In our first article, we suggested several practical steps in-house counsel should take in order to enhance their companies’ network security, prepare their companies to respond effectively to a network intrusion and protect their companies from some of the potential legal consequences of an intrusion. No matter how forward-leaning your company is in preventing and preparing for intrusions, however, you are unlikely to be able to stop a persistent, sophisticated intruder from compromising your network.
As Alan Paller, director of research for the SANS Institute (a provider of network security and training certifications) recently observed, “nation-states willing to spend unlimited amounts of money for technology, intelligence gathering and bribery can overcome just about any defense.”
In other words, if the Chinese government targets your company’s network, as it has the networks of many of America’s top companies, it isn’t a question of whether it’ll get in, it’s a question of when it will and how quickly your company will detect it.
Therefore, in this article, we discuss measures you can take immediately after your company discovers an intrusion to limit the resulting legal and reputational risks and recover much of the expense incurred.
1. Initiate your incident response plan (IRP): If you read our first article, you will have developed an IRP and trained your company’s personnel to follow it. That prophylactic investment now pays off—the first thing your company should do upon discovering an intrusion is notify the interdisciplinary team identified in your IRP so they can immediately assume their roles.
2. Engage the right vendors to preserve evidence, conduct forensic analysis, and reclaim your network. Very few companies’ IT departments are equipped to investigate, respond to, remediate and rebuild their network after a sophisticated intrusion. Fortunately, there are a number of vendors that specialize in each of these areas. Hiring the right team of vendors to perform each of these critical functions will help your company stop the bleeding, diagnose the injury and take the right first steps toward recovery.
3. Consider notifying law enforcement: In developing your IRP, you will have established a point of contact with an appropriate law enforcement liaison. Consider the advantages and disadvantages of notifying law enforcement about the intrusion. If you decide in favor of notification (most often the right decision), we recommend that you contact a Federal Bureau of Investigation (FBI) field office for your district. Many field offices have a dedicated cyber squad or cyber task force. The FBI often will provide information or resources helpful in responding to an intrusion and, under federal law, law enforcement has special authorities to monitor the activities of the intruder on your network. 4. Contact insurance carriers and document loss: In developing your IRP, you will have reviewed your company’s insurance policies to identify coverage areas and fill in any gaps. You can protect your company from suffering a big hit to its bottom line by notifying your insurance carriers early and documenting the losses and response costs associated with a computer intrusion so that you can submit them for recovery.
5. Assess legal risks and obligations resulting from intrusion: As part of preparing to effectively respond to a network intrusion, you will have identified protected or sensitive information on your network, considered duties of confidentiality arising out of contract or common law and reviewed your company’s network security policies and practices. You will be well-positioned, as the details of the intrusion become clear, to determine whether and to whom breach notification must be given, to assess potential litigation risks and to suggest steps your company can take to minimize such risks (such as credit monitoring and identity theft insurance).
6. Develop a communications plan: For a company responding to a network intrusion, there is perhaps no decision more consequential than what (if anything) you say about the intrusion to your customers, to government agencies and to the press and public. Your company should develop a comprehensive communications plan immediately upon discovering a network intrusion that separately addresses each of these three audiences, and you should continue to update the plan as your understanding of the intrusion evolves.
Taking these steps immediately upon discovering that your company has been the victim of a network intrusion will ensure an effective response that minimizes loss, maximizes recovery of related expenses and manages the legal and reputational risks resulting from the intrusion.