First steps to take when there's a data breach at your company
Published Mar 16, 2016
Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss the first steps to take when there’s a data breach at your company. The other videos in this 4-part series include: Why companies need a cybersecurity training program; Cybersecurity for middle market companies; and Impact of international privacy laws on U.S. companies.
Bob Braun: In addition to protecting our clients, we're called upon to deal with the issue when they have a breach. So, if there's a breach – if a client says well we think, or we've been told, that our data has been breached – what's the first thing you do, or what's the first thing that you advise that you tell our clients to do?
Michael Gold: The first thing that I advise clients to do is to hire a lawyer. Again, that wasn't the answer you were looking for, right?
Bob Braun: No, that's exactly what I was looking for.
Michael Gold: Okay.
Bob Braun: So why do you tell a client to hire a lawyer?
Michael Gold: The fact of the matter is – and there's really no way of getting around this – anybody who has paid attention to the lurid press coverage of the major data breaches over the last five years has to come to the conclusion that most organizations do not have the first clue about what to do when they think that their systems have been hacked or breached.
So, what really has to happen when there is a reasonable belief that there has been an intrusion by somebody who shouldn't be in the system, is for someone to connect with someone who has been in that space before; who's been through a number of breaches; who knows the steps that need to be taken; knows the kind of stakeholders who need to be involved. This includes lawyers, and I'll get into the lawyer's role in a minute. Outside forensic people who can get into your system to determine what happened and why and what kind of damage needs to be done; crisis public relations people. One of the things we've seen in some of the larger breach responses is public messages that really don't inspire a great deal of confidence. Other steps may need to be taken, depending upon the size and the nature of the breach, the kind of information that may have been lost. Contact needs to be made with law enforcement – sometimes law enforcement at the very highest level. I want to speak briefly about the lawyer's involvement.
Bob, you know you and I use to joke a few years ago about how we will very often be asked questions by clients as if we were engineers. You'll also recall an event where one of the forensic people we work with said, "Would you guys sort of know what engineers know?" Sometimes you're actually mistaken for a systems engineer, and that's why people enjoy working with you.
One of the crucial things about having a lawyer involved is that by training, lawyers are equipped to address problems in a more common, systematic way.
But very crucially, when a lawyer is involved and is essentially the umbrella under which the breach response activities are taking place, there's the opportunity for these activities to be protected by the attorney-client privilege, so that not everything that a company is doing is necessarily going to be subject to public scrutiny. Very often quite a bit of it should not be subject to public scrutiny. There may be internal dialogues going on that really do need to be confidential–not to hide anything from the public–because it really is a matter of a lawyer giving legal advice to his or her client. The same thing goes with communications with law enforcement. These are things that lawyers are far better equipped to do than lay people, even highly-intelligent, highly-trained, very experienced lay people.
Bob Braun: That's something that you and I have discovered, which is there is a general feeling that very often consultants have–that the moment they find that there's been any kind of intrusion in the system, that's something which triggers a public announcement and all of the breach notification requirements–which as you and I know, can be very, very costly. But we've also found that that's not always the case.
Michael Gold: We find that it's typically not the case. I would say probably in the last dozen security incidents we've been involved in, a determination has been made – not only with our involvement but with the involvement of appropriate forensic professionals, computer professionals, system people – that in fact there was no data that was lost. In other words, not every security incident is a data breach, which is associated with the loss of a lot of personal information or personal health information. One of the major mistakes that a lot of companies make is that they start notifying people almost immediately that there's been a breach, when in fact that's really not the right thing to do. Notifying people that there's been a breach when there hasn't been a breach creates some incredibly negative PR. It can wreak some reputational damage on you that was simply unnecessary. And, what it will also do is attract a lot of scrutiny, especially if you're a larger entity, where in fact it may simply not have been necessary. The bottom line is, under the 48 breach notification statutes, data has to be lost. Data has to be stolen, taken or exfiltrated from a system in order for a breach notification to be triggered. And very often, that does not happen.
Bob Braun: There's another side even, when there has been a breach we found that people jump the gun and they notify – they publicize the breach before they really know what has happened. They find that they have to give not one, not two, but three or more notices, which just triples the amount of bad information and creates much less confidence that this company has any ability to control its technology and its information.
Michael Gold: I think one of the worst steps a company can take is prematurely sending out a breach notification, very often with errors, and then having to issue a curative notification. The reputational damage is just enormous. Bob Braun: Mike, coming back to training. If you were to give just one piece of advice to a client on what they and their employees should focus on to try to avoid an infection with malware, what kind of advice would you give? What general statement would you make to them?
Michael Gold: I would give two pieces of advice. Treat passwords very much like underwear: you don't want people to see them, and you should change them often. That's piece of advice number one. Piece of advice number two is to look at the email message carefully before you respond to it; determine whether it's coming from somebody you know or don't know; consider whether the message is unusual; look at the spelling in the "from" line. Is American Express spelled with three s', something that I saw very recently, which was a spear fishing attack? Look before you click.
Bob Braun: And I always tell people that they ought to consider what bad things can happen if I don't click on this link? What bad things can happen if I don't respond to this e-mail? Usually it's not bad.
Michael Gold: Well, this is where you and I differ because I don't think people really think about this.
Bob Braun: I think we both agree that people don't think a lot about this stuff. Thank you. Well listen, it's been a pleasure talking, Mike. I'm sure we will have a chance again as this area changes a lot– we'll have completely new and exciting things to talk about soon.
Michael Gold: I hope so. I'm looking forward to it. Thanks, Bob.