Legal Steps to Take When Your Company is Hacked

Cybersecurity attorneys weigh in

By Bob Sullivan | Reviewed by Canaan Suitt, J.D. | Last updated on August 21, 2023 | Featuring practical insights from contributing attorneys Lisa J. Sotto and Boris Segalis

These days the “data breach call” has become almost commonplace: You’ve been hacked, and customers’ data has been stolen by cybercriminals.

So what can companies do to manage the risk?

Having a Response Plan is Essential

Planning beforehand often dictates how big the mess might become.

Critical decisions and procedures should already be in place and well-rehearsed when the bad news arrives. In particular, you should know the answer to these critical questions:

  • Who gets the first call?
  • Who drives the investigation?

Figuring out an incident-response plan during the post-hack chaos—sometimes called the “fog of breach”—is just too late.

“A company that has not done numerous tabletop exercises doesn’t have a constantly evolving state-of-the-art team,” warns Lisa Sotto, who chairs the privacy and cybersecurity practice at Hunton Andrews Kurth.

Running Drills for Cyberattack and Security Breaches

Tabletop exercises are essentially breach “fire drills” that bring together your incident response team: stakeholders from the tech and legal departments, as well as outside cybersecurity experts.

But keeping those exercises real is a big challenge, says Sotto. Firms have to do fire drills repeatedly to find out where things are broken and to keep threat intelligence current.

Many critical mistakes are of the bureaucratic kind, she adds, such as out-of-date emergency contact lists. One of Sotto’s biggest pet peeves: 24-hour contacts who don’t have delegates listed for when they are on vacation or otherwise out of reach.

Company data breaches have a nasty habit of happening at inconvenient times.

Boris Segalis, who is vice chair of Cooley’s cyber/data/privacy practice, says that, at many firms, IT teams and legal teams are speaking different languages.

“When a breach happens, IT says, ‘We need to fix it and restart it and keep going because we’re losing $1 million a day.’ The legal department is thinking, ‘If we don’t preserve evidence and investigate which individuals are affected, we might expose ourselves to a $10 million liability risk.’ So it might take five days and cost $5 million, but you avoid that $10 million risk. Once we connect on that level, both groups are on the same page.”

He cites other pitfalls that can hamper recovery. “Mistake No. 1 is that it’s not properly reported within a company,” Segalis says. “It sits somewhere. It percolates. The key issue is the escalation process.”

One big source of trouble in the 2014 Yahoo hack was a communication breakdown between the executive and IT teams. When Russians first entered Yahoo systems that December, Yahoo said in an SEC filing, “It is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”

Now What: Steps Business Owners Should Immediately Take

When the red flag goes up, Sotto stresses the importance of getting someone from legal involved, with a clear leader empowered to make quick decisions.

1. Bringing in Outside IT Services

An early choice: when and how to bring in an outside cyber-forensic team of security experts. If a firm hopes to retain attorney-client privilege over its investigation, it must hire that team the right way, Sotto says. “Privilege with respect to nonlawyer experts is not always easy to maintain,” she adds.

2. Deciding Whether to Put Holds on Communications

Sotto also warns businesses to make quick choices about placing legally required holds on communications and other potential evidence after a hack.

That can be more complex than it sounds, given realities like encrypted messaging apps and short-term storage policies. Equifax was called out by Congress for failing to preserve evidence after its hack. A Senate report found that, even though a legal hold was placed, some employee instant messages were deleted anyway.

3. Handling Disclosures with Customers and the Public

Disclosure might be the trickiest thicket of all.

There is pressure to share the bad news with customers as soon as possible, but Sotto advises against going public prematurely. “If you notify within 24 hours, you are criticized,” she says. “If you notify within 24 days, you are criticized. But going out without appropriate information is really problematic. It means you will likely be wrong and have to correct it.”

Even when media pressure forces premature disclosure, it’s best to admit what you don’t know, Segalis adds. Hacked companies have a bad habit of releasing the number of impacted victims, then repeatedly adjusting it—up or down, it doesn’t matter. Each release creates more negative headlines.

“If you don’t know something or you’re not sure, say, ‘I don’t know this,’” says Segalis. “It’s not that hard.”

Find an Attorney Experienced in Data Privacy and Cybersecurity

The bottom line is that if your company has been the victim of a hacker or cybercrime, you need to act quickly and with expert legal guidance.

For legal advice assessing your company’s security vulnerabilities and cyberattack/ransomware response plan, use the Super Lawyers’ directory to find an experienced lawyer in your jurisdiction.

For more information on this area, see our technology transactions overview.
