Friday at 5:15 p.m. your chief information officer calls saying she thinks the company has been hacked. The allegedly hacked customer records have not been posted, yet the tip appears legitimate. The CIO asks: “What do we do?”
Scenarios like this are increasingly common, and the reputational, regulatory and operational effects can be devastating. Your response should be swift and focused, and it should include:
MOBILIZATION: Responding to a data breach will involve resources from across your company’s functional groups — IT, HR, legal, risk, accounting, marketing — and from the C-suite to the affected line of business, as well as external resources such as breach counsel, forensic investigators, crisis management and PR teams, and notification mail processors. You should have a response plan in place before the incident, and you should mobilize your team immediately.
Many of the issues you face next will have civil and regulatory implications, and your discussions should have the benefit of legal privilege. You should consider engaging breach counsel first.
STABILIZATION: The first step in regaining control of your data post-incident is to close whatever gap allowed the leak. Your technical team should lock down any stolen or misused credentials, devices or system vulnerabilities, and preserve evidence as it does so.
INVESTIGATION: Once the technical vulnerabilities have been addressed, identify the scope and duration of the incident; use outside forensic examiners, if necessary. At the same time, review contracts with any implicated third-party service providers, and identify applicable responsive insurance.
ANALYSIS: Data breaches are addressed primarily as a matter of state law, with every state defining and prescribing responses to a breach differently. You may also have obligations related to data breaches under contracts with your commercial vendors or suppliers. Understanding your responsibilities — to customers, regulators, counterparties and investors — turns heavily on the language of the data breach statutes in each implicated state, and the language of your contracts. Which states are implicated is largely determined by the location of your customers and your business operations. Whether your counterparties must be involved is determined by the language of your agreements. This is a highly fact-specific, largely “legal” analysis.
NOTIFICATION: Once you have identified the “what,” “how” and “who,” it’s time to notify your external stakeholders. This may involve notifying customers, contractual counterparties and investors, and will most assuredly involve notifying state attorneys general. Notification requirements differ by state, both as to timing and substance. The clock under most statutes runs from knowledge of the breach, and the window may be as short as 24 hours.
EVOLUTION: To the extent there is a benefit to a data breach, it lies in identifying the facts and circumstances that led to the breach and using them to anticipate future threats and improve your systems and practices.
Chris Couch is a member (partner) in McGlinchey Stafford’s Birmingham, Ala., office and a Certified Information Privacy Professional (CIPP-US). Chris can be reached at [email protected] or (205) 725-6404. McGlinchey Stafford is the Compliance Partner of Auto Finance Excellence (AutoFinanceExcellence.org), a sister service of Auto Finance News.