Who should you call when you suspect, or are certain of, a data breach? Data breaches and other cybersecurity incidents have become a fact of life. Yahoo! recently disclosed that data for over one billion users was compromised in 2013. Hundreds of incidents affecting millions of records were reported in 2016 alone. So when — not if — your company suffers a breach, a prompt and effective response is crucial.
Below I examine who you should call, even if you’re not required to; who you must call, by operation of statute or regulation; and who you can call, if circumstances warrant.
The Experts: Who You Should Call
An effective response requires knowing the extent of the breach: was there actually a breach, and if so, what kind and how much data was compromised? A technical expert who specializes in breach response can help answer this question, and therefore should be one of your first calls. Beyond identifying the scope of the breach, a technical expert can also help identify the cause of the breach, remove that vulnerability, and make your systems more technically secure to safeguard against future breaches. Crucially, these experts should be able to accomplish these tasks in a manner that preserves existing data. Data preservation has practical benefits (such as allowing accurate after-the-fact analysis of the breach), but is also vitally important in the event litigation arises from the breach. A judge or jury could presume that lost evidence is harmful to you — even if it was not intentionally destroyed.
A data breach is likely accompanied by myriad legal ramifications, which is why a call to a legal expert — such as a law firm with breach response experience (Foley Hoag, which maintains an in-house Cybersecurity Incident Response Team, is one of them) — should also be a priority. Most states have mandatory reporting laws, and there are often additional laws (some of which overlap) in play. Beyond identifying the necessary immediate actions, an experienced legal team can help sort through other implications: What is the possible exposure from lawsuits by consumers? Is the cost of the breach covered by any of the company’s insurance? Is there any beneficial non-mandatory notification or reporting that should be done?
Depending on the capabilities of your organization, in-house personnel could perform some of the same functions. But even in large, sophisticated companies, independent technical and legal teams that specialize in incident response can bring unique expertise and a fresh perspective, and thus can prove invaluable.
Mandatory Reporting: Who You Must Call
As discussed above, most U.S. jurisdictions have statutes and regulations that mandate notification and reporting in the event of a breach. Although the details vary from state to state, notification and reporting are generally triggered by the unauthorized use of, or access to, unencrypted personal data (or encrypted data if a third party has potential access to the encryption key): for example, first and last names accompanied by a Social Security number, driver’s license number, bank account information, or credit card number. Other laws may have specialized notification and reporting requirements, such as HIPAA for health data (depending on whether it applies to a particular organization) or EU regulations, if the breach affects EU citizens.
You probably will need a legal expert to determine whether your incident is a breach, whether that breach triggers notification requirements, and, even if there are no legal obligations, whether notification and/or reporting is nevertheless prudent.
The applicable mandatory notification and reporting laws can also carry different requirements. Notification to those whose data was affected is the most common. Certain laws may also necessitate notification of law enforcement (which is normally the state’s Attorney General’s office, although in any particular case notifying the local police department or the FBI might be necessary). Other laws may require reporting to a credit agency (often this depends on how many people are affected). Further complicating matters, the laws often come with strict timing requirements, and late reporting can prove costly.
You might also have contractual reporting requirements, the most common of which is reporting to an insurance carrier. (Failure to report to your insurer probably isn’t a crime, but losing coverage because of not reporting might as well be.)
Further Notification: Who You Could Call (If It Makes Sense)
Apart from assembling your team of experts and issuing the proper notifications, there might be strategic reasons for voluntary reporting to certain groups. For example, you might wish to voluntarily reach out to law enforcement. This could seem contrary to common sense — why would I want to invite the FBI to investigate me and potentially take control of something that has affected my company? — but it could make strategic sense to proactively get out ahead of any issues. Your legal counsel can help you weigh the pros and cons. Similarly, you might want to voluntarily inform consumers, even if you don’t have to. Candor can foster goodwill, and again, having the right story — your story — out first can forestall headaches down the line. Hiring a public relations expert could be important so you can communicate to the broader public, if necessary. Finally, internal communication might be warranted. For example, you might want to develop a policy regarding commenting on the breach and distribute it to employees. An experienced response team can help you analyze your situation and make the right calls.