Since the global coronavirus (COVID-19) pandemic began, attempted cyberattacks have increased dramatically. It is no longer a question of whether bad actors will target a company; it’s a question of when a cyberattack will occur. Now more than ever, companies must diligently prepare for a cyberincident response. Such preparation can protect a company’s reputation and money, and can prevent or limit liability in litigation or government investigations related to the incident.
- Statutes governing jurisdictions vary in several ways, such as what personal information triggers the statute and the required disclosure timeline. When responding to a cyberincident, companies should first consider in which jurisdictions the incident occurred. In 14 US states, compromising username and password data is enough to trigger the statute. In the United Kingdom, the GDPR requires disclosure when any information that can identify an individual is compromised; however, there is an exemption for lack of harm.
- Many companies are seeking to strategically invest in cybersecurity. The US Department of Justice and the Federal Trade Commission provide insights into key areas where companies should consider spending money to prepare for a cyberincident. Their guidance recommends, among other steps, to identify and secure a company’s “crown jewels,” personal information such as Social Security numbers, employee data, and health data. Protecting this data should be a top priority for companies.
- The NIST Framework was first created to give companies that operate “critical infrastructure” guidance on how to prepare for and respond to cyberincidents. Now, about 60% of US companies turn to this framework, and it is considered the gold standard for a data breach response.
- The California Consumer Privacy Act (CCPA) includes a provision that allows for private action by consumers in relation to data breaches. Plaintiffs will have to show that there was a breach of reasonable care on the part of the company in preventing or responding to a cyberincident. A cyber response will often require a contract review and a review of negligence principles.
- When forming an incident response team, companies should identify individuals from across the organization to play a role in the response; an organization’s legal, communications, and human resources departments all have essential roles to play in a response. Providers outside of the organization, such as outside counsel, a third-party investigator, or a PR agency, also play a role in the response and should be involved in preparing for one. Companies should also consider the basics when preparing for a response: ensuring contact information is up to date and preparing a high-level description of the role each actor will play in the response. This Data Breach Checklist includes more information on key actions companies should take when responding to a cyberincident.