As cybercrime becomes increasingly widespread, businesses should not only have a policy to reduce the likelihood of a cyber-intrusion, but also be prepared for how to respond if and when they are hacked. Advance preparation, including a response plan, can minimize the adverse effects and opportunity costs that are inherent in every data breach. Several common issues arise in many data breaches. This checklist will help you and your team determine some of your responsibilities and obligations following an intrusion. Meeting those obligations is an important part of an effective response to a data breach, alongside the technical work of containing, eradicating, and recovering from the incident.
1. Triage the Breach: Determine the Who, What, Where, When and How
- When did the intrusion occur?
- How did the intrusion occur?
- Where did the data reside?
- Was the server or were the servers shared in any way? If so, with whom?
- How was the data accessible?
- Who were your vendors at the time?
- Were one or more of those vendors affected? If so, how widespread was the impact?
- Was there anything that you or one of your vendors could have done to prevent it, or was it the result of something a third party didn’t do or should have done differently?
- What was accessed?
- What was downloaded?
- Of those, what was encrypted? How would a third party be able to decrypt it?
- What notification has been sent, and to whom?
- Have you received a ransom demand?
2. Identify Who Your Users and Other Constituents Are
Many of your obligations depend on who your users are, what your relationship is with them, and where they are located. Also note that you owe each constituency a different duty, and that your communications with one constituency may trigger obligations to a separate constituency. For example, telling the media that you are taking an action you otherwise had no legal obligation to take may create a responsibility to take that action even where none would otherwise exist.
3. Communicate to Your Users and Others
Many state and federal laws and regulations require early notice to users – potentially before you have sufficient information to provide such notice. Depending on how your data was accessed, and the type of information which you believe may have been taken, you may also have an obligation to notify certain third parties, such as credit bureaus, of the breach. In addition, the laws of any state in which you have customers or users will dictate the notice requirement for the residents of that state whose information may have been jeopardized. Finally, you may have contractual obligations over and above statutory or regulatory requirements; you should promptly determine what contracts you have in place which could require you to notify users in the event of a breach (or, better yet, have a list prepared before an incident occurs).
4. Review Vendor Relationships
If the breach was the result of an action or inaction by one of your vendors, is such a situation referenced in a service level agreement or master services agreement? If so, look to that agreement to determine who is responsible for taking which actions, including notification. However, be aware that you may have a statutory or contractual duty to notify certain users and third parties even if your vendor has a contractual duty to do so.
5. Contact Your Professional Team
As more and more businesses suffer denial of service attacks and data theft, and as identity theft becomes more prevalent, state and federal legislators and regulators are looking for ways to protect businesses and consumers from cybercrime. Therefore, the law in this area – including requirements for the timing and content of notifying users of a data breach – is constantly changing. Reach out to your professional team for the support and guidance you need to minimize the organization’s risk and liability.