My company’s data server was hacked. Now what?

In February 2020, the FBI released the Internet Crime Complaint Center (IC3) 2019 Internet Crime Report. The Report details that, in 2019 alone, the number of cybercrime complaints from individuals and business organizations totaled 467,361 and the total cost of those reported crimes exceeded $3.5 billion [i]. In just the last 2 months, business organizations have relied even more heavily on the strength and security of their networks to support remote working arrangements. This increased usage correlates to increased opportunities for cybercrime [ii].

These bad cyber-actors (or “hackers”) are targeting businesses to obtain any and all information that might have some form of value. It is imperative that companies have a set of steps in place to respond quickly for the sake of those affected and to comply with any and all regulating state or federal authorities, such as any applicable State Attorney General’s offices.

First, determine the nature of the attack. 

For example, a ransomware attack prevents your organization from operating unless and until the hackers receive a demanded sum of money. Failure to pay the ransom may result in an inability to operate a business. A spoofing or spear-phishing attack may be the beginning of a more targeted campaign. This kind of attack may be easily thwarted by simply not opening or responding to a particular email. If your organization has in-house IT personnel, consult them immediately. A primary goal is to determine how this incident occurred so that the breach does not become a continuing problem.

Second, determine the nature of the compromised data.

A bad actor could obtain unauthorized access to your company’s clients or customer contacts, employees’ personal identifying information (such as dates of birth, social security numbers, physical or email addresses), trade secrets and intellectual property, or bank information that could allow a hacker to intercept wire transfers. The specific mitigation strategy will depend on the type and amount of data that has been compromised.

Third, determine if your company has cyber insurance coverage that could assist.

Although these policies are becoming more standardized, coverage benefits still vary greatly and may be tailored to fit the nature of your business or the kind of data you maintain. Standard Commercial General Liability (CGL) policies will likely not provide the coverage or benefits your business will need if it falls victim to a cyber-crime. Cyber insurance policies will provide access to a variety of vendors to mitigate the effects of an attack. Benefits under these policies may include: legal services for advising you through the incident and the handling of any self-reporting obligations; computer forensics or other IT support; enrollment in credit monitoring services for affected persons; and consultations with public relations experts for advice on how best to address the public’s reaction to the event.

Data Breach Plan

As soon as your company notices or suspects that “unauthorized access” (a breach) has occurred, your plan should be ready to execute. A solid response plan will identify a team of selected people consisting of internal employees who oversee information technology, key management personnel, and any external advisors/vendors, such as legal counsel or a more sophisticated IT service provider.

In conjunction with the topics identified above, a company’s response plan should consist of:

  • Steps to determine and record details about the breach, including dates of discovery, the manner of discovery, and the nature and scope of data that might have been compromised.
  • Instructions directing all employees to change their passwords immediately.
  • Steps to locate the applicable cybersecurity insurance policy. Also, have at the ready the names and contact information for the vendors you would prefer to use on this breach response. (Some insurance underwriters will permit policyholders to use their preferred counsel if said counsel has experience with cyber breach responses.)

Many states will require notices to be sent to affected persons. Each state may require certain information to be shared. Your counsel should work with your company’s designated response representative to determine whether a report must be made to a particular State Attorney General and what the content of each notice letter to affected persons should include. Be advised that, depending on the nature and scope of the breach, individuals may have private rights of action against your company that may entitle them to actual damages, statutory damages and recovery of attorney fees.

Unfortunately, the risk of cyber-breach is part of doing business in today’s business world. But a company can protect itself and stay ahead of an incident by implementing strong firewall and network security, obtaining and understanding its cyber insurance policy, and having a data breach plan in place before any unauthorized access is discovered.

For answers to any additional questions, contact James O’Connor at jjo@barrettlaw.com.


[i] https://www.forbes.com/sites/daveywinder/2020/02/13/the-fbi-issues-a-powerful-35-billion-cybercrime-warning/#11af5bf5187f

[ii] https://www.ic3.gov/media/2020/200401.aspx

Barrett McNagny LLP
