LEGAL VIEW: Eight action steps to take when a hacker steals ­company data

James Farwell, Geoff Elkins and Michael Bagneris
BridgeTower Media Newswires

When Sony Pictures and Equifax got hacked, it cost them tens of millions. Sadly, studies indicate over half of companies can expect to be hacked. There is no fool-proof way to stop an incident breach. So what should you do if your company is attacked? You need to be ready on the front end, so that you can respond when the attack occurs. Here are eight broad action steps:

Consult your information security plan. Companies should have in place an information security plan to identify, prevent, detect, respond and recover from hacking attacks. This plan should outline your company's defenses against hackers and provide a blueprint for what to do when you are hacked.

Implement incident response procedures per your information security plan. You need to assemble an incident breach response team before a breach occurs. The team should include key management; your chief security information officer (CISO); IT department heads; physical security department head; public relations experts; and both in-house and outside counsel. Often outside counsel lead the effort in dealing with incident breaches to ensure compliance with governing law and to establish attorney client privilege for the company's response efforts. The faster you act, the better your chances of limiting loss, damage, and legal exposure.

Consult with legal counsel to cover all obligations. Identify your legal and contractual obligations. Depending on what industry you are in, these vary. Regulators often require that you notify them and affected customers on a particular timeline. You face severe penalties for failure to comply.

Determine insurance coverage and contract providers. Meet with your insurance broker and both in-house and outside legal counsel to determine what coverage you have in place and who you have to notify about what. Cyber insurance policies can vary considerably. You need to understand your rights and obligations, including what time limits for discovering an incident apply and how they are triggered. Policies may limit your freedom to select your own attorney, your public relations team, and what insurance will pay for in notifying affected customers and taking remedial steps.

Engage professional forensic investigators to work closely with your IT team. This will enable you to help determine the scope of the breach, the lines of attack and what data was affected. Your IT experts need to move fast when an incident occurs. The ability to figure out how a breach occurred lessens by the minute. You must isolate, preserve and document compromised computer systems and networks to contain the damage.

Notify affected individuals as required by law. Notification can get complicated because you need to have your counsel check the law of each state in which an affected customer resides. Each state has its own law you must comply with and states are not consistent, so be careful.

There is a key exception that can be found in some laws: You may not need to notify if, after a reasonable investigation, you determine there is not a reasonable likelihood of harm to a customer. If you do have to notify, the law prescribes various methods of notification. You must notify in the most expedient time possible and without unreasonable delay.

You need to engage communications and public relations personnel to craft communications and public messaging, and counsel needs to review the messaging and press releases to ensure that these comply with each state law.

Federal laws that govern the health care, financial services and other industries may have their own requirements, including notification to regulators. You need to coordinate closely with counsel in addressing these challenges.

Review the information security plan and identify lessons from the breach. The information security plan should always be reviewed after the company has been hacked. You need to make certain that your information security plan enables you to act quickly, limit damage and provide lessons learned from the attack that will produce a stronger security plan in the future.

Make certain especially where ransomware is involved that you have a plan for resiliency so that an attacker does not shut you down. Hackers are increasingly infiltrating computer systems and networks, injecting malware and encrypting your data unless you pay a ransom. One of the best ways to thwart somebody who holds you ransom is to store a duplicate set of data in a separate, secure location so that you can shut down the system that is being held for ransom and keep operations going by using back up duplicate data.

The threat of cyberattack cannot be eliminated. Being ready for when one does occur can save you a great deal of money.


James Farwell and Geoff Elkins are attorneys with Elkins PLC of New Orleans and have expertise in cybersecurity law. They have co-authored a new book with Virginia Roddy and Yvonne Chalker, "The Architecture of Cybersecurity." Michael Bagneris, former chief judge for the Orleans Civil District Court, is Of Counsel to Elkins PLC for cybersecurity.