When customers should be notified of a data breach, how to react if a breach occurs and best practices for preserving data were the topics of a panel at Georgetown Law Center's Cybersecurity Law Institute on Thursday.
“Potential Legal Exposure/Aftermath of a Breach: A Simulation” discussed potential data breach scenarios and how they can best be handled. The moderator of the panel was Kimberly Peretti, a partner at Alston & Bird. Panelists included: Thomas Hibarger, managing director of Stroz Friedberg in Washington, D.C.; Pablo Martinez, managing director of global investigations and cybercrime at Citibank; Joseph Moan, associate general counsel handling employment law and data privacy at Coca-Cola Co.; and Greg Schaffer, CEO of the cybersecurity firm First72 Cyber.
Before a data breach is announced to the public, it is best to make sure that the number of affected users is accurate, said Schaffer; otherwise that number might have to be revised, which can be embarrassing. “It’s not the event that gets you killed,” said Schaffer. “It’s the cover-up that gets you killed.”
Law enforcement might ask that notification be delayed to help the investigation catch the cyber “bad guy” behind the attack, said Martinez, as the incident could potentially be linked to another crime. In the event of a breach, compromised servers should be taken offline and information necessary to the case should be preserved, said Martinez.
In some instances, law enforcement agencies that have good working relationships with outside counsel will use the firm as a point of contact, for example when the firm asks to receive the subpoena instead of its client. In that scenario, law enforcement must receive the information it is requesting in a timely manner, and a forensic report must be prepared by a third party, Martinez said.
When a data breach hits, companies are well-advised to overreact rather than underreact, observed Hibarger.
The panelists each shared three data security tips:
Hibarger: 1) Take a proactive step by creating an incident response plan; 2) have a good information governance policy in place; and 3) make sure that your anti-anxiety medication is up to date, joked Hibarger.
Moan: 1) Have the right data security personnel in place; 2) if a breach occurs, tap the highest-level executives at your organization for a more strategic view of the issues at hand; and 3) get to know government regulators ahead of time.
Martinez: 1) Properly train employees; 2) have a playbook; and 3) make sure that there is an internal communication plan in place before a crisis happens.
Schaffer: 1) Know your data security plan and procedures (so it does not have to be pulled off the shelf in the event of a breach); 2) know your assets (e.g., where your data is and where it flows through an enterprise); and 3) know your vendors (how your data is moving around in the vendor’s system) and acquisitions.