(Editor’s note: This is the first of a two-part series on business-related cybersecurity issues. See part two here.)
You’re surrounded by family and friends on your birthday, and you’re about to blow out the candles on your cake. Just as you take a deep breath, your cellphone lights up with a text from your information technology guru: “We’ve been hacked!” The urgent message is followed by an uncomfortably long string of “Face Screaming In Fear” emojis.
When a company’s data is compromised, every moment is critical. So the goal is to make your communications rapid and precise. However, long before the emergency takes place, two critical steps must be taken:
• Determine what data your company possesses and how it needs to be protected. Do this by maintaining a detailed inventory and data map of your information; it is far more difficult to protect or recover what you don’t know you have. Work with all departments to track where sensitive data enters and exits your business, where it resides, who has access to it, and what controls are in place to protect it.
• Work with your legal department or counsel to determine which regulations apply to each type of information you possess, and use that analysis to develop response plans that let you recover from a breach expeditiously. Once you know what data you possess, you know how to react if it is compromised.
In terms of internal communications, start by contacting an attorney, preferably one with whom you have an established relationship and who is familiar with cybersecurity and breach response. Involve them in the response process so that no compliance steps are overlooked. The next call should be to a resource with expertise in breach response who can quickly strategize and mobilize to stop the damage, determine what has been compromised, and begin the recovery. While this call may be to your existing IT department or consultant, a cybersecurity specialist possesses a different set of skills than an IT specialist. Although both resources are critically important after a breach, they are more often than not treated as the same. And since the costs of responding to a data breach can quickly add up, take a moment to contact your insurance company to put them on notice of the potential loss and confirm whether you have coverage.
External communications are of vital importance. Your communications team should be ready to work with your legal counsel to contact law enforcement and address any compliance requirements. For example, if you maintain protected health information, specific reporting communications must be made to comply with Health Insurance Portability and Accountability Act privacy regulations. Virtually all types of sensitive data carry compliance requirements, so be sure your company is familiar with the related communication protocols. Also, assign a qualified individual to quarterback all communications with the media. When your data is hacked, efficient communications are critically important. Familiarize yourself with the many communications that will be required and rehearse them so your business has the best chance of quickly and completely recovering from a data breach.
Being prepared is the only way to properly deal with a data breach. Having a plan in place that addresses the communications requirements is critical because failure to communicate is not an option when your company has been hacked.
Brian J. Lamoureux is a partner at Pannone Lopes Devereaux & O’Gara LLC. Kevin Ricci is a director in cybersecurity at Citrin Cooperman.