Legal Steps to Take When a New York Company is Hacked
NYC cybersecurity attorneys weigh in
Published October 2, 2019; updated April 1, 2022
These days the “data breach call” has become almost commonplace: You’ve been hacked and customers’ data has been stolen by cybercriminals. So what can companies do to manage the risk?
Planning beforehand often dictates how big the mess might become. Critical decisions and procedures (who gets the first call; who drives the investigation) should already be in place, and well-rehearsed, when the bad news arrives. Figuring out an incident-response plan during the post-hack chaos—sometimes called the “fog of breach”—is just too late.
“A company that has not done numerous tabletop exercises doesn’t have a constantly evolving state-of-the-art team,” warns Lisa Sotto, who chairs the privacy and cybersecurity practice at Hunton Andrews Kurth.
Preparing for a Cyberattack or Security Breach
Tabletop exercises are essentially breach “fire drills” that bring together stakeholders from the tech and legal departments, along with outside cybersecurity experts, to act as the incident response team. But keeping those exercises realistic is a big challenge, says Sotto. Firms have to run the drills repeatedly to find out where things are broken, and to keep their threat intelligence current.
Many critical mistakes are of the bureaucratic kind, she adds, such as out-of-date emergency contact lists. One of Sotto’s biggest pet peeves: 24-hour contacts who don’t have delegates listed for when they are on vacation or otherwise out of reach. Company data breaches have a nasty habit of happening at inconvenient times.
Boris Segalis, who is vice chair of Cooley’s cyber/data/privacy practice, says that, at many firms, IT teams and legal teams are speaking different languages. “When a breach happens,” Segalis says, “IT says, ‘We need to fix it and restart it and keep going because we’re losing $1 million a day.’ The legal department is thinking, ‘If we don’t preserve evidence and investigate which individuals are affected, we might expose ourselves to a $10 million liability risk.’ So it might take five days and cost $5 million, but you avoid that $10 million risk. Once we connect on that level, both groups are on the same page.”
He cites other pitfalls that can hamper recovery. “Mistake No. 1 is that it’s not properly reported within a company,” Segalis says. “It sits somewhere. It percolates. The key issue is the escalation process.”
One big source of trouble in the 2014 Yahoo hack—the largest ever, in terms of number of accounts—was a communication breakdown between the executive and IT teams. When Russians first entered Yahoo systems that December, Yahoo said in an SEC filing, “It is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”
Now What: Steps Business Owners Should Take Immediately
When the red flag goes up, Sotto stresses the importance of getting someone from legal involved, with a clear leader empowered to make quick decisions. An early choice: when and how to bring in an outside cyber-forensic team of security experts. If a firm hopes to retain attorney-client privilege over its investigation, it must hire that team the right way, Sotto says. “Privilege with respect to nonlawyer experts is not always easy to maintain,” she adds.
Sotto also warns businesses to make quick choices about placing legally required holds on communications and other potential evidence after a hack. That can be more complex than it sounds, given realities like encrypted messaging apps and short-term storage policies. Equifax was called out by Congress for failing to preserve evidence after its hack. A Senate report found that, even though a legal hold was placed, some employee instant messages were deleted anyway.
Disclosure might be the trickiest thicket of all. There is pressure to share the bad news with customers as soon as possible, but Sotto advises against going public prematurely. “If you notify within 24 hours, you are criticized,” she says. “If you notify within 24 days, you are criticized. But going out without appropriate information is really problematic. It means you will likely be wrong and have to correct it.”
Even when media pressure forces premature disclosure, it’s best to admit what you don’t know, Segalis adds. Hacked companies have a bad habit of releasing the number of impacted victims, then repeatedly adjusting it—up or down, it doesn’t matter. Each release creates more negative headlines.
“If you don’t know something or you’re not sure, say, ‘I don’t know this,’” says Segalis. “It’s not that hard.”