National – and local – news headlines have been filled recently with news of cybersecurity attacks. From phishing schemes to ransomware software, businesses both large and small are under attack. Gone are the days of receiving emails from alleged princes in foreign lands requesting help with inheritances located somewhere in the U.S. As well, a security breach today is more than just a job for the IT department, it can impact a company’s entire workforce and operations.
These recent attacks are sophisticated and hard to detect. Be it a phishing scheme, where an email appears to be from a colleague or a legitimate link in an email that locks down your entire corporate infrastructure, smart companies are falling prey to these attacks every day. These breaches require immediate action. Woods Rogers attorneys believe in a proactive approach to counsel on cybersecurity – it’s not a question of if but when.
In the first precious minutes after you learn of a breach, what should you do?
1. Disconnect. Take steps to address the breach ASAP with your IT department. Your IT team needs to know about the attack immediately so they can take the necessary steps to protect your company’s servers or email system. You want to do as much as possible to ensure the attack does not spread.
2. Form a task force. If you have not already done so, create a team of individuals who can work to address all the necessary components of dealing with an attack. For example, if you have been hit with a phishing scheme where employee W-2 information has been sent outside of the company, your task force might include representatives from accounting, human resources, information technology, your bank, and outside legal counsel. Immediate involvement and direction from outside counsel can help to establish your investigation as falling under the protection of attorney-client privilege.
3. Determine what you need to report and to whom. Notification laws vary based on the nature of the information impacted, the type of business involved (for example whether it is a “covered entity” under HIPAA), the number of individuals impacted, and the location of the breach. In addition all entities, including covered entities under HIPAA, also must comply with state requirements. Virginia, for instance, has enacted Virginia Code Section 18.2-186.6, which requires that a company provide notice to individuals whose private information may have been the subject of a data breach in certain instances and, if it provides such notice to more than 1,000 persons at one time, the company must also notify the Office of the Attorney General and all consumer credit reporting agencies. If personal health information is involved in the breach, then the requirements change. Knowing what to report, and to whom, is not only complicated, but also requires that a company act without unreasonable delay (which can result in fines). Finally, you should also reach out to law enforcement to report the crime so they can also open an investigation into the incident.
Cyber crime is growing. The best way to handle an attempted breach is to be prepared. Establish software systems and firewalls to prevent a breach. Create backup copies in the event you are impacted by a ransomware attack – which can lock up an entire software system with encryption until you pay for a key to unlock it – so you are able to access important information. Have a task force ready to go and run through the protocols of a breach regularly. Finally, train your most important resource – your employees – to be vigilant. This step is the first line of defense you can take to prevent a breach.
Woods Rogers offers training on the legal aspects of cybersecurity and advises companies large and small on privacy and data security issues.