The Essential 60 Minute GC Computer Intrusion Response Plan
Data breaches are now part of the daily routine. Russia, China, North Korea, the hacker down the block, the disgruntled guy in IT looking for a new job. Forensic experts like to say you either will be, have been, or are currently being hacked.
Yet the best protocol for handling compromise events continues to elude general counsel. A data breach requires the GC to make a series of quick assessments, followed quickly by a coherent initial strategy for the CEO. If you have anticipated the problem and thought through your response in advance, you will be able to give your first briefing to the CEO in about two hours. Approach this the same as any other business continuity problem. By the same token, don’t let it be viewed by the organization as just an IT problem that needs only the attention of the IT Department.
That sounds impossible, but it’s not. After working with companies and organizations on hundreds of data breaches, insider attacks, and attacks from foreign governments and entities, I assure you it is not. Your first report will not be a full response (that may take weeks or months to assemble), but you will be able to give the CEO a meaningful report on:
· The general nature of the attack;
· What your company’s potential information exposure may be;
· What type of internal incident response team you have assembled;
· What your insurance coverage outlook is;
· What your liability and litigation exposure may be;
· Whether or not outside experts need to be brought in and at what cost;
· The results of your first conversation with outside counsel about the legal ramifications;
· Whether the investigation should be (can be) covered by the attorney-client privilege;
· Whether it is appropriate to hire outside forensic assistance to help your internal IT support person or team; and
· Whether it is appropriate to contact law enforcement at some level at this point.
I’ve broken this down to 9 steps. If you are one of those people who need things in groups of 10 then you can add “Step 10: pray.”
With advance planning, every GC can master the first steps of a computer intrusion and avoid that “deer in the headlights” look. Follow these nine steps in the order offered.
Step 1: The Initial Debrief.
This is the initial debriefing from the IT director, the HR director, or whoever presents the problem first. This may also be a vendor, a bank, or a law enforcement officer. Try to get the bad news straight the first time. This is a quick "who, what, where, when, why and how” exercise. Take no more than 10 to 30 minutes with this. Try to determine whether this was a mere ping (a probe) or an actual breach. Get a sense of whether the intrusion is still underway. (This might also be a good time to ask your IT person if there have been other, earlier events he has not mentioned.) The chances are good you are the victim of a phishing compromise, so your IT section will be immediately involved with a tracing challenge to find out who else has been compromised.
A note of caution, especially at this early stage: it is important to avoid turf wars with the IT section. It’s their ballgame at this point and you are there to learn everything they can tell you. This is a “blame free” zone.
Try to determine what was lost or compromised: personal information, trade secrets, credit card numbers, health information, financial information, student information, etc. Get the best possible estimate of the number of records compromised. If a vendor was involved, have someone locate a copy of the vendor contract so you can quickly determine if you have immediate vendor audit rights you can exercise. Did the records involve European nationals? Is the GDPR implicated in your situation?
(I note in passing that all data breaches come to light on Friday afternoon after 3:30 and require follow-up calls by you and members of the incident response team on Saturday and Sunday.)
Step 2: Call outside Cyber Security Counsel.
This is self-serving, but you must quickly contact experienced outside legal counsel. This vetting process needs to be done before the compromise. Choose an attorney who has experience with computer intrusions and who understands the technical, legal and regulatory implications of various types of breaches. Currently, a good working knowledge of the GDPR, of current Computer Fraud and Abuse Act decisions, and of all 50 states’ data privacy laws is critical. Try to find counsel with a conservative, realistic approach to breach notification.
The attorney should have a network of solid forensic firms that can assist you at a cost within your budget. Finally, the attorney should have great current contacts with the FBI and Secret Service Computer Crime Squads. With only a brief overview, the attorney will be able to tell you what to expect.
You will also discuss the applicability of the attorney-client and work-product privileges to this investigation. Note: current case law requires the attorney-client relationship to be established at the earliest possible time.
Outside counsel should be on standby when you meet with the CEO in a couple of hours.
Step 3: Direct IT staff to freeze and/or preserve all internal audit trails including vendor traffic.
This may stop the immediate bleeding of information. It will also document your due-diligence preservation of evidence. Practice this in advance to make sure you know where all critical documents are stored. Internal data mapping, done in advance, enables you and the IT director to know exactly which systems store the critical records and whether they are involved in the breach.
Step 4: Convene a meeting of the Incident Response Team within one hour.
This should not be the first time the Incident Response Team has met. They will have been selected for their positions because of the company's data-mapping exercise. They will also have received training on the company's Incident Response Plan and, hopefully, gone through practice drills involving various potential intrusion and compromise situations.
The Incident Response Team will follow the guidance of the Incident Response Plan, which will include:
· Defining the significance of various incidents;
· Defining which members of the Incident Response Team should be involved;
· Determining reporting responsibility to senior leaders;
· Defining containment strategies;
· Preserving evidence;
· Documenting the incident;
· Identifying forensic analysis of the breach;
· Ensuring business partner compliance evaluation;
· Defining the notification process and timing; and
· Reinforcing remediation and post-incident reviews.
The activities and findings of the team should be closely held and directed by counsel, to preserve the attorney-client and work-product privileges. At a later point, it may be determined that the information gathered includes both privileged and non-privileged information (facts).
The public relations staff should be alerted that an investigation is underway, but they should not be included in the incident response meetings. The goal here is to avoid a public comment that claims no security breach has taken place when, in fact, a major breach is under investigation. Better to say nothing than to accidentally provide misinformation.
As a final note, experience shows the entire Incident Response Team may not be necessary for all intrusion events. Too many cooks can spoil the broth. Not every possible team member will have something relevant to say at all meetings. Focus on getting only the most likely responsible members at the initial meeting. Again, an effective data map will tell you who the right people are.
Step 5: Advise CFO.
The CFO must be alerted so that he or she can immediately keep an eye on all banking activity. Wire transfers should be closely watched, and partner banks should be advised that a compromise has taken place, and that all unusual transfers by size and/or recipient should require specific CFO approval until further notice. The success of a hacker's phishing attacks depends greatly on illegally transferring funds from the victim to overseas accounts and doing so as quickly as possible. If the attack involves the theft of credit card data, you must contact the acquiring bank and start discussing how credit card losses may be minimized.
Step 6: Law Enforcement or Not?
Prior to this incident, and as part of the incident response plan workup, you will have located contact information for the local FBI, the U.S. Secret Service, and a good local forensic examiner. Make sure you have those numbers at hand, but DO NOT CALL THEM YET. Multiple considerations factor into this decision. If this is a financial crime, then the Secret Service would be the logical contact. If it is a Distributed Denial of Service attack or a phishing compromise, then the Incident Response Team and upper management might decide to handle the matter internally.
Step 7: Check insurance coverage.
In the first 30 minutes, you should delegate someone to start pulling your cyber insurance policies, including first-party loss and third-party loss insurance. Check for the following specific insurance coverages:
· Litigation and regulatory costs
· Regulatory response
· Notification costs
· Crisis management
· Credit monitoring
· Medical liability
· Privacy liability
In every case, notify your insurance underwriter the same day that the intrusion/problem is noticed. Document your conversation with the underwriter.
Step 8: Start calculating your intrusion cost tab.
The time and expense put into responding to a security incident have multiple impacts. Keeping track of the money spent responding shows that the company is taking the intrusion seriously and trying to protect compromised consumer information and lost trade-secret information. It shows regulators and state attorneys general that the company was trying to do the right thing by consumers and investors. A documented record of the cost of the intrusion also forms a clear basis for recovering damages from vendors or other organizations if the facts support that type of litigation. It is critical that expense records be maintained from the beginning of the incident.
Step 9: Contact CEO: What you know and what you don’t know
After this 30-minute drill, you will have the information necessary to provide an initial briefing to your CEO about the breach situation. It may be wise to have outside counsel either on the phone or available to help answer questions.
The CEO will want to know how much this breach is likely to cost. The answer depends on what was compromised (trade secrets vs. personal information about consumers and employees), the regulatory agencies involved (the FTC, state privacy officials and AGs), whether the GDPR has been triggered, and the likelihood of litigation. As a rule, the average consolidated cost of lost records in a data breach is $201 per record. (Stated otherwise, 10,000 lost records equal a $2 million loss.) You should tell him that the Incident Response Team has been convened for the apparent crisis. You should get his approval to contact your insurance underwriter and indicate whether the IT staff believes the matter is serious enough to hire outside forensic support. You should be prepared to give him a ballpark figure for the cost of forensic assistance.
Here is what you don’t know:
· How big the breach will become;
· How much the breach will cost;
· Whether one or more of your vendors is involved and/or responsible;
· The exact scope of your insurance coverage;
· Whether breach notification under state laws and the GDPR is required;
· Whether you face litigation for lost third-party trade secrets; and
· Whether law enforcement should be notified.
The investigation, regulatory impact, and potential litigation may continue for years, but following the above nine steps will enable your company to establish that it acted with advance planning and due diligence to start its data breach response immediately.
There is no substitute for preparation. In many places, this article presupposes the existence of at least bare-bones policies: incident response, qualified outside legal counsel, data mapping, insurance coverage and document control systems. Even a little advance planning can be critical here.
William J. Cook (Bill Cook) has provided counselling to the government and private organizations on key, current privacy and security laws, up to and including the EU General Data Protection Regulation (GDPR), for 35 years. In just the past three years he has handled 53 computer intrusion and incident response cases for Fortune 500 companies. He has tried 83 cases as a federal prosecutor and in private practice, and 25 of them have involved computer intrusions, trade secret theft and contractual matters related to computer and telecommunications technology. As a result, he is uniquely qualified to train, manage and organize data privacy and security practices and to work on the remediation, policies and practices that best meet an organization’s information protection needs and respond to cyber challenges.
Both in the government and in private practice, Mr. Cook has counselled organizations on organizational incident response and continuity planning. He has drafted business continuity plans and policies that enable organizations to address challenges from across the threat spectrum.
This article is presented for informational purposes only and is not intended to constitute legal advice.
Copyright 2018 Cook Consulting Group