It is not a question of whether your company will experience a cyberattack; rather it is a question of when and how effectively your company responds. IT professionals at large companies consistently predict that their own organizations will be breached in the future. Yet, surprisingly, some companies do not have a comprehensive plan to protect their data and respond to cyberattacks. For those that do, their plan is likely focused largely on IT considerations. But the modern reality is that cybersecurity incidents pose operational, legal, and reputational risks that far exceed the IT-related considerations that used to rule the day.
Cyberattacks increasingly focus on targeting commercially valuable intellectual property, which could later be sold to, or exploited by, a competitor. Even where a company’s own trade secrets are not compromised, such breaches often target customer information — such as credit card information or social security numbers — leading to a loss of consumer confidence in the company and significant operational disruption. And the inevitable flow of consumer and shareholder lawsuits in the wake of cyberattacks further exacerbates those costs and disruption.
Additionally, in the past, the public might never have learned of the breach of a company’s computer systems. Now, however, an increasing number of laws and regulations require that data breaches be reported to regulators, investors, or consumers. For example:
- The SEC has indicated that data breaches might be material events for public companies, thereby requiring appropriate reporting to the securities markets (including material details regarding the breach);1
- Companies holding U.S. government contracts (and their subcontractors) face a patchwork of mandatory reporting requirements, with the DOD and HUD requiring mandatory disclosures, while other agencies continue to review their reporting requirements;2
- HHS rules require the disclosure of breaches involving health information by HIPAA covered entities;3
- The FTC Health Breach Notification Rule requires disclosing breaches involving health records by other entities not covered by HIPAA;4 and
- 47 states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have laws requiring notification of breaches involving personally identifying information.
Depending on the circumstances, a company’s failure to fulfill its reporting obligations, even if inadvertent, could expose the company to significant fines, penalties, and related civil litigations.
Given these significant risks and the potential associated consequences, sophisticated companies have come to correctly view cybersecurity breaches as operational risks like any other that the directors and officers of a company must appropriately understand, plan for, and manage. While a company’s actual response to a breach will be determined by a number of factors, including the circumstances of the breach and the criticality of the systems affected, there are a number of common mistakes made by companies when responding to cyberattacks that should be considered during planning for, or an actual response to, a cybersecurity breach.
Common Mistakes When Planning for or Responding to Cyber-Breaches
1. Viewing cybersecurity incidents as solely IT issues
Not all cybersecurity incidents are of the same severity and not all cybersecurity incidents carry the same risks to the company. But whether a cybersecurity incident has already occurred or a company is merely planning for such an occurrence, it is important that all stakeholders in such a response — including the company’s directors/officers, and its legal counsel — recognize that responding to a cybersecurity incident is not something that the company’s IT personnel could, or should, be doing alone. Responding to a cybersecurity incident is a multidisciplinary effort that requires technical, operational, and legal skills.
Whenever company or customer data has been potentially compromised, a response should begin with a risk assessment to determine the potential technical, operational, and legal ramifications of the incident. As the operational or legal significance of the incident increases, so should the involvement of senior management. Additionally, for significant incidents, a member of senior management with sufficient authority within the company to get the necessary tasks accomplished should be appointed to quarterback the company’s response.
2. Failing to include knowledgeable legal counsel in the cyber incident response team
Cybersecurity incidents are increasingly accompanied by legal implications for the victim, so it has become a best practice to include experienced legal counsel as part of both the planning and response efforts.5 Often, the company will have legal or regulatory obligations to report breaches in several states (or countries), which might require reports under different circumstances and specify different methods of reporting, deadlines, and required content. During the planning stage, knowledgeable counsel can help the company categorize the types of risks and regulatory regimes the company faces and tailor its response plans accordingly. During a response to a known or suspected cybersecurity incident, counsel can likewise help the company determine its reporting obligations, weigh the potential benefits and costs of self-reporting the incident to law enforcement early, and understand what it can expect when making a report to law enforcement.
Additionally, knowledgeable counsel involved at an early stage can help the company understand the types of legal implications that the company may face and develop strategies to best manage those risks. In addition to governmental investigations, data breaches are now commonly followed by civil litigation, whether from consumer protection agencies, customers whose information was compromised, or shareholders. At least in the United States, the early involvement of legal counsel during the response effort may permit the most sensitive portions of the response to be protected by the attorney-client privilege or the attorney work product doctrine. Without such early inclusion of legal counsel, tasks that would otherwise have been performed at the direction of, or in concert with, legal counsel might not be protected.
3. Not having pre-identified an outside data forensics team to be utilized for significant cyber incidents
One of the most commonly encountered technical failures in cybersecurity planning is the underestimation by IT staff of the technical skills and resources required to respond to cybersecurity incidents, and thus the failure to pre-identify which vendor the company will rely on when serious incidents occur. While corporate IT departments are increasingly savvy regarding cybersecurity issues, even the savviest of IT departments will require the use of an outside computer forensics vendor to appropriately respond to serious cyberattacks. Not only are the skills necessary to respond to such incidents far more specialized than what is typically available in-house, but specialized equipment and tools are often required. Moreover, for obvious strategic reasons the company would likely not want an internal IT person to be called to testify during subsequent litigation.
At the same time, not all forensics vendors share the same experience, reputation, or capabilities. Nor are all such vendors equipped to handle every type of computer system or device that the company might be using. As such, it is far more efficient to identify in advance which data forensics team has the necessary expertise and tools to determine the size and scope of a breach of the company’s systems and to respond accordingly.
4. Taking affected systems offline before forensic images are preserved
There are many competing considerations after a cybersecurity incident occurs and, without adequate pre-planning, it is likely that critical evidence of the incident will be irretrievably lost. Operationally, the company and its executives would likely want systems and data restored as quickly as possible so the company can resume its business. Similarly, most IT staff would initially focus on removing intruders from the company’s network and on restoring affected systems to their pre-breach state. But both management’s desire and IT’s focus would overlook the need to preserve evidence of the breach by preserving forensic and legally defensible images of the affected systems and devices.
Without such forensic images, it is unlikely that the company could truly assess the method of attack, which might allow the company to stop similar attacks in the future. Additionally, the company might not be able to fully assess the scope of the breach, which can prevent the company from fulfilling its legal obligations to disclose the attack (or which can require the company to disclose the attack more broadly than necessary). Evidence necessary to aid a law enforcement investigation might be lost. And, the loss of evidence that might be critical to subsequent consumer or shareholder litigation regarding the breach might prevent the company (or its directors/officers in their fiduciary capacities) from defending the preventative actions taken and the company’s response.
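As an added illustration of what makes a preserved image defensible later (example code, not from the original article), the following Python records a SHA-256 digest and chain-of-custody details for an image at acquisition time and re-verifies the image afterwards; the file names, system identifier and collector name are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Added example, not from the article: hash + manifest make an image verifiable later.

def sha256_file(path, chunk_size=1 << 20):
    """Hash a (possibly very large) image file in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_acquisition(image_path, manifest_path, system_id, collector):
    """Write a chain-of-custody entry: which system, who imaged it, when, and the hash."""
    entry = {
        "system_id": system_id,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry

def verify_image(image_path, manifest_path):
    """Recompute the digest and compare it to the recorded one; True if unchanged."""
    with open(manifest_path) as f:
        entry = json.load(f)
    return sha256_file(image_path) == entry["sha256"]

def demo():
    """Constructed sample: image a fake disk, verify it, then detect a later change."""
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "srv-web-01.dd")          # constructed names
        manifest = os.path.join(work, "srv-web-01.manifest.json")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample sector data" + b"\xff" * 4096)
        record_acquisition(image, manifest, "srv-web-01", "IR analyst (constructed)")
        intact = verify_image(image, manifest)
        with open(image, "r+b") as f:     # simulate modification after acquisition
            f.seek(4096)
            f.write(b"X")
        return intact, verify_image(image, manifest)
```

In practice the manifest is stored separately from the image (and ideally signed or written to a write-once location) so that a later alteration of either is detectable.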
5. Failing to have a plan for how internal communications regarding incidents will take place
Communicating in the wake of a significant cybersecurity incident can be surprisingly challenging, which many companies fail to appreciate during their response planning. The company’s entire e-mail system might be unavailable. Office telephones, which are increasingly themselves mere internet devices, might not work. Company-controlled cellular telephones might be remotely wiped or locked — in any event, the contacts contained on cellular telephones, which are often synchronized with the company’s e-mail servers, might be missing. And even if these systems appear to be unaffected by a cyberattack, the intruders could be monitoring the company’s response efforts.
To ensure that key stakeholders can communicate and coordinate the company’s response, it is important that a company’s response plan contemplate how its stakeholders will be notified about cybersecurity incidents, and how the response team will communicate regarding its efforts. Alternate communications plans should contemplate the above circumstances and include the information (such as home telephone numbers) that stakeholders might need to reach each other in an emergency.
Planning for, or responding to, a cybersecurity incident is a complex endeavor with multiple competing considerations. As such, outside counsel knowledgeable about cybersecurity issues can be an invaluable addition to such efforts. Determining to whom a company is required to self-report a cyber breach, and within which period such reports are required, can be a daunting task. And reporting cyber incidents to federal or state authorities often results in collateral consequences to the reporting companies that must be effectively managed, such as investigations of the company itself. While legal counsel, like a corporate IT department, might not themselves be able to prevent a cybersecurity breach, counsel can nevertheless be an invaluable part of cybersecurity planning and responses.