By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
Two words typically come up to describe the initial discovery of a cyber data breach and/or incident – panic and confusion. These same words are also, not coincidentally, the endgame for most hackers and cyber criminals. Because while a company may be sounding the alarm over the discovery of smoke inside the tower walls, the fire has likely been raging, with reams of valuable personal information and digital infrastructure having already been siphoned out in less time than it took to read this sentence. And the perpetrator of this chaos is, of course, nowhere to be found, having exited through the digital side portal long before any substantive discovery. Keep in mind, too, that when it comes to digital breaches, seconds may as well be years.
So what is usually step one in the process of digital remediation? Calling IT immediately is a knee-jerk reaction if not a conditioned response. A solid choice and frankly a smart one. There are no better solution-makers at this stage to digitally mortar the point of entry. After all, the pressing goal is to keep additional prying eyes out and any leaking data in. But what about the abrupt aftermath? Is breathing a sigh of relief and just leaving it to IT enough?
Needless to say, there are 24-48 hours post-discovery during which an often overlooked and certainly underacknowledged clock is ticking so loudly that it is time and again barely heard. And the next question still hangs in the air as key decision-makers decide how to move to what is likely step two in the breached company’s digital remediation. In other words, who gets, or at least should get, the very next call?
Legally Technical or Technology Applied to Legal
The expected answer, though commonly not so obvious, is legal. Specifically, businesses are naturally conditioned to think first about their in-house counsel and/or corporate business attorneys. These highly competent attorneys are brought in to sift through what can only be fairly described as a dizzying array of facts that are equal parts legally technical and technology applied to legal. It is essentially the medical equivalent of calling in the corporation’s primary care physician: the one-stop solution for all things law related. Admittedly efficient and effective for a majority of reactive matters affecting the corporation, but candidly not when it comes to acting decisively in and around the all-too-common, ultra-tight margins surrounding data compliance management, breach response, and data regulation/enforcement.
Meanwhile, valuable time is ticking on a clock, and a cyber attorney who regularly practices in this discrete, and often highly technical, area of the law is not considered soon enough, or is not even thought of as part of the team at all, until much later in the digital diagnosis. On the positive side, by the time such a decision is finally made, the damage has a difficult time spreading much further. On the other hand, the legal issues and obligations are by circumstance rapidly compounding with each tick of the clock, patiently waiting to be acknowledged and definitely not going anywhere on their own any time soon.
In order to truly mitigate the fallout from a cyber breach or event, a corporation must think proactively. That means recognizing that today’s digital infrastructures, which are moving at faster and faster speeds, are prime targets for cyber criminals, and further conceding that it is not a matter of “if” but “when” such an event will happen. The ABA seemingly agrees with such an assessment, having issued Formal Opinion 483 (Lawyers’ Obligations After an Electronic Data Breach or Cyberattack) in 2018, where it clearly sets forth, even then, on the first page of its “Introduction” the following: “[T]he data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be.” A hard pill to swallow for sure, but nonetheless a digital, if not financial, truth every corporation must accept.
Time is Flying and the Corporation Needs a Pilot Now
Time is indeed of the essence. No truer phrase is oftentimes spoken at the beginning of remediation post-discovery of a data breach or cyber incident. In fact, varying state laws across the U.S. impose data breach notification obligations. A good number of those states attach an “unreasonable delay” standard when setting forth notice requirements, whereas others attach an additional, more definite time limitation.
Currently, federal laws tend to be industry specific with state laws running parallel and differing in scope and jurisdiction. For example, the U.S. Securities and Exchange Commission (SEC) adopted new rules last year that “will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” More to the point, “[a]n Item 1.05 Form 8-K will generally be due four [4] business days after a registrant determines that a cybersecurity incident is material.”
Another example is New York State’s Information Security Breach and Notification Act, specifically section 899-aa of the General Business Law, where “[a]ny person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.” Such “disclosure shall be made in the most expedient time possible and without unreasonable delay[.]” Furthermore, according to the Office of Information Technology Services pursuant to that same section, “a person or business conducting business must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State’s Division of Consumer Protection.”
For data breaches involving international data, e.g., those corporations doing business across the globe, the EU’s General Data Protection Regulation (GDPR) under Article 33, section 1 unequivocally states where a personal data breach is discovered, “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” The statute goes on to emphasize that “[w]here the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
All of these examples are really the tip of the iceberg when it comes to regulatory compliance and potentially enforcement following a cyber breach. Ultimately, each business organization is unquestionably unique in its needs and structural blueprint and the applicable rules and regulations it must abide by.
IT + Legal: Threading the Needle
The importance of selecting the right pilot to chart the next steps after discovery of a data breach, or what can be objectively characterized as a potentially catastrophic event, cannot be overstated. The Federal Trade Commission (FTC) echoes this importance in a guide it published in 2021 titled “Data Breach Response: A Guide for Business.” In this guide, the agency sets forth the steps a business should take and whom it should contact if personal information may have been exposed or compromised.
First on the FTC’s list is unsurprisingly “secure your operations,” i.e., mobilize quickly to mortar the vulnerability that initially caused the breach. This movement should be immediately followed by activation of the corporation’s breach response team to prevent any further data loss. Once tech has cauterized the point of entry, the corporate entity should “assemble a team of experts to conduct a comprehensive breach response.” The FTC highlights that part of this “assembly” by stressing that a business should include consultation with legal.
As such, and at this critical stage of the remediation cycle, the FTC states specifically that a business “may consider hiring outside legal counsel with privacy and data security expertise.” It attempts to identify to businesses how the strategic use of outside privacy and security counsel from the beginning could bring valuable advice to a fast-moving mobilization “on federal and state laws that may be implicated by a breach.”
All of the above is set forth in the guide even before outlining any of the relatively intuitive subsequent steps in the days and months to follow. For example, fixing vulnerabilities, notifying appropriate parties, and also potentially answering to a regulatory investigation or enforcement action from agencies like the New York State Department of Financial Services (NYDFS) are just some of the heavy challenges confronting a business in the immediate aftermath of a breach.
Also, regulatory compliance is straight up a legal issue, not a tech one. Regulators treat it that way as part of any enforcement actions. So when regulators send notice of an investigation or draw a business into an enforcement action, they will be, and are, directing any demands to legal, not IT. Looking again at the medical equivalency, and taking into account the recommendations of the FTC, getting a cyber attorney onboard quickly who can move with the business from the ER to the ICU to eventual recovery could significantly improve the corporation’s prognosis for a successful remediation down the road.
Conclusion
While a business is dealing with the initial shock of discovery and then bracing for the mitigation of a financial fallout from internal losses and outside liability, it should be acutely aware there is a clock ticking in the corner over the wail of metaphorical fire engine sirens and nervous discussions over what to do, and more importantly who to call, next. Setting IT to the task and then hastily refusing to take any ensuing measures is not a plan. It is never too early though to “assemble a team of experts” pre-breach who can be relied on “to conduct a comprehensive breach response” in the event the unthinkable does occur. The more difficult problems occur immediately post-breach where panic and confusion lead to lapses and inevitably override even the best-intentioned strategies.
In a final medical equivalency example, then, this stage is akin to inflammation following a serious medical event. For years now, researchers have explained this critical bodily response but likewise lament the additional, and obviously unintended, consequential damage it can further cause. Anyone who has endured a minor to moderate sports injury knows the value of ice and the urgency of applying it. Pulling heat away from the site, thereby lowering the temperature of tissues, can in some cases dramatically slow down the process of inflammation and some of its damaging effects. The same principle holds true in a cyber event. Maybe the initial breach is inevitable, but having an assembled response team ready to go could go a long way toward drawing down some of the consequences of such an event, legal or otherwise, and increase the probability of a successful return to a more steady state of business.
Reprinted with permission from the July 2, 2024, issue of the New York Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2024 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.