If you’ve suffered a cybersecurity breach, you’ll need to undergo an investigation. During your investigation, you’ll need to focus on many legal considerations. Your security incident responders will already have some guidance, but, depending on the incident’s size or how heavily regulated your industry is, you’re probably going to want to talk to a lawyer. That lawyer may be an in-house counsel, a third-party breach-and-privacy specialist, or your college buddy who went to law school. No matter whom you choose to speak with, you’ll need to cover the following baseline of topics.
After a security breach, there are PR considerations regarding whom to notify; how and when to notify them; and, possibly, whether or not to notify them at all. Legally, however, you may not have a choice: You might have to notify affected individuals in a certain manner and timeframe.
Entities covered by HIPAA (the Health Insurance Portability and Accountability Act) have a litany of eventualities to consider. Did the breach affect more than 500 people? Are you able to notify them directly via first-class mail? How long do you have to leave a notification of the breach on your website? These are just some examples of questions that may arise; there are many more. I wouldn’t expect you to know all the considerations, which is why it is best to consult legal counsel about victim notification.
Another topic to cover with an attorney is the involvement of law enforcement and other governmental agencies in your breach. Again, in heavily regulated environments, you may be compelled by law to report the incident to a law enforcement entity such as the FBI. Among all the other issues you’re dealing with, you’re not going to want to deal with fines or sanctions because you didn’t make a simple phone call to law enforcement. You may also find that the FBI or the Cybersecurity and Infrastructure Security Agency (CISA) can provide you with support and information that you would not otherwise have access to.
Do you dread the idea of airing your dirty laundry on the 6 o’clock news? It can be much worse for the media to find out on its own than if you had been upfront. Having a lawyer as a dispassionate third party can be helpful in considering what the best course of action may be. Lawyers can also help with identifying the pitfalls and benefits of each direction and provide guidance on how to proceed. Should you decide to involve the media, your lawyer will also be able to help you draft a statement that makes sense. The lawyer can also be your spokesperson and take some of the burden off you during this busy time.
During all these notifications that you may or may not be making, you’re going to want to make sure that someone has your back. Most likely, you were the victim of a crime in this situation, but you may also be liable for damages if your team was not as diligent as it could have been. You want to have someone who knows the law and has your interests in mind during this time: someone you can speak with frankly and who can give it to you straight. It is better to find out in the early stages that you may be liable. This way, you have time to properly plan for how to handle it rather than have it unceremoniously thrust upon you when you least expect it.
These are just a few of the issues that having good legal counsel can help with during your breach. Many, many issues arise during an incident investigation that will be easier to address with the help of an attorney. Lastly, I will leave you with this idea. You do not want to be shopping for your privacy-and-breach specialist attorney amid your investigation. I urge you to start a relationship with someone ahead of time so you have one less thing on your mind during this tumultuous period in the life of your business.