and live with.
If you or your clients do not have an Incident Response Plan, this is something you should definitely put in place. Not only is it extremely useful, but it is the first thing that regulatory authorities and plaintiffs’ lawyers will ask for. The lack of one will undoubtedly be used by adverse parties (and the courts) to assess liability. Every company should at least have some sort of response plan in place.
But if you don’t, there’s not much to be done about it once the breach occurs -- except to create one on the fly.
2. Preserve the Attorney-Client Privilege
So the next thing to think about is preserving the attorney-client privilege and work product doctrine with regard to documents and communications pertaining to the cause, and remediation, of the breach. You should definitely make sure that in-house counsel and external counsel are involved in all communications relating to the breach, as you are certainly in “anticipation of litigation” mode.
Ideally, external counsel should be in charge, working hand in hand with in-house counsel and the technical people discussed next. The external counsel should be involved in the selection and retention of these experts, and perhaps be the procuring party, to give your company the best option to preserve privilege. This is particularly the case if in-house counsel is located outside the United States, in a country where the attorney-client privilege may not apply to in-house counsel.
Of course, you should make sure that privileged communications bear the “privileged and confidential” header or footer placed prominently thereon, and take all precautions to preserve privilege while you are learning and assessing how the data breach occurred and what should be done about it.
3. Use Alternative Modes of Communication
As your company’s system has been compromised, and you may not know the full extent, you should seriously consider refraining from using your company’s email system, which may be compromised as well. Meetings, phone calls or texts are preferable. You may even consider resorting to that old stand-by, inter-office mail, as opposed to emails. You should also refrain from other methods of communication using your company’s systems, such as Skype or other live-chat mechanisms, at least until you can be confident that the system is once again secure.
4. Retain a Forensic Consultant
Next, you should make sure you have qualified IT personnel and a forensic consultant investigating the breach. Hopefully, you or your counsel already have one on retainer, or at least on speed-dial, as part of your Incident Response Plan. But if not, you need to act, or have your counsel act, fast. You need your forensic consultant to quickly figure out what type of information has been exposed, the cause of the breach, the date of the breach, the duration of the breach, how to cut off the threat, and how to stop the flow of information from spreading.
5. Document Preservation
You also need to be extremely focused on document preservation, to avoid spoliation claims and also to preserve evidence for your defense. Documents to be preserved include all system log files, including the firewall, VPN, mail, network, client, web, server and intrusion systems logs. These are key. Proving the methods used to enter your company’s system may be integral to your defense. If you can prove that your company took reasonable precautions, using up-to-date technology, but you are nevertheless a victim of a state-sponsored hacker or sophisticated criminal organization you will have a much stronger defense. For example, your contracts with business partners may have force majeure clauses providing that your company is not liable for “malicious acts of third parties” or “acts of terrorism.” Thus, it is extremely important to preserve the evidence demonstrating the breach has the earmarks of a terrorist act.
It is vital that you balance three sometimes competing workstreams at the same time:
- investigating and stopping the threat;
- while preserving attorney-client privilege; and
- preserving evidence.
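The log-preservation step above, as an added example that is not part of the original article: a Python script that copies log files into an evidence directory while keeping their original modification times, records a SHA-256 hash of every copy in a manifest, and later re-checks the copies against that manifest so that any alteration after collection can be shown. The file names and log contents are constructed for the demonstration, and the directory layout is an assumption.

```python
"""Added example (not part of the original article): preserving log files as
evidence with a hash manifest so that their integrity can be demonstrated later.
File names, paths and log contents below are constructed for the demonstration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed samples standing in for the log categories the article lists
# (firewall, VPN, web); real collections would cover all of them.
SAMPLE_LOGS = {
    "firewall.log": "2024-01-05T02:13:07Z DENY src=198.51.100.7 dst=10.0.0.5 dport=445\n",
    "vpn.log": "2024-01-05T02:15:44Z LOGIN user=jdoe src=198.51.100.7 result=success\n",
    "web.log": '198.51.100.7 - - [05/Jan/2024:02:16:10 +0000] "GET /admin HTTP/1.1" 200 512\n',
}


def sha256_file(path: str, chunk_size: int = 65536) -> str:
    """Stream-hash a file so that large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_logs(source_dir: str, evidence_dir: str) -> dict:
    """Copy every file under source_dir into evidence_dir, keeping the original
    modification times (shutil.copy2), verify each copy against its source, and
    write a MANIFEST.json of hashes plus collection metadata. Returns the manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 preserves mtime, which matters for timelines
            src_hash = sha256_file(src)
            dst_hash = sha256_file(dst)
            if src_hash != dst_hash:
                raise RuntimeError(f"copy of {rel} does not match its source")
            entries.append({
                "path": rel,
                "sha256": dst_hash,
                "size": os.path.getsize(dst),
                "source_mtime": os.path.getmtime(src),
            })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source_dir": os.path.abspath(source_dir),
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "MANIFEST.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_evidence(evidence_dir: str) -> list:
    """Re-hash the preserved copies against the manifest. Returns the relative
    paths whose contents no longer match (an empty list means all are intact)."""
    with open(os.path.join(evidence_dir, "MANIFEST.json")) as fh:
        manifest = json.load(fh)
    tampered = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            tampered.append(entry["path"])
    return tampered


def demo() -> tuple:
    """Write the constructed logs to a temp directory, preserve them, then show
    that verification catches a later change to one preserved copy."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "var_log")
    evidence = os.path.join(work, "evidence")
    os.makedirs(source)
    for name, content in SAMPLE_LOGS.items():
        with open(os.path.join(source, name), "w") as fh:
            fh.write(content)
    manifest = preserve_logs(source, evidence)
    intact = verify_evidence(evidence)          # expected: []
    with open(os.path.join(evidence, "vpn.log"), "a") as fh:
        fh.write("line added after collection\n")
    after_change = verify_evidence(evidence)    # expected: ["vpn.log"]
    shutil.rmtree(work)
    return len(manifest["files"]), intact, after_change


if __name__ == "__main__":
    print(demo())
```

The manifest, together with a record of who ran the collection and when, is what lets the forensic consultant later show that the logs produced in litigation are the same ones collected at the time of the breach; keeping the evidence copies on write-once or otherwise access-restricted storage is the natural complement to this.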
6. Consider Telling Law Enforcement
You also must consider notifying law enforcement. In many states, this is required. It may also help you obtain leniency in any investigation. Law enforcement may also be of assistance in resolving and remediating the problem, as they may have seen the same type of breach before. However, keep in mind that law enforcement will sometimes be more focused on catching the perpetrator than on helping your company. Law enforcement involvement may also cause distractions, such as by sending information requests while holding back evidence. If the breach is contained and you can quickly get it under control, and third parties’ personal identifying information is unaffected, you may not need to alert law enforcement. All of these factors should be considered. You should also be cognizant of the type of law enforcement that is involved. Civil regulators may be much more focused on your company as a target rather than viewing your company as a victim.
7. Address Notice Requirements
Once you get a handle on what type of information has been exposed, and the locations of the individuals or businesses whose information has been exposed, you may begin addressing notice requirements. Nearly every state has a notification requirement, and there are several federal notification requirements as well.
You need to determine whether unencrypted personally identifying information has been exposed, such as a customer’s or employee’s name and social security number, driver’s license number, credit card number, or bank account number with password. Sometimes this type of information is stored separately from a company’s main systems, so it is possible that a data breach can occur that does not expose personal identifying information. More than likely, however, notification will be required, and the requirements differ from state to state.
In an ideal world, you will already have draft notifications written for the relevant jurisdictions. Otherwise, you have some serious work to do. The good news is that there are many vendors that specialize in drafting and sending out the notifications, so if you don’t already have one lined up, you might want to consider enlisting one. Of course, this should be covered in your Incident Response Plan.
Before you send out notifications, you should consult with any involved law enforcement, as they may want to keep as much information confidential as possible to attempt to catch the perpetrator. In many states, a law enforcement request to refrain from sending notifications constitutes a defense to claims of unreasonably late notifications. Also note that many state statutes require notification of credit reporting agencies as well.
8. Press Releases/Communications
Regardless of the required notifications, word of data breaches gets around quickly, and soon your customers and business partners may get wind of it. Assuming law enforcement has no objection, you need to consider a press release or an email to customers or business partners.
Any such communication should describe what occurred accurately yet in as non-inflammatory a manner as possible. Obviously, you do not want to provide plaintiffs’ lawyers with “Exhibit A” in a litigation.
You should describe what occurred, what information may have been exposed, and how you are remediating the situation, and emphasize that you are focused on doing so. You should also consider setting up a hotline or email address for those with questions. Also, you might want to consider getting ahead of the curve by offering credit monitoring, identity theft insurance, or identity theft help, or even setting up a claims process for compensation, right away, to keep the customers or business partners on your side.
However, often at the time of any such communication, you may not know the full extent of the facts, so you should be careful to state that you are still investigating. Once more facts are known, you may have to update the communication so it does not become false, misleading, or incomplete.
9. Check Your Insurance Coverage
Hopefully you already have cyber insurance lined up, because if you do not, it will obviously be quite hard to come by at this point. Insurance companies do not like to insure burning buildings. If you are fortunate enough to have cyber insurance, you need to look into your coverage and advise your insurance company immediately. Your insurer may have requirements regarding which attorneys and/or forensic consultants you may retain and still obtain reimbursement for, so you should confer with your insurance company as soon as possible upon learning of the breach. Also, consider the types of insurance you may have. Are you insured against claims asserted by credit card companies? Against extortion, as hackers sometimes demand payments for the return of your information? Are you insured for losses due to business interruption? All of this may affect your go-forward strategies.
10. Third-Party Liability and Litigation
Next, you may want to consider whether any third party, such as an outside vendor, may be liable either for allowing the breach to occur or for failing to detect the breach earlier, thereby increasing the damages.
At the same time, you should be gearing up to respond to information requests and the variety of lawsuits that will surely be filed. You should think about having several legal teams working in tandem; one investigating the cause of the breach and the remediation, another preparing for the wave of information requests the company will surely get from law enforcement and civil regulators, who will be seeking responses on an expedited basis; one responding to the inevitable lawsuits; and one pursuing action against potential third parties who allowed the breach to occur or did not detect it sooner.
While obviously the more you have prepared for the data breach the better, you will, in all likelihood, get through the breach and move on. Remember that. Stay calm and focused as you work through these 10 steps.