A data breach requires you, the general counsel, to quickly assess the situation and be able to give a coherent initial report to your CEO. If you are well organized you should be able to prepare an effective CEO initial briefing in about 30 minutes. Here are some tips from working with 52 data breaches /data compromises in the past year. With advanced planning, every GC can master the first steps of a computer intrusion smoothly. Try to follow these nine steps in the order offered.
Step 1: The Debrief. This is the initial debriefing from the IT director, the HR director or whoever presents the information about the compromise. This may also be a vendor, a bank or law enforcement. Get the bad news straight the first time. This is a quick “who, what, where, when, why and how” big conversation. Take no more than 10 minutes with this. Try to define if this was a ping or an actual breach. Determine whether the intrusion is still underway.
What was lost or compromised: personal information, trade secrets, credit cards numbers, health information, financial information? Get the best possible estimate of the number of individual records compromised. If a vendor was involved, have someone locate a copy of the contract so you can later determine, as quickly as possible, if you have immediate audit rights.
(Note: all data breaches come to light on Friday afternoon after 3:30 and require follow-up calls by you and members of the incident response team on Saturday and Sunday.)
Step 2: Call outside cyber security counsel. Locate experienced outside legal counsel before the compromise. Choose an attorney with experience with computer intrusions who understands the technical, legal and regulatory implications of particular types of breaches. You will also discuss the applicability of the attorney-client work product privilege in this investigation. Note: current case law requires the attorney-client relationship to be established at the earliest possible time.
Step 3: Direct IT staff to freeze all internal audit trails – including vendor traffic. This is not only a way to stop the immediate bleeding, but also a complete document preservation effort. It needs to be practiced in advance to make sure that all relevant documents are preserved. An internal data mapping project, completed in advance of any breach, will enable you and the IT director to know exactly the systems that store the critical records.
Step 4: Convene a meeting of the Incident Response Team within one hour. This should not be the first time the Incident Response Team has met. They will have been selected for their particular positions as a result of the company’s data mapping exercise. They will also have received training on the company’s Incident Response Plan and, hopefully, gone through practice drills involving various intrusion and compromise situations.
The Incident Response Team will follow the guidance of the Incident Response Plan, which will include:
- Defining the significance of the incident
- Determining reporting responsibility to senior leaders
- Defining containment strategies
- Preserving evidence
- Documenting the incident
- Identifying forensic analysis of the breach
- Ensuring business partner compliance evaluation
- Defining notification process and timing
- Reinforcing remediation and post-incident reviews
The activities and findings of the team should be closely held and covered by the attorney-client/ work product privilege. At a later point, it may be determined that the information gathered will include both privileged and non-privileged information.
The public relations staff should be alerted that an investigation is underway, but they should not be included in the incident response meetings. The goal here is to avoid a public comment that claims no security breach has taken place, when, in fact, a major breach is under investigation. Better to say nothing than to accidently provide misinformation.
Step 5: Advise CFO. The CFO must be alerted so that he or she can immediately keep an eye on all banking activity. Wire transfers should be closely watched and partner banks should be advised that a compromise has taken place, and that all unusual transfers by size and/or recipient should require specific CFO approval until further notice. The success of a hacker’s phishing attacks depends greatly on illegally transferring funds from the victim to overseas accounts, and doing so as quickly as possible. If the attack involves the theft of credit card data, you will contact the acquiring bank and start discussing that credit card losses may be involved.
Step 6: Law Enforcement or Not. Prior to this incident, and as part of the incident response plan, you will have located contact information for the local FBI, the U.S. Secret Service and a good local forensic examiner. Make sure you have those numbers at hand, but DO NOT CALL THEM YET. Multiple considerations factor into this decision. If this is a financial crime, then the Secret Service would be the logical contact. If it is a Distributed Denial of Service attack or a phishing attack, then the FBI might be contacted. If this appears to be a trade secret theft, then a forensic examiner might be selected. Finally, if this is an internal employee issue or a vendor-based compromise, then the Incident Response Team and upper management might decide to handle the matter internally.
Step 7: Check insurance coverage. In the first 30 minutes, you should delegate someone to start pulling your cyber insurance policies, including first-party loss and third-party loss insurance. Check for the following specific insurance coverages:
- Litigation and regulatory costs
- Regulatory response
- Notifications costs
- Crisis management
- Credit monitoring
- Medical liability
- Privacy liability
Step 8: Start calculating your intrusion cost tab. The time and expense that a company puts into responding to a security incident has multiple impacts. Keeping track of the money spent responding shows that the company is taking the intrusion seriously and trying hard to protect compromised consumer information and lost trade-secret information. It shows regulators and state attorneys general that the company was trying to do the right thing by consumers and investors. A documented record of the cost of the intrusion also forms a clear basis for recovering damages from vendors or other organizations if the facts support that type of litigation. But, it is critical that expense records be maintained from the beginning of the incident.
Step 9: Contact CEO. After this 30-minute drill, you will have the information necessary to provide an initial briefing to your CEO about breach situation. The CEO will want to know how much this breach is likely to cost. The answer depends on what was compromised (trade secrets vs. personal information about consumers and employees), the regulatory agencies involved, and the likelihood of litigation. As a rule, the average consolidated cost of lost records in a data breach is $201 per record. (Stated otherwise, 10,000 lost records equal a $2 million loss.) (Ponemon Institute: 2014 Cost of Data Breach Study: Global Analysis).
The investigation, regulatory impact and potential litigation may continue on for years, but following the above nine steps will enable your company to establish that it acted with advanced planning and due diligence to immediately start its data breach response.
Client Alert 2015-118