Top 5 Things to Do If You Suspect a Business Data Breach
By Shawn A. Morgan
Are you ready for a data breach? Is your business prepared to address the potential data loss if a hacker infiltrates the network server housing your customers’ personal information?
Read on to learn how to answer the million-dollar questions that will inevitably come your way when a data breach occurs.
Typical Data Breach Scenarios
Businesses must plan ahead to be vigilant for data breach threats. The following scenarios are becoming increasingly common:
- An employee accidentally clicks on a link in an e-mail, introducing malware that paralyzes your computer systems;
- Your CEO responds to an e-mail (she mistakenly believes the CFO sent it) by attaching all of your employees’ W-2s and thereby divulging the information to a thief;
- A hacker sends a bogus e-mail asking your accounting department to change the wiring instructions for payment to an important vendor, and the money disappears after being deposited into a fraudulent bank account;
- Someone pretending to be a company executive calls and asks your accounting department to change the payroll deposit details for the exec, and requires an e-mail confirming the particulars;
- A denial-of-service (DoS) attack prevents customers from accessing your business websites and webpages to place orders for an extended period of time; and
- A disgruntled employee takes confidential data for use in working with or on behalf of a competitor.
How Often Breaches Occur
The U.S. Department of Justice defines a data breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, access for an unauthorized purpose, or other unauthorized access, to data, whether physical or electronic.” Breaches now occur with greater frequency because of our dependence on technology to conduct all aspects of business transactions.
The Privacy Rights Clearinghouse, which has chronicled reported data breaches in the United States for nearly 15 years, details more than 4,500 breaches (involving 816 million individual records) during that time frame. Their incidence has multiplied exponentially—from around 150 in 2005 to more than 1,500 in 2017.
A leading cybersecurity philosophy—assumption of breach—is based on the notion that businesses should assume their databases and systems eventually will be breached, so they must prepare for the eventuality. Responding to suspected data breaches is becoming the new “normal” for American businesses, with most invasions arising from hacking attacks and smaller numbers of incidents caused by employee errors or misconduct.
While the timing of future data breaches remains unknown, their negative impact is clear. In addition to disrupting business operations, breaches can profoundly affect an organization’s reputation and solvency. By extension, they also may gravely affect customers and employees. To address the impacts, each time a suspected breach is identified, executives will need to assess the myriad potential consequences for the business. The five most important considerations include (but aren’t limited to):
- Carefully determining what data is at risk;
- Consulting with information technology (IT) experts;
- Assessing whether to notify insurers;
- Identifying applicable breach notification obligations; and
- Consulting with legal counsel.
1. Determine What Data Is at Risk
First, a business that suspects a breach has occurred must determine what data it holds that’s at risk. Chiefly, that will involve identifying the scope of the possible breach. Does it involve client/customer data, employee data, confidential business data, or some combination of those categories of information?
To confirm the breach’s scope, it will be vitally important for you to review the data map documenting where all company information is housed. You can compare the breach’s scope with the data map to ascertain the full measure of the information at risk.
When doing so, the company should endeavor to identify the potential causes of the suspected breach (e.g., phishing, ransomware, malware, or employee error). You should determine how long the breach has been occurring. You also should carefully document all information about what may have caused or permitted the breach to occur.
2. Consult with an Appropriate IT Expert
Once the scope of a data breach has been determined, your second concern must be to consult with an IT expert about appropriate “next steps.”
If a breach is small in scope, with a finite amount of lost data confirmed, it may be possible for you to work solely with your internal IT staff to isolate and rectify the situation that caused (or allowed) the attack to occur.
On the other hand, if you cannot ascertain the full scope of a breach or it can’t be quickly remedied, you should consider involving an external IT expert. For example, if your computer systems have been frozen because of ransomware, an external IT expert may be necessary to restore and/or replace lost data.
Sometimes, a digital forensics expert may be needed to analyze the data breach’s scope. Other times, such an expert may be needed to prepare a mirror image of a computer hard drive in order to investigate how and when information was downloaded or distributed beyond the business’s network.
Digital forensics experts vary in terms of training and experience. For that reason, you should carefully assess whether the internal or external expert can meet your needs. You shouldn’t hesitate to hire an external expert when the circumstances require it.
3. Consider Notifying Insurance Company
Third, if a data breach occurs, you must promptly decide if insurance notification is required. The decision will be based on factors such as whether (1) your applicable insurance policies provide coverage for that type of loss and (2) the scope of the loss exceeds any deductible or self-insured retention. The considerations are unique to each business and insurance policy, but they can have short-term and long-term financial consequences for your company.
Moreover, it’s vital to understand the time frame within which insurance notifications must be made. Otherwise, applicable coverage could be foreclosed.
4. Identify Applicable Breach Notification Obligations
Fourth, when your business determines a data breach has occurred, it’s paramount you consider how the attack affects your compliance obligations. Specifically, depending on the type of breach, you must be able to verify that you’ve identified, and made timely notifications pursuant to, all applicable breach notification provisions. They include (but aren’t limited to) contracts and vendor agreements as well as federal statutes and regulations, such as:
- HIPAA (health care providers/protected health information);
- Gramm-Leach-Bliley Act (financial institutions/nonpublic personal information);
- FERPA (educational institutions/student records);
- State breach notification laws; and
- International laws, like the European Union’s General Data Protection Regulation, when applicable.
An organization’s failure to abide by the applicable breach notification laws can result in the imposition of significant civil penalties by federal and state governments. Additionally, companies can face potential lawsuits by those affected by a breach.
Such lawsuits could be filed by (or on behalf of) customers, clients, vendors, employees, or shareholders negatively affected by the loss of sensitive data and the untimely notification of a breach. Early and thorough analysis of the issues can help to foreclose potential compliance investigations, audits, and needless litigation.
5. Consult with Legal Counsel for Guidance as Needed
Finally, seeking legal advice about an actual (or suspected) data breach remains critical. You should obtain a lawyer’s opinion if you’re uncertain about your breach notification obligations or whether your planned actions comport with the law. Likewise, you should seek guidance if a dispute arises with an employee, vendor, or party to a contract or if compliance issues pop up.
To help avoid costly litigation and compliance issues, the attorney can review contracts in light of the applicable statutes and regulations and help your business steer clear of pitfalls. The attorney also can assist you with obtaining contract modifications and seeking payment or indemnification in the event of a covered breach, and can advise you on insurance coverage opinions and how to respond to regulatory inquiries about a breach.
Weathering a data breach remains challenging, but thoughtful planning and careful analysis can aid your business in successfully resolving the crisis.
Shawn A. Morgan is an attorney with Steptoe & Johnson PLLC in Bridgeport, West Virginia—and a contributor to West Virginia Employment Law Letter.