February 29, 2016 Practice Points

Five Key Steps to Take If Your Company Experiences a Cybersecurity Attack

Limit exposure to litigation and regulatory actions.

By Brian Rubin and Amy Xu

What do the largest companies in the world, as well as the St. Louis Federal Reserve, the IRS, and the White House have in common? Each of them has experienced notable cybersecurity breaches and consequently had to respond. Cybersecurity attacks happen to companies of all sizes across many different sectors, and the effects of such attacks can be harmful to an organization’s reputation and bottom line. When a cybersecurity attack inevitably occurs, here are five steps that in-house counsel may consider taking to minimize detrimental effect.

1. Preserve the Data

After a cybersecurity attack, in-house counsel may consider recommending that their corporate client preserve all data surrounding the attack. This information may be necessary to determine the cause of the breach and to provide information to employees, customers, business partners, and government agencies about the attack. Some actions to consider that will aid in data preservation include disconnecting infected machines, calling forensic experts to image infected machines, saving log files, pulling needed backups out of rotation, saving keycard data and surveillance tapes, starting a real-time packet capture, and forcing employees to change passwords.

2. Recommend Appointing One Individual to Lead Response to the Cybersecurity Attack

Consider recommending that the company that experienced the breach appoint one individual to head the incident response team. For privilege purposes, the individual leading the incident response team will ideally be either the general counsel or another attorney in a position to coordinate across organizational units. The team may include people from the following functions: legal, information technology, executive management, public relations, risk management, customer service, compliance, and building security/facilities (if physical security is involved).

3. Take Steps to Prevent Future Harm or Mitigate Existing Harm

If the breach is active or ongoing, take steps to prevent or contain the data breach. Consider identifying how the cybersecurity attack exploited the company’s vulnerabilities, and consider implementing remediation actions to address how the breach occurred. These mitigation efforts may be viewed favorably in the face of future enforcement actions, litigation, and class actions and may minimize monetary and data loss to clients.

4. Collect Evidence to Determine What Caused the Cybersecurity Attack

In-house counsel may recommend beginning an investigation to determine the source of the cybersecurity attack. If criminal activity is suspected, consider whether law enforcement should be involved in the collection of evidence. Potential investigatory actions include: conducting interviews with company personnel, determining whether information and data were lost in the breach, determining who may exploit the information lost in the breach, and investigating whether the initial breach may have provided access or opportunities for additional exposure of data.  

5. Notify Relevant Parties

Companies that have been breached should consider notifying parties affected by the breach. These parties may include customers, business partners, and government agencies. If personally identifiable information (PII) has been compromised, counsel will need to determine the best way to communicate with consumers. Companies may be bound by state and federal laws and regulations that describe who must comply with the law; definitions of PII; what constitutes a breach (e.g. unauthorized acquisition of data); and requirements for notice (e.g. timing, method of notice, people to be notified). Companies that have experienced a breach may consider notifying business partners if the breach affects existing relationships or results in potential contract breaches.

If criminal activity is suspected, consider notifying law enforcement. Further, government regulators may also need to be notified. Financial institutions, in particular, are subject to regulations by the Financial Industry Regulatory Authority and the Securities Exchange Commission, which may require disclosure of cybersecurity breaches. Public companies may be required to disclose material information regarding cybersecurity breaches to investors. Consider if insurance providers, banks, or credit-card processors, among other parties, also need to be notified. Regardless of what parties are notified, all forms of communications need to be documented in detail.

Despite the prevalence of cybersecurity attacks, implementing these five key steps following a cybersecurity breach may limit exposure to litigation and regulatory actions, as well as decrease reputational and financial harm to the corporation and its clients.

— Brian Rubin and Amy Xu, Sutherland Asbill & Brennan LLP, Washington, D.C.

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).