Security

Cybersecurity: How to Handle the Nontechnical Aspects of a Data Breach

Should the business pay a ransom? When and what should it tell the public? Good incident response means more than stopping the breach.

Kelly Frey and Joseph Damon

Kelly Frey and Joseph Damon are attorneys in the Nashville office of Nelson Mullins Riley & Scarborough LLP, where they represent clients in technology transactions, licensing, compliance and other corporate matters.

Companies today are under constant attack from increasingly sophisticated threat actors, and businesses often go weeks or months before becoming aware that they’ve been breached.

But once a business does become aware of a cybersecurity incident, what should it do? Sure, it needs to activate its incident response plan, and that plan should outline roles, responsibilities and timelines critical to mitigating and remediating the damages from a cybersecurity incident.

But what about the other aspects of a breach? How should the business respond to a threat actor’s demand for a ransom payment? How should it handle notification to the public, insurers and authorities? Questions like these are not technical in nature. But they should be addressed in the business’s incident response plan. Here are the key steps.

When Protecting Your Data, Prepare for the Worst

Every organization should start by creating a data “map” showing where its sensitive data is and how many places it is replicated, sometimes needlessly, across the IT system. Then look at where the business operates, taking note of the national and state laws that apply in each location. How do these laws define the type of data — usually personally identifiable information — that is protected, and what do they say about notice and mitigation responsibilities in case of a breach?

Since the costliest cybersecurity incidents often involve the business’ use of third-party vendors, businesses should review vendor contracts to make sure they include the same level of cybersecurity protection and due diligence that the business imposes on itself, and they should include indemnification and insurance just in case the vendor’s systems are breached.

Every incident response plan should be in writing and approved at the highest level in the organization. Incident response planning is not strictly an IT issue; a business’s data is as important to the capital value and revenue potential of the company as its physical offices or manufacturing facilities, and often more so.

Categorize stakeholders as “responsible,” “accountable,” “consultative” or “informed.” The plan should describe the business’ data breach response team with an allocation of roles for investigating, mitigating and informing necessary parties about any cybersecurity incident. The team should regularly assess and document the effectiveness of the plan and make required updates as security incidents become more sophisticated. A dusty plan sitting in a desk doesn’t work; continuous revisions are essential.

Know What's Required After a Breach

When a breach is detected and the response plan is invoked, moving quickly is critical to managing the implications to the company brand and financials.

Stopping the breach is, of course, the first order of business. When that’s done, analyze the scope of the incident, the type of data involved and the affected individuals so that the business can manage the post-incident repercussions. Management and corporate relations — not the IT staff — should assess communications outside the company. Have the legal department (or outside counsel) assess the statutory duties to inform affected individuals, insurance carriers and state or federal officials.

All 50 states and the District of Columbia require notification on some level, depending on the type and extent of the affected data. And federal laws such as the Gramm-Leach-Bliley Act require notification of data breaches for specific types of financial data. Businesses that operate internationally must consider whether the overarching provisions of Europe’s General Data Protection Regulation apply. And don’t forget to check the business’ own privacy policies and contractual commitments, which may require a higher duty than the relevant laws.

Whatever the particular legal requirements, it’s almost always best when news of a breach comes from the company rather than being leaked. Some companies have attempted to hide data breaches that later became public. The result is always negative for their reputation and brand value.

However, the details you must disclose after a data breach depend on a combination of legal and contractual requirements, including the types of data breached, the extent of the breach and the source of the breached data. A best practice is to have a template letter that the business’ legal counsel can adapt as part of its incident response plan. The template should include the date of the notice, the entity notifying the affected individual, contact information for questions, a brief description of the incident, the date of the breach (as best as the business can tell), the types of data breached, the organization’s efforts to contain the breach and prevent similar future breaches, and contact information for the applicable credit reporting and government resources (if necessary). The letter comes from the highest position within the company, as the official voice of the company, in responding.

To Pay or Not to Pay

Should a business that is victimized by a ransomware attack pay the ransom? It’s a complicated question.

The FBI recommends not paying in almost all cases. But it is not their company at risk, and there have been many cases where a company’s management decided to pay ransom in hopes of receiving a promised encryption key to unlock their data and contain the incident. Certainly, there is no guarantee that the threat actor will supply the encryption key once paid. And the malware may damage the data, making it unusable even with the encryption key.

But these types of decisions are strictly business decisions — not for lawyers or authorities — and the decision-makers are ultimately responsible to their investors and other stakeholders for this type of cybersecurity incident, as they are for every other major corporate decision.

Plan, respond, mitigate, rehabilitate: four words that need to be part of every discussion on cybersecurity.

How to Limit the Damage After a Breach

Now comes the hard part: remediation.

After the fire is out and the smoke clears — the business has implemented its incident response plan successfully — it’s time to pick up the pieces and move forward. Internally, the response plan needs to be amended to account for the lapse that created the incident. The business’s internal data maps and data systems need to be augmented, which may mean allocating more money to IT security budgets.

Externally, conduct damage control. Partner with the organization’s cyber-insurance carrier to address the very real concerns that customers may have about any release of their personally identifiable information. This includes implementing credit monitoring or identity theft insurance programs for them (use this as a positive PR opportunity to convey that you care about your customers and their plight without admitting liability).

Once again, address any legal concerns, including compliance with statutes and regulations and reporting any criminal activities — and document everything. Just because the business has moved on from a security incident doesn’t mean that affected individuals (and their attorneys) have. In many U.S. jurisdictions, there is private civil action these individuals can take against the company. In any court proceedings, business records demonstrating that the organization acted in a commercially reasonable manner consistent with industry standards and statutory requirements are essential in minimizing exposure.

a_Taiga/Getty Images