Responding to a known or potential data breach is a difficult task for any company. It frequently involves conducting an emergency investigation and making difficult decisions based on limited information. Following the measures outlined below will maximize a company’s ability to appropriately respond to the breach and minimize the potential harm.  

Identify the Appropriate Internal Incident Response Team Members

For large-scale and/or ongoing data security events, you likely will need to make decisions quickly. If your company has a crisis management or incident response team, you should mobilize those individuals. If not, at a minimum, the data breach response team should include the company’s president/CEO or designee, chief legal officer, chief information security officer, head of IT, and chief privacy officer. Depending on the company, other team members can include the chief financial officer and the heads of human resources and communications.

When communicating, team members should avoid company email accounts if there is any indication or belief that those accounts may have been compromised in the data breach. If a hacker has access to a company’s email accounts, he or she can monitor communications to understand how the company is responding to the event. Team members should consider using text messages, phone calls, or private email addresses to communicate when they cannot do so in person.

Preserve Evidence

Depending on the type of data security incident, it may be necessary to analyze emails, logs, other system or user data, and electronic devices such as computers, smart phones, tablets, and servers. Preserving this evidence should be a priority. To avoid losing evidence, companies should, where feasible, avoid powering off affected computers and instead should consider disconnecting them from the company’s network and the internet. If a company has overwriting procedures (e.g., overwriting backup tapes), it should analyze whether those procedures need to be suspended.

Contact an Experienced Data Breach Attorney

An experienced data breach attorney can quarterback your breach response while at the same time cloaking the investigation in attorney-client privilege and the attorney work product doctrine. Experienced data breach attorneys will walk you through every step of the breach response process and ensure your company is complying with its legal responsibilities. They also will be able to refer you to qualified forensic experts and have relationships with the appropriate law enforcement officials. To reach one of our data breach attorneys, call our incident response hotline at 888.898.6035.    

Retain an External Forensic Expert

Data security events come in many different forms and combinations: ransomware, malware, phishing, and wire fraud, to name a few. You will need to determine what occurred, how it occurred, and what information has been compromised. Depending on the sophistication of the attack and the company’s internal information security capabilities, it may be necessary to retain an external forensic expert to answer these questions. Even if a company has internal information security staff, an external forensic vendor may have access to analytical tools, manpower, and experience handling similar incidents to provide valuable assistance. If the malicious actor is still in your system, an external forensic expert will be able to eradicate the threat.

Contact Law Enforcement

If you were the victim of ransomware, wire fraud, or another form of theft, you should consult with your attorney on contacting law enforcement. In wire fraud cases, the FBI has means to potentially claw back fraudulent wire transfers if notified immediately. In ransomware cases, the FBI may already have the encryption key or may know from prior experience whether the malicious actor will unlock your system if the ransom is paid.

Secure and Restore

The nature of the breach will dictate the amount of time and effort necessary to get your company’s system secured and functioning again. It often takes longer than companies anticipate, particularly where attacks hit critical network components. Incorporating business continuity models will ensure that your organization has a plan for restoring or re-creating communications, document management, and other critical functions in the event of an attack that renders your network unavailable.

Cybersecurity Insurance

If your company has cybersecurity insurance, you or your attorney should contact your insurance agent to determine whether your policy covers your event and, if so, what resources may be available through your carrier.

Determine Whether You Must Notify Your Regulator

A growing number of regulators demand to be notified quickly about a data security event affecting a covered entity. If your company is subject to a regulatory agency, you will want to work with your counsel to ensure that you are complying with that agency’s notification requirements.

Provide Notice to Business Partners

If the security event affected data that belongs to a business partner, you need to consider whether you are contractually or otherwise legally required to provide notice to that business partner. Experienced data security attorneys can guide you through that process.

Provide Notice to Affected Individuals as Required by Law

New Mexico’s breach notification statute requires that entities notify individuals if their personal identifying information has been compromised. The law defines personal identifying information (PII) to mean an individual’s first name or first initial and last name in combination with one or more of the following: a social security number; a driver’s license number; a government-issued identification card number; or an account number, credit card number, or debit card number in combination with any required security or access code or password that would permit access to the person’s financial account. Biometric authentication data such as fingerprints and voiceprints are also defined as PII.

Notice must be provided in the most expedient time possible but not later than 45 days following discovery of the data breach. The notice must provide specific information about the breach and how individuals can protect themselves against identity theft. Entities that possess or maintain personal identifying information that they do not own (e.g., a payroll vendor or cloud service provider) must notify the owner of the information within the 45-day time frame after discovery of a security breach.

In addition to New Mexico, 47 other states have breach notification laws. There are also a variety of federal laws with breach notification provisions—such as HIPAA and GLBA—that may apply depending on the type of entity and data at issue. Unfortunately, these laws vary in important respects. The essential takeaway, however, is that if your security incident involved the loss or compromise of private information, you need to consult with a data breach attorney to determine whether you are legally obligated to provide notice to affected individuals.

Provide Notice to Others

Bad news travels fast. You should consider whether you should notify employees, valued clients/customers, and/or important business relations.

Ballard Spahr's Privacy and Data Security Group provides a full range of cybersecurity counseling, transactional, regulatory, investigative, and litigation services. We help clients around the world identify, manage, and mitigate cyber risk, including designing and executing breach response protocol.