February 13, 2017
By Teru Olsen
As the headlines fill with news of hacks and data breaches, more businesses are starting to realize they, too, may be vulnerable to a cyber-attack. “Denial of Service” attacks, malware infection, and ransomware extortion are terms that until recently would have been given short shrift in a boardroom. Now, not having someone in the boardroom who understands the risks of these attacks could subject your company to liability from customers seeking damages under various breach notification statutes. With the proliferation of the Internet of Things, cheap data storage, and efficient software solutions that allow even small companies to realize the value of personal information, we have seen a corresponding rise in the dark market for transactions in personal data, health records, malware and sophisticated hacking code.
While more and more companies understand the need for defensive strategies, there is a dearth of information about actually responding to a threat after notice of a breach. Your company should have an incident response and digital forensic policy, ready to execute, as part of an overall data policy and procedure strategy. Whether your company does or not, here are some high-level tips and guidance for companies looking to respond to a cyber incident.
1. Identify the Threat and Act. Initial discovery of a cyber threat to your system could come from a number of sources, such as anti-virus software, network monitoring, or an employee who confesses to clicking on a link that locked up the system. At the point of discovery, the IT head in your organization should have the authority to immediately initiate your incident response plan and activate the roles of your incident response team. Understanding the extent of the threat as soon as possible is critical, both to freeze your system’s log information and to determine the level of response. Notice of a threat could turn out to be a simple technological glitch, but if it is a malicious attack, the timing of the response and initial assessment is critical. If your company is unprepared to assess the level of a threat, you may do more harm than good by taking expensive and unnecessary measures that would be avoidable if a response team were in place with clearly communicated and practiced roles.
2. Preserve and Contain. Should an initial assessment discover a real cyber breach, your response plan should escalate in kind to deal with the threat and involve the necessary third parties. If you have the opportunity to stop the bleeding, you may need to isolate and take down various hardware components, identify infected systems and forensically copy them, or abandon the network and restore it from back-ups. If your internal team is unable to carry out these tasks, you should call on previously identified outside forensic incident response experts to step in and execute a response plan. Containing and segregating the affected systems, and preserving the system logs (instead of wiping everything clean and getting a workstation back online), is a material step: it allows forensic analysts and cyber security experts to identify and understand the root cause of the breach, and it preserves evidence for potential litigation.
There are significant costs involved in the collection, containment and preservation of data. However, these up-front costs are worth the investment. Cyber breaches often cause business loss in the form of reputational damage, business interruption, fees for cyber-security professionals, attorneys’ fees, new hardware and software, and higher premiums for a future insurance policy. On the other hand, not being prepared can leave your company in the position of paying off a ransomware hack to restore maliciously encrypted files.
Outside attorneys should be involved at this point in order to counsel the company as to the legal ramifications of the breach, review insurance policies, and direct investigations and interviews under work product and attorney-client protection, so as to segregate regular-course-of-business recovery efforts from preparation for potential litigation. Federal courts have recognized the application of the attorney-client privilege to the latter, but not the former. Use the attorney-client privilege to ensure that the CEO does not have to be deposed about correspondence that could look like a panicked e-mail sent in response to a hack.
3. Business Recovery, Remediation, and Eradication. Bringing your business back online may consist of fixing vulnerabilities identified during the investigation, patching your network’s architecture, blocking suspicious IP addresses, and changing all passwords and codes for network access. This step should be carried out jointly by your internal IT team and outside experts, as there is no single correct solution for prevention in the future. If your investigation turns up suspected criminal behavior, involve your local FBI branch. The FBI can alter your responsibilities under breach notification statutes and provide a potential avenue for quicker remediation, owing to their experience and the possibility that they have encountered the “hacking signature” before.
Your company should execute a communication plan and notify the proper personnel within the organization of the breach. This includes reviewing compliance regulations with outside counsel and preparing notices under the breach notification statutes that may govern your company. Also conduct another round of review of the compromised personal data and any contracts that relate to the data, to ensure that all third-party owners of the data are aware of the breach. Set up and train either company personnel or a vendor to handle the responses you may receive from those affected by the breach, because there are bound to be clients who will want answers about their personal information potentially being made public or sold on the dark market.
4. Act Now and Get a Plan in Place. There are many resources that outline the steps identified above in more detail, such as the U.S. Department of Justice’s April 2015 “Best Practices for Victim Response and Reporting of Cyber Incidents” memo. What is consistent throughout all these resources, though, is the importance of having an incident response plan and team in place before an attack. If your company doesn’t have a plan, or wants to bring its plan up to snuff given the changing laws and regulations, getting a plan in place and reaching out to a network of consultants and cyber security experts will position you to be ready for an attack. Remember, your company has either already been burned by a hack, has been hacked and doesn’t know it yet, or is next in line.
This message has been created by the Litigation Group at Ryan, Swanson & Cleveland, PLLC to advise of recent developments in the law. Because each situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances. Ryan, Swanson & Cleveland, PLLC is a full-service law firm located in Seattle, Washington.