It is a day that virtually every business owner fears, when you receive word from your IT department that your company’s computer system has been hacked. A million thoughts rush through your head, but they all come back to one question: what do I do right now to protect my company, my employees and my customers? The answer may seem daunting, but an answer does exist. This article attempts to provide you with a few of the basics on how to respond to a cyber-attack, focusing on the first step: Establishing your cyber-response team.
The first step to be taken upon learning of a cyber-breach is to understand what happened and what type of breach occurred. For example, is your system being held hostage by Ransomware, or did an employee mistakenly release confidential information? There are a number of common circumstances for cyber-breaches, such as: employee negligence like losing a laptop or flash drive containing personally identifiable information (“PII”) or protected health information (“PHI”); malicious insider behavior, such as the disgruntled or dishonest employee who steals company information to use for some nefarious purpose against the company; and perhaps the most wildly publicized breach as of late, hacking and cybercriminal activity.
In order to understand what happened and how best to react, the initial step is to assemble a team of cybersecurity professionals who can assist with all facets of the cyber-breach. In a perfect world, your company has already established its own cyber-breach response team, but if you have not done so, you will need to hire professionals as soon as possible after learning of the cyber-attack. This means engaging individuals who possess expertise in Information Technology and are experienced in evaluating the severity and scope of a cyber-breach. The cyber-breach needs to be quickly identified, affected systems need to be isolated, defenses to future breaches need to be put in place and steps to retrieve data need to be taken.
Do not attempt to cure the cyber-breach on your own such as by running anti-virus software, as that may cause more harm than good. Cybersecurity response professionals possess unique training and experience that allow them to identify the type of cyber-breach, craft a response to preserve or restore lost data, possibly unlock data that has been “captured” by malware such as a Ransomware attack, and not least of all, preserve the evidence of the cyber-breach, which may become invaluable to the defense of any subsequent litigation that may arise.
It also means consulting with legal counsel to determine what laws and regulations are implicated by the cyber-breach and what type of response is warranted. Depending on the nature of the breach, different state and federal laws could be implicated, which will guide how to respond to insure that the response itself will pass governmental scrutiny. New Jersey law defines a “breach” as occurring when customer’s personal information was or is reasonably believed to have been accessed by an unauthorized person. N.J.S.A. 56:8-163(a). When a breach occurs, New Jersey mandates certain disclosures be made, beginning with contacting the Division of State Police, Department of Law and Public Safety.
However, such disclosures may not be required based on the nature of the breach. For example, what constitutes “accessing” personal information can be affected by the existence of encryption tools that prevent an intruder from opening the data. If the information is encrypted and the encryption key is not accessed during the breach, the data is not accessible under the Statute. Likewise, if the information accessed is not “personal information”, then that determination impacts what, if any, notice is required to be made. Under New Jersey law, “personal Information” means a person’s first and last name along with either a social security number, driver’s license number or state identifier, or account or credit card number in combination with required security access code or password that would permit access to an individual’s financial account. Moreover, even if name and social security number are in separate data sets, a breach can be found to include personal information if the name and social security numbers can be linked together. An attorney familiar with cybersecurity and data privacy can assist you in determining if there was a breach of personal information, thereby improving your chances of satisfying any legal notice requirements.
Engaging your cyber-response team further means involving executives, department heads and human resources to help determine which employees’ and customers’ respective information has been accessed and how to communicate that information to them. In addition to keeping your own employees advised of the breach to insure their own privacy concerns are protected, keep in mind that someone must be prepared to explain to your employees how to respond to inquiries from customers as well. Finally, it may also mean engaging public relations professionals to craft a response to the public, as protecting the company’s reputation in the wake of a cyberattack is critical to the continued survival of any company. A poor response to a question from the media can be as damaging to your company as the cyber-breach itself.
Most business leaders are not adept at addressing cyber-breaches and should therefore rely on the expertise of others to assist them in protecting their companies from cyber-breaches. Plan for the breach before it ever happens and partner with the people who can properly respond on your behalf. Establishing a cyber-response team before any attack ever occurs provides a company with the agility to move quickly should that fateful day arrive.