My company’s data server was hacked. Now what?
In February, 2020, the FBI released the Internet Crime Complaint Center (IC3) 2019 Internet Crime Report.The Report details that, in 2019 alone, the number of cybercrime complaints from individuals and business organizations totaled 467,361 and the total cost of those reported crimes exceeded $3.5 billion [i]. In just the last 2 months, business organizations have relied even more heavily on their cybernetwork strength and security to support remote working arrangements. This increased usage correlates to increased opportunities for cybercrime [ii].
These bad cyber-actors (or “hackers”) are targeting businesses to obtain any and all information that might have some form of value.It is imperative that companies have a set of steps in place to respond quickly for the sake of those affected and to comply with any and all regulating state or federal authorities, such as any applicable State Attorney General’s offices.
First, determine the nature of the attack.
For example, a ransomware attack prevents your organization from operating unless and until the hackers receive a demanded sum of money. Failure to pay the ransom may result in an inability to operate a business.A spoofing or spear-phishing attack may be the beginning of a more targeted campaign. This kind of attack may be easily thwarted by simply not opening or responding to a particular email.If your organization has in-house IT personnel, consult them immediately. A primary goal is to determine how this incident occurred so that the breach does not becoming a continuing problem.
Second, determine the nature of the compromised data.
A bad actor could obtain unauthorized access to your company’s clients or customer contacts, employees’ personal identifying information (such as dates of birth, social security numbers, physical or email addresses), trade secrets and intellectual property, or bank information that could allow a hacker to intercept wire transfers. The specific mitigation strategy will depend on the type and amount of data that has been compromised.
Third, determine if your company has- cyber insurance coverage that could assist.
Although these policies are becoming more standardized, coverage benefits still vary greatly and may be tailored to fit the nature of your business or the kind of data you maintain. Standard Commercial General Liability (CGL) policies will likely not provide the coverage or benefits your business will need if it falls victim to a cyber-crime. Cyber insurance policies will provide access to a variety of vendors to mitigate the effects of an attack. Benefits under these policies may include: legal services for advising you through the incident and the handling of any self-reporting obligations; computer forensics or other IT support; enrollment in credit monitoring services for affected persons; and consultations with public relations experts for advce on how best to address the public’s reaction to the event.
Data Breach Plan
As soon as your company notices or suspects that “unauthorized access” (a breach) has occurred, your plan should be ready to execute. A solid response plan will identify a team of selected people that consist of internal employees who oversee information technology, key management personnel, and any external advisors/vendors, such as legal counsel or a more sophisticated IT service provider.
In conjunction with the topics identified above, a company’s response plan should consist of:
- Steps to determine and record details about the breach, including dates of discovery, the manner of discovery, and the nature and scope of data that might have been compromised.
- Instructions to issue immediate instructions that all employees change passwords immediately.
- Locate the applicable cybersecurity insurance policy.Also, have at the ready the names and contact information for the vendors you would prefer to use on this breach response. (Some insurance underwriters will permit policyholders to use their preferred counsel if said counsel has experience with cyber breach responses).
Many states will require notices to be sent to affected persons. Each state may require certain information to be shared. Your counsel should work with your company’s designated response representative to determine whether a report must be made to a particular State Attorney General and what the content of each notice letter to affected persons should include. Be advised that, depending on the nature and scope of the breach, individuals may have private rights of action against your company that may entitle them to actual damages, statutory damages and recovery of attorney fees.
Unfortunately, the risk of cyber-breach is part of doing business in today’s business world. But a company can protect itself and stay ahead of an incident by implementing strong firewall and network security, obtaining and understanding their cyber insurance policy, and having a data breach plan in place before any unauthorized access is discovered.
For answers to any additional questions, contact James O’Connor at email@example.com.