United States: Data Breach? Top 10 Things to Do Next

Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic.  So first, take a deep breath and calm down.  Unfortunately, these days this happens all the time.  Below are the top ten things to do after enjoying that deep breath.

1. Consult Your Incident Response Plan

Hopefully you have an incident response plan and team already in place.  Hopefully, you've even done some run-throughs or rehearsals in the past and already know the players.  If you do have an Incident Response Plan -- follow it.  Failing to follow your own plan may give rise to claims of gross negligence or recklessness.  Hopefully, when you formulated your Incident Response Plan, you made sure it was one you could adhere to and live with.

If you or your clients do not have an Incident Response Plan, this is something you should definitely put in place.  Not only is it extremely useful, but it is the first thing that regulatory authorities and plaintiffs' lawyers will ask for.  The lack of one will undoubtedly be used by adverse parties (and the courts) to assess liability.  Every company should at least have some sort of response plan in place.

But if you don't, there's not much to be done about it once the breach occurs -- except to create one on the fly.

2. Preserve the Attorney-Client Privilege

So the next thing to think about is preserving the attorney-client privilege and work product doctrine with regard to documents and communications pertaining to the cause, and remediation, of the breach.  You should definitely make sure that in-house counsel and external counsel are involved in all communications relating to the breach, as you are certainly operating in anticipation of litigation.

Ideally, external counsel should be in charge, working hand in hand with in-house counsel and the technical people discussed next.  The external counsel should be involved in the selection and retention of these experts, and perhaps be the procuring party, to give your company the best option to preserve privilege.  This is particularly the case if in-house counsel is located outside the United States, in a country where the attorney-client privilege may not apply to in-house counsel.

Of course, you should make sure that privileged communications bear the "privileged and confidential" header or footer placed prominently thereon, and take all precautions to preserve privilege while you are learning and assessing how the data breach occurred and what should be done about it. 

3. Use Alternative Modes of Communication

As your company's system has been compromised, and you may not know the full extent, you should seriously consider refraining from using your company's email system, which may be compromised as well.  Meetings, phone calls or texts are preferable.  You may even consider resorting to that old stand-by, inter-office mail, as opposed to emails.  You should also refrain from other methods of communication using your company's systems, such as Skype or other live-chat mechanisms, at least until you can be confident that the system is once again secure.

4. Retain a Forensic Consultant

Next, you should make sure you have qualified IT personnel and a forensic consultant investigating the breach.  Hopefully, you or your counsel already have one on retainer, or at least on speed-dial, as part of your Incident Response Plan. But if not, you need to act, or have your counsel act, fast.  You need your forensic consultant to quickly figure out what type of information has been exposed, the cause of the breach, the date of the breach, the duration of the breach, how to cut off the threat, and how to stop the flow of information from spreading. 

5. Document Preservation

You also need to be extremely focused on document preservation, to avoid spoliation claims and also to preserve evidence for your defense. Documents to be preserved include all system log files, including the firewall, VPN, mail, network, client, web, server and intrusion systems logs.  These are key.  Proving the methods used to enter your company's system may be integral to your defense.  If you can prove that your company took reasonable precautions, using up-to-date technology, but you are nevertheless a victim of a state-sponsored hacker or sophisticated criminal organization you will have a much stronger defense.  For example, your contracts with business partners may have force majeure clauses providing that your company is not liable for "malicious acts of third parties" or "acts of terrorism."  Thus, it is extremely important to preserve the evidence demonstrating the breach has the earmarks of a terrorist act.
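Step 5 names the log sources to preserve but not how to show later that the preserved copies are unaltered. The Python below is an added example, not part of the article: it copies each log into a read-only evidence folder, records a SHA-256 manifest (who collected what, and when), and re-checks that manifest so that an altered or missing file is detected. The file names, log lines and collector name are constructed sample data, not from any real system.

```python
"""Evidence-preservation manifest for breach-response log collection.

Added example (not from the original article). Assumes a collector copies the
logs named in the text into an evidence folder; file names, log lines and the
collector name below are constructed sample data.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample logs standing in for the systems the article lists.
SAMPLE_LOGS = {
    "firewall.log": "2024-01-01T00:00:01Z DENY tcp 203.0.113.5:4444 -> 10.0.0.7:445\n",
    "vpn.log": "2024-01-01T00:02:10Z login user=jdoe src=198.51.100.9 result=ok\n",
    "ids.log": "2024-01-01T00:03:00Z alert sid=1000001 msg=\"constructed test alert\"\n",
}


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(source_dir, evidence_dir, collector):
    """Copy every file in source_dir into evidence_dir, make the copies
    read-only, and write manifest.json recording collector, time, size and
    SHA-256 of each copy.  Returns the manifest dict."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for name in sorted(os.listdir(source_dir)):
        src = os.path.join(source_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(evidence_dir, name)
        shutil.copy2(src, dst)   # copy2 keeps the original modification time
        os.chmod(dst, 0o444)     # read-only copy: accidental edits now fail
        entries.append({
            "file": name,
            "size": os.path.getsize(dst),
            "source_mtime_utc": datetime.fromtimestamp(
                os.path.getmtime(src), timezone.utc).isoformat(),
            "sha256": sha256_file(dst),
        })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }
    # Hash the manifest body too, so the record of hashes is itself tamper-evident.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash the manifest body and every preserved file.  Returns a list of
    problems; an empty list means the evidence set is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    problems = []
    recorded = manifest.pop("manifest_sha256")
    body = json.dumps(manifest, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != recorded:
        problems.append("manifest.json: body does not match its recorded hash")
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path):
            problems.append(f"{entry['file']}: missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"{entry['file']}: hash mismatch (altered after collection)")
    return problems


def demo():
    """Preserve the constructed logs, then show that altering one is detected."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "live_logs")
    os.makedirs(src)
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(src, name), "w") as fh:
            fh.write(text)
    evidence = os.path.join(work, "evidence")
    preserve_logs(src, evidence, collector="example-collector (constructed)")
    intact = verify_evidence(evidence)     # expected: []
    target = os.path.join(evidence, "firewall.log")
    os.chmod(target, 0o644)                # lift read-only to simulate tampering
    with open(target, "a") as fh:
        fh.write("tampered line\n")
    tampered = verify_evidence(evidence)   # expected: one hash-mismatch entry
    shutil.rmtree(work)
    return intact, tampered
```

In practice the manifest would be stored with counsel or a custodian separately from the evidence copies, and re-run at each hand-off, so that the chain of custody the text is concerned with is documented by something stronger than a memo.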

It is vital that you balance three sometimes competing workstreams at the same time:

1. investigating and stopping the threat;

2. while preserving attorney-client privilege; and

3. preserving evidence.

6. Consider Telling Law Enforcement

You also must consider notifying law enforcement.  In many states, this is required.  It may also help you obtain leniency in any investigation.  Law enforcement may also be of assistance in resolving and remediating the problem, as they may have seen the same type of breach before.  However, keep in mind that law enforcement will sometimes be more focused on catching the perpetrator as opposed to helping your company.  Law enforcement involvement may also cause distractions, such as by sending information requests while holding back evidence.  If the breach is contained and you can quickly get it under control, and third parties' personal identifying information is unaffected, you may not need to alert law enforcement.  All of these factors should be considered.  You should also be cognizant of the type of law enforcement that is involved.  Civil regulators may be much more focused on your company as a target rather than viewing your company as a victim.

7. Notifications

Once you get a handle on what type of information has been exposed, and the locations of the individuals or businesses whose information has been exposed, you may begin addressing notice requirements.  Nearly every state has a notification requirement, and there are several federal notification requirements as well.

You need to determine whether unencrypted personally identifying information has been exposed, such as a customer's or employer's name and social security number, driver's license number, credit card number or bank account number with password.  Sometimes this type of information is stored separately from a company's main systems, so it is possible that a data breach can occur that does not expose personal identifying information.  More than likely, however, notifications will be required, and the requirements differ from state to state.

In an ideal world, you will already have draft notifications written for the relevant jurisdictions.  Otherwise, you have some serious work to do.  The good news is that there are many vendors that specialize in drafting and sending out the notifications, so if you don't already have one lined up, you might want to consider enlisting one.  Of course, this should be covered in your Incident Response Plan.

Before you send out notifications, you should consult with any involved law enforcement, as they may want to keep as much information confidential as possible to attempt to catch the perpetrator.  In many states, a law enforcement request to refrain from sending notifications constitutes a defense to claims of unreasonably late notifications.  Also note that many state statutes require notification of credit reporting agencies as well.

8. Press Releases/Communications

Regardless of the required notifications, word of data breaches gets around quickly, and soon your customers and business partners may get wind of it.  Assuming law enforcement has no objection, you need to consider a press release or an email to customers or business partners.

Any such communication should describe what occurred accurately yet in as non-inflammatory a manner as possible.  Obviously, you do not want to provide plaintiffs' lawyers with "Exhibit A" in a litigation.

You should describe what occurred, what information may have been exposed, how you are remediating the situation, and emphasize that you are focused on doing so.  You should also consider setting up a hotline or email address for those with questions.  Also, you might want to consider getting ahead of the curve and offering credit monitoring, identity theft insurance, identity theft help, or even setting up a claims process for compensation, right away, to keep the customers or business partners on your side.

However, often at the time of any such communication, you may not know the full extent of the facts, so you should be careful to state that you are still investigating.  Once more facts are known, you may have to update the communication so it does not become false, misleading, or incomplete.

9. Insurance

Hopefully you already have cyber insurance lined up, because if you do not, it will obviously be quite hard to come by at this point.  Insurance companies do not like to insure burning buildings.  If you are fortunate enough to have cyber insurance, you need to look into your insurance coverage and advise your insurance company immediately.  Your insurer may have requirements regarding the attorneys and/or forensic consultant you may retain and still obtain reimbursement for, so you should confer with your insurance company as soon as possible upon learning of the breach.  Also, consider the types of insurance you may have.  Are you insured against claims asserted by credit card companies?  Against extortion, as hackers sometimes demand payments for the return of your information?  Are you insured for losses due to business interruption?  All of this may affect your go-forward strategies.

10. Indemnification/Lawsuits

Next, you may want to consider whether any third party, such as an outside vendor, may be liable, either for allowing the breach to occur or for failing to detect the breach earlier, thereby causing or adding to the damages.

At the same time, you should be gearing up to respond to information requests and the variety of lawsuits that will surely be filed.  You should think about having several legal teams working in tandem: one investigating the cause of the breach and the remediation; another preparing for the wave of information requests the company will surely get from law enforcement and civil regulators, who will be seeking responses on an expedited basis; a third responding to the inevitable lawsuits; and a fourth pursuing action against potential third parties who allowed the breach to occur or did not detect it sooner.

While obviously the more you have prepared for the data breach the better, you will, in all likelihood, get through the breach and move on.  Remember that.  Stay calm and focused as you work through these 10 steps.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
