In a perfect world, companies would prepare ahead of time for a problem that on average costs them $7.91 million. This “not if, but when” problem? *Cue Jeopardy response*: What is a “data breach”?
In this two-part series, I want to discuss the ten things every organization must consider when dealing with a data breach. This post deals with considerations applicable to what I like to call “data breach triage”. In Part 2 of this series, I’ll conclude with the remaining 5 things companies must think about when putting public data breach response plans into action (PR, notifications, etc).
1. Any suspicion of a data breach should immediately prompt a call to outside counsel
Yes, the clock is ticking and time indeed is very precious, but outside counsel as the first point of contact accomplishes a number of important objectives. For starters, outside counsel should first assess whether the incident in question even rises to the level of what states commonly define as a “security breach” (aka data breach). Maybe it does not, and the problem is thus resolved. Congratulations, this call just saved your business a tremendous amount of money better spent on solving actual problems (like why you don’t have a good cybersecurity response plan in the first place). Secondly, the hiring of a third-party forensics firm should always come at the direction of outside counsel. Why? For privilege purposes in the event of future litigation and discovery. Lastly, retaining outside counsel with specialized knowledge, rather than relying on in-house attorney(s), mitigates the risk of taking advice from someone who doesn’t know what they are doing.
2. Ask forensics the right questions
I’m as big a fan of Simon Sinek as anyone, but now is not the time to start with why. The more appropriate question should center on “how long” and evolve from there. How long before forensics can stop the immediate bleeding? How long before forensics can assess how widespread the damage is? To be extremely safe and not waive privilege, these questions and their corresponding answers should funnel between the company and forensics through outside counsel. Arguably the biggest “how long” pertains to timely notification (a point soon to come).
3. Determine whether or not to contact law enforcement
There is no black or white answer on whether you should contact law enforcement like the FBI or the U.S. Secret Service after a data breach. However, note that some states like New York and New Jersey explicitly require that companies notify state police. Seek the input of both outside counsel and forensics, weighing the pros and cons to ultimately include/exclude law enforcement.
4. Brief Executive Management (and if applicable Board of Directors)
Depending upon the size of your organization, you need to involve executive management. For a publicly traded company and its Board of Directors, a breach raises future concerns about shareholder derivative lawsuits. I’m beating a dead horse here, but counsel should be intimately involved in the decision to internally disclose information about the breach to the appropriate people.
5. Determine the timeline for required notification
Once the forensics team assesses the information lost and the number of people affected, legal should provide you with a thorough analysis of which notification laws come into play. Based upon where the affected people live, you face the harsh reality of working with legal on how to respond to a patchwork of state breach notification laws (50 to be precise, along with D.C., Guam, Puerto Rico and the Virgin Islands). If you have consumers in the EU, the General Data Protection Regulation (GDPR) also applies (and features a three-day notification period — Yikes). All of these laws feature different timelines within which you must provide notice to affected consumers. And be forewarned: untimely notice can prompt enforcement actions from state regulators.
Look back soon for Part Two. Have any questions about what your business would do if you suffered a data breach? Contact us today.