What Colorado Companies Need to Know to Respond to a Data Breach
Responding to a known or potential data breach is a difficult task for any company. It frequently involves conducting an emergency investigation and making difficult decisions based on limited information. Following the below measures will maximize your company’s ability to appropriately respond to the breach and minimize the potential harm.
Identify the Appropriate Internal Incident Response Team Members
If your company has a crisis management team or incident response team, you should mobilize those individuals. If not, at a minimum, the data response team should include the company’s president/CEO, chief legal officer, chief information security officer, head of IT, and chief privacy officer. Depending on the company, other team members can include the chief financial officer and the heads of human resources and communications.
When communicating, team members should avoid company email accounts if there is any indication or belief that those accounts may have been compromised in the data breach. If a hacker has access to a company’s email accounts, he or she can monitor communications to understand how the company is responding to the breach. Team members should consider using text messages, phone calls, or private email addresses to communicate.
Depending on the type of data security incident, it may be necessary to analyze emails, logs, and electronic devices, such as computers, smartphones, tablets, and servers. Preserving this evidence should be a priority. To avoid losing evidence, companies should not turn off computers and, instead, should consider disconnecting them from the company’s network and the internet. If a company has overwriting procedures (e.g., overwriting backup tapes), it should analyze whether those procedures need to be suspended.
Contact an Experienced Data Breach Attorney
An experienced data breach attorney can quarterback your breach response while at the same time cloaking the investigation in the attorney-client privilege and attorney work product doctrine. Experienced data breach attorneys will walk you through every step of the breach response process and ensure your company is complying with its legal responsibilities. They also will be able to refer you to qualified forensic experts and have relationships with the appropriate law enforcement officials. To reach one of our data breach attorneys call our incident response hotline at 888.898.6035.
Retain an External Forensic Expert
Data security events come in many different forms and combinations: ransomware, malware, phishing, and wire fraud, to name a few. You will need to determine what occurred, how it occurred, and what information has been compromised. Depending on the sophistication of the attack and the company’s internal information security capabilities, it may be necessary to retain an external forensic expert to answer these questions. Even if a company has internal information security staff, an external forensic vendor may have access to analytical tools, manpower, and experience handling similar incidents that provide valuable assistance. If the malicious actor is still in your system, an external forensic expert can help eradicate the threat.
Contact Law Enforcement
If you were the victim of ransomware, wire fraud, or another form of theft, you should consult with your attorney to determine how quickly to contact law enforcement. In wire fraud cases, the FBI has means to claw back fraudulent wire transfers if notified immediately. In ransomware cases, the FBI may already have the decryption key or may know from prior experience whether the malicious actor will unlock your system if the ransom is paid.
Secure and Restore
The nature of the security event will dictate the amount of time and effort necessary to get your company’s system secured and functioning again. However, generally speaking, this will need to be a high priority for any company.
Over the past few years more and more companies have purchased insurance to cover the costs of data security events. If your company has such insurance, you or your attorney should contact your insurance broker to determine whether your policy covers your event and, if so, what resources may be available through your insurance carrier.
Determine Whether You Must Notify Your Regulator
A growing number of regulators demand to be notified quickly about a data security event affecting a covered entity. If your company is subject to a regulatory agency, you will want to work with your counsel to ensure that you are complying with your regulator's requirements.
Provide Notice to Business Partners
If the security event affected data that belongs to a business partner, you need to consider whether you are contractually or otherwise legally required to provide notice to that business partner. Experienced data security attorneys can guide you through that process.
Provide Notice to Affected Individuals as Required by Law
Colorado's breach notification statute requires that entities notify individuals if their personal identifying information has been compromised. That law and its requirements are discussed at length in Chapter 1 of the Colorado Privacy & Cybersecurity Handbook. In addition to Colorado, 47 other states have breach notification laws, and HIPAA imposes its own notification requirements. Unfortunately, these laws vary in important respects. The essential takeaway, however, is that if your security incident involved the loss or compromise of private information, you need to consult with a data breach attorney to determine whether you are legally obligated to provide notice to affected individuals.
Provide Notice to Others
Bad news travels fast. You should consider whether you should notify employees, valued clients/customers, and/or important business relations.