This year’s Data Privacy Week theme is Take Control of Your Data. In this blog, Jennifer Hunter provides quick advice on what to do when you lose control…
When a cyber-incident and privacy breach occurs, immediate steps need to be taken to mitigate the potential (and costly) harm that can result. Here is a brief overview and step-by-step guide to managing those first few hours.
Step 1 – Shut it down
As soon as an incident is identified, contact your IT department or service provider so they can take the necessary steps to protect the security of your network from further infiltration and/or compromise. Note that your own internal professionals should not begin an investigation without receiving further advice. The first step is just about turning off or disconnecting devices to “stop the spread.” They will likely also be in the best position to form an initial assessment of the compromise and the extent to which restoration from backups may be possible.
Step 2 – Notify your internal crisis management team
This may be more or less formal and include more or fewer people depending on your organization. Perhaps it is the entire executive team. Maybe it includes all directors, or a select group of managers. Hopefully, there is a predetermined list. The goal here is to notify the people inside the organization who need to know what is going on and take immediate action by managing employees, clients, the public, or others. Ideally, you already have this group identified in preparation for any sort of crisis. These are the team members who will go “all hands on deck” and likely include managers from IT, HR, communications, and accounting/finance. You will communicate or meet with these key individuals regularly in the upcoming days and weeks. Together, you will manage the incident response, develop internal and external communications, contact necessary stakeholders, and weather the storm.
Step 3 – Contact the professionals
This is when you bring in the experts who can help, which should occur within hours of learning of the incident. You will very likely need and benefit from breach counsel (aka cyber and privacy lawyer). This professional will have experience managing cyber incidents and will help guide you through the next steps. They can also provide you and the decision-makers with advice around such issues as reporting to regulators, notifying affected individuals, communicating with law enforcement, making public statements, and responding to the demands of threat actors.
You will also need an IT forensic team to assist with containment, restoration, investigation, and, if needed, negotiation. These professionals bring valuable expertise and experience in responding to cyber-attacks that cannot be matched by your internal staff or regular third-party consultant. The forensic team will almost certainly be familiar with the threat actors and their methods and can provide helpful guidance.
Lastly, and as always, in times of loss, contact your insurer. Whether or not you have a specific cyber policy or other cyber coverage, put your insurer on notice. They will begin working immediately to find out if coverage is available, which can help lessen the financial burden these incidents inevitably bring.
In addition to the above, depending on the size of your organization, you may also consider retaining a public relations or communication firm.
Step 4 – Formulate your message
At the initial stage, you will likely need to communicate with employees, and if services are down, you may also want to make a public statement. Often, websites are not available, but social media accounts are. Keep initial statements brief and factual, without speculating about what may or may not be happening. An early statement might read: “We are experiencing technical difficulties, and all systems are currently down. All locations are closed while we investigate. More information to come.” If possible, have counsel review statements before they are posted. Be prepared when the media contacts you by identifying your spokesperson and ensuring they have a script, which will be updated as the response progresses.
The initial moments of a cyber-attack will be disorienting. Even when an organization is prepared, such events are never expected. It will be most helpful if you can, as quickly as possible, reach out to the individuals who can provide support and guide you through.