This is the second in a series of four articles by Strauss Troy about cybersecurity preparedness and response. See Part I here.
A cybersecurity or data breach is a security violation that exposes protected or confidential information to an unauthorized individual or group. As more and more jobs operate in a connected (and sometimes remote) environment, the opportunity for data breaches increases, through both technology vulnerabilities and user behavior.
In the past few years, ransomware incidents have become more common and more destructive. Infiltrators target critical data and can spread ransomware across entire networks, while making recovery more difficult by also deleting system backups. To make matters worse, infiltrators will pressure victims for payment by threatening to release stolen data if they refuse to pay. Publicly naming and shaming victims can be a secondary form of extortion.
As we learned in our last article, if a data breach happens, two of the first things to do are 1) stop the attack and, 2) notify your insurance carrier. It’s critical to detect and eliminate any continued access to the network and learn what data was compromised. The next step—forensics investigation—will impact your company’s required response and potential liability.
Investigating the Breach
Cyber attacks are becoming harder to investigate, thanks to the pandemic. As more businesses have transitioned to remote work or are utilizing these resources more frequently, communications have moved to text, instant messaging like Slack or Teams, and videoconferences like Zoom, Skype, and Teams. This means cloud data is more frequently outside corporate firewalls, limiting ways to access the data for analysis.
After a data breach, and once you’ve identified and eliminated any continued access to your network, it’s time to begin forensics. During the investigation, you’ll need to determine a few things:
- Was data exfiltrated?
- What data was exfiltrated?
- Who is holding your data hostage?
- Is your company able and prepared to pay ransomware?
As you’re considering how to get any data back, do you know the reputation of the infiltrators? Ransomware negotiators exist. These individuals and companies will make direct contact with the attacker and attempt to negotiate the amount demanded for ransom. These negotiators also have means to determine whether the attacker has a reputation for keeping his word. That is, after being paid will he unlock your data and will he not release your data onto the dark web. The FBI also keeps track of how the attacker responded in other known cases.
Remediating and Reporting
As you determine the extent of the attack, you’ll need to begin remediating data and report the breach. While there is no general federal breach notification law, some industries require notification. HIPAA, the Securities & Exchange Commission, and the FTC all have rules requiring notification regarding data breaches. Reporting is also required of attorneys and companies with contractual obligations.
When there’s a breach of personal information, timely notification is required, and a number of people or organizations should be notified: the Attorney General, the affected individual, any relevant consumer reporting agencies. Ohio requires disclosure to residents of any unauthorized access of personal information that is believed to cause a material risk of identity theft or fraud to the resident.
In Ohio, A data breach must be reported no more than 45 days after discovery or after measures to determine the scope of the breach. When reporting, a company will need to explain:
- When the breach happened
- How it was discovered
- What security measures had been in place
- That an investigation was conducted
A company’s response and preparation for a data breach can affect both civil and regulatory liability. A general rule is that identification and disclosure are key to avoiding liability, but lax data security and a lack of quick response to mitigating the damage can increase the risk of liability.
In Part III of this series on cybersecurity, we’ll review the legal implications of data breaches, including civil lawsuits and liability for third party breaches. In Part VI, we will discuss the direct and indirect costs of a data breach to your company. As cybersecurity breaches—and the damage they inflict to businesses—continue to become more commonplace, the cybersecurity services of the attorneys at Strauss Troy can help you prepare for and respond to potential threats.