Uh oh! Your IT manager tells you, after hours of course, that your systems have been hacked. What now?
Just as someone who is physically injured will need substantial medical attention to recover fully, a good deal of professional assistance will be needed to fully resume operations. But the best medical attention may go for naught if first responders make the injury worse, and the best system restoration efforts are useless if the immediate responses are wrong. If first responders do not stop the bleeding and stabilize broken limbs, the best surgeon or internist may have little to contribute.
While you carry out the steps below, contact your FisherBroyles lead immediately to assist with required notices and to help you avoid prejudicial statements.
An essential step to take before any such situation arises is to compile, and share with the internal team tasked with handling it, a full list of contact information for internal and external contacts, including key vendors and insurance providers. Key internal contacts, apart from IT management, include senior members of the legal, financial, sales and PR groups. The list should also include a schedule of key contracts.
Equally fundamental is to identify and engage technical vendors, forensic investigators and other experts who are versed in such situations before they are needed, so that they have adequate information and incentive to jump in when called. It is often desirable from a legal standpoint to engage such persons through outside counsel, in order to maintain the confidentiality of your discussions if litigation does occur.
Once this is done and key players are notified, we suggest the following, when the time comes:
- If recommended by forensic and repair personnel, take appropriate preliminary steps to contain and isolate malicious code, data encryption and similar activity while preserving operating systems and key application software. By way of example only, this may or may not include removing the internet or other network connections (but not the power connection) of all relevant devices.
- Advise all staff of the problem and of the urgent need to avoid opening any unfamiliar links or attachments.
- If practicable, tentatively identify the impacted files, databases and systems, with emphasis on consumer data, and determine whether data has been wrongfully accessed but is still present and accurate, has been corrupted, or is no longer present.
- Where disaster recovery plans exist and involve third-party off-site support, notify the vendors that the plan needs to be activated.
- Access backup media or services.
- Do NOT publicly or privately apologize or accept responsibility. If a public statement is needed, it should be noncommittal, e.g. "we are aware of the situation and are conducting an investigation". Engage FisherBroyles to determine the applicable laws requiring consumer or other notices and remedial steps, and whether law enforcement should be notified.
- Notify cloud and SaaS vendors and determine whether the issue originates with them.
- Pull all insurance policies and other relevant documents, especially cyber-liability and errors-and-omissions policies or endorsements, and notify the issuers of the latter.
- To facilitate the efforts of law enforcement and forensic investigators, do NOT delete files of any kind.
These steps are intended only to freeze the situation and avoid additional harm or legally prejudicial statements or actions. They are most definitely not a full prescription for remedial action, and they must be augmented by the detailed involvement of technical personnel. However, that involvement will be far more efficient, and you will be back up much faster, if the right first-aid steps have been prepared in advance.