It’s not a matter of “if”….

By Michaela Barry, Counsel, Potomac Law

Do you have a plan for data breach?  Just about every company, large or small, will eventually be caught up in a data breach scenario, whether real or assumed.  Do you know what you’ll do?

According to forensics company Stroz Friedberg, 52% of senior leadership gave corporate America’s response to cyber threats a grade of C or lower.  That hardly fosters optimism.  The Washington Post reported that in 2013, federal agents informed over 3000 companies that their systems had been hacked.  This included Target’s system, which was breached with millions of personal records exposed, which caused a dramatic loss of sales.  April 3, 2014, the Heartbleed exploit was discovered.  It is not known how much information was compromised.  April 30, 2014, ex counterterrorism czar Richard Clarke warned that Russia may use cyber warfare against the US and Ukraine. May 19, the New York Times reported that 5 Chinese Army personnel had been indicted for hacking US systems.  May 21, eBay was hacked, including its e-commerce pseudo-banking site PayPal  The damage to consumers is still unknown. May 22, Bloomberg News reported that “UglyGorilla,” one of the 5 indicted Chinese, is claimed to have hacked into Westinghouse and US Steel.

These are merely the publicized exploits.  Meantime, there are tens of thousands of attempts to break in, usually by “script kiddies,” or kids who collect malicious code on the Internet that they use to try to break into random systems.  Usually, these attacks are not very sophisticated.  My blog’s automatic blocking of people who try to get in too many times has been triggered thousands of times this year.  More savvy attacks would easily have gotten in.  Of course, they wouldn’t have found anything except my articles, for which I have backups.

But what about the small to midsized defense contractors, software/hardware developers with intellectual property secrets, customer lists, employee SSNs, pay records and direct deposit accounts? What if you’re a HIPAA Business Associate with Private Health Information (PHI)?

It is very important for all companies to have systematic procedures in place long before the intrusion or possible intrusion happens.  A sample team for a small company might include your system administrator, chief technical officer, legal counsel and the CEO.  You should have identified and contracted with a competent computer forensics company and outside counsel who are well versed in cybersecurity.  All team members should be involved with writing your company’s plan and with doing table top simulations so they’re comfortable with the procedures.

So, what do you need a lawyer for?  Shouldn’t the forensics company in combination with the company IT staff be more than capable of handling an investigation?  Maybe.  If the techs find that no data was compromised, that the intrusion alarm went off for nothing and all is well, then you really don’t need legal assistance.  What happens, however, if you find that customer data, protected medical information, employee SSNs or other identifying information has been disclosed?  What if you have data from several states?  What if you have international data?   Trade secret information or classified materials?  Would you know where to begin, and whether the company could be civilly or criminally liable?

All companies that deal with protected data of any kind that may be vulnerable to cyber attack (which is any data on a network), should have competent cybersecurity counsel, either as in house or outside counsel (hopefully both if your investigation needs attorney/client privilege), assisting in the creation of a comprehensive response plan.  The lawyer should work closely with the technical and operations staff, a forensics company, as well as C level executives to draft a workable, easily understandable plan.  The plan should be kept up to date with appropriate names and contact information, and scenarios should be simulated against the plan with changes made as necessary.

Having a rehearsed plan immediately implemented can make the difference in the outcome of any cyber incident.  Rapid identification, verification, and containment, followed by ensuring compliance in reporting or other requirements, appropriately involving law enforcement, and improving safeguards as well as response, may keep your company out of the news.