Preparing for the Inevitable: How to Get Ready for and Respond to a Data Breach
Cyber attacks threaten all businesses and, sooner or later, every business finds itself the victim of one. Responding to a cyber incident quickly and effectively can help businesses avoid substantial fines and litigation. But how do you prepare? By using facts and scenarios from actual cases, and reviewing the latest developments in the law, this course will provide practical advice for attorneys in helping their clients prepare for and respond to a data breach.
Joseph Facciponti: Hello and welcome to Quimbee's online CLE course on "Preparing for the Inevitable, How To Get Ready for and Respond to a Data Breach." Hi, my name is Joseph Facciponti and I'll be presenting this class today. Before we begin, let me tell you a little about myself. I'm a Partner and the Head of Cybersecurity and Data Privacy Practice Group at Murphy & McGonigle, a boutique financial services law firm. I assist clients in responding to data breaches and then improving their cybersecurity compliance programs. Prior to my current role, I served as deputy head of internal investigations at a global financial institution. And prior to that, I was a federal prosecutor for nine years at the US Attorney's Office in Manhattan, where I prosecuted cyber crimes and intellectual property theft cases. I also teach a cyber crime class at Cornell Law School.
Let's start with an introduction to our program. The first thing you need to know is that cyber attacks are inevitable. For the past 25 years, we've been in the grip of a digital revolution that has seen more and more business and everyday activities move from the real brick and mortar world to the online digital world. And just like there have always been bank robbers and shoplifters and catch-me-if-you-can identity thieves and con artists in the real world, there are criminals who perform the same actions in the digital world.
The next basic thing you need to appreciate is that cyber attacks are inevitable. Former FBI Director Robert S. Mueller said in 2012 that "I am convinced that there are only two types of companies, those that have been hacked and those that will be." And even they are converging into one category, companies that have been hacked and will be hacked again. In fact, you probably experience several cyber attacks each day. I, for example, have been getting calls saying that there hasn't been an unauthorized transaction on my Coinbase account, except, of course, I don't have a Coinbase account. And the calls are obviously a phishing attack to get me to reveal my access credentials if I did happen to have a Coinbase account. Similarly, recently I got an email purporting to be from the managing partner of my firm's New York office. But these kinds of attacks are easily handled if you know what to look for. There are more serious threat actors out there, which I'd like to talk about.
And that takes us to our third introductory point, which is that cyber attacks, particularly harmful ransomware attacks, are on the rise. High-profile ransomware attacks, like the attacks on Colonial Pipeline and the major meat processing company JBS USA Holdings, Inc., dominated headlines in 2021 and caused major supply chain disruptions, including temporary gasoline shortages on the East Coast. According to data on suspicious activity reports, which are known as SARs, filed by financial institutions with the Treasury Department's Financial Crimes Enforcement Network, or FinCEN, the number of SARs filed for ransomware attacks in the first half of 2020 was up 30% over the total number of SARs for all of 2020. Similarly, according to the Federal Bureau of Investigation, reported ransomware cases increased by 21% and reported losses increased by 225% between 2019 and 2020.
What's more is that no business is too small to be targeted. If you have money, you can pay a ransom. And the amount of the ransom is often targeted to an amount a small business can pay. I've seen ransom demands for as low as $10,000 or $20,000.
Now, before we move on, let us pause for a minute to talk about what ransomware is if you're not familiar with it already. While it's likely that everyone has heard of ransomware attacks by now, for those that don't know, they are a form of cyber attack in which cyber criminals use an encryption program to encrypt the computer files of all or part of a business's computer network, whether those files are stored on premises, in the business's own facilities, or in the cloud. When successful, a ransomware attack can effectively shut a business down. Think of a hospital without access to any patient records or an online retailer without a website. Many ransomware groups will also steal sensitive data from victims and thereby request a double ransom: one payment to receive the encryption key or decryption program to unlock the files, and another payment for the hackers not to release the files that they stole. The request in ransomware is almost always to be paid in cryptocurrency, such as Bitcoin or so-called privacy coins, such as Monero, which have features in their blockchains that make it harder for law enforcement to trace where the money went.
What's driving the explosion in ransomware? Well, for one, it's become easy and affordable to use and deploy ransomware, which is offered by ransomware developers as MaaS, or malware-as-a-service. For a fee, ransomware developers offer user-friendly services by which hackers can lease ransomware. And then the reason why ransomware is on the rise is that businesses regularly pay the ransoms. It's often the fastest way to get your files back. It's also often covered by insurance. And finally, ransomware groups tend to be reliable in releasing the files after receiving payment. They want to have a good reputation to encourage victims to pay the ransom.
So, at this point, it makes sense to review who are the threat actors and what do they want? Well, the threat actors fall into a few categories based primarily on their motives.
The first is what you might call the state-sponsored actors. They work for nation states. They are well-resourced, sophisticated, can play a long game, and they're focused on the following activities: espionage, the theft of trade secrets, the theft of money, acts of war and destruction, destabilization, misinformation, things that can provide advantage for their nation on the world stage. The nations that are primarily engaged in this are North Korea, Russia, China, Iran, and also the United States.
The next type of threat actor is what I call the for-profit hacker. These hackers are motivated primarily by the opportunity to steal money. Think of them as bank robbers and fraudsters with computers. Most commonly, they are the ones who are trying to steal your identity and raid your bank account. And they're the ones who are using ransomware to extort money out of businesses.
The final group of threat actors are those who are known as hacktivists. These are hackers who have political agendas, or maybe they just seek disruption or intimidation, fame, or what they call the "lols" or laughs. To be honest, we don't see too much of this anymore. This was a big deal around the time of the Arab Spring in 2011 and into 2012. But then that kind of died down after there were a number of takedowns of members of the LulzSec branch of Anonymous, which I had something to do with while I was at the US Attorney's Office. But these things move in cycles. So, I expect to see a wave of hacktivism come back at one point in time in some form or another in the future. It's also important to realize that threat actors can have more than one motive. State assets can moonlight as for-profit hackers, and for-profit hackers can get recruited or coerced to work for nation states and intelligence agencies.
And finally, something else that's important to realize is that many threat actors are not just external hackers, but they could also be a company's own employees. Rogue employees can do a significant amount of damage to companies, and they can fall into any of these three categories that I just described.
Now that I've explained a bit about the background on data breaches and the threat actors responsible for them, let's talk about what you can do to protect yourself or your clients.
So, how do you prepare for a breach? The first thing you need to do is to try to prevent the breach from happening in the first place. You need to have a robust cybersecurity and data privacy program. Robust here doesn't necessarily mean expensive. It means that someone has to put some thought into what your business's risks are and what the best way to address them would be. A robust program, though, often involves the following. The first is written policies and procedures, so that your employees and managers know what is expected of them and they have the protocols to follow in handling incidents and mitigating risks, along with clear reporting lines. The second is understanding what sensitive data and assets you have. In other words, conducting a data mapping exercise. What information or assets does your business have that a hacker might want to steal? And how can you protect it? I've seen clients struck by ransomware attacks that proved to be ineffective because threat actors only encrypted non-essential parts of the client's computer network. That was because their more sensitive servers were segmented and subject to enhanced security.
You also need to conduct threat assessments and audits of your program. This shows you where your vulnerabilities and blind spots are and how you might fix them. Having a solid threat assessment prepared by a reputable cybersecurity vendor is the first step in designing or improving a robust cybersecurity program. You need to have buy-in and oversight from senior management and the board of directors, if you have one, who need to be involved in this process, asking questions and ensuring that your cybersecurity function is appropriately staffed and funded. You also need employee training, because the biggest cybersecurity risk is often human error. It's your employees who are going to click on a corrupted hyperlink or hand over their access credentials to a threat actor. So, provide the training so they know not to do that.
You also need to manage your third-party vendor risk. Like employees, your vendors might already have privileged access to your system, which means that your vendors might be the weakest link in your defenses. Think of the Target breach, where threat actors were able to steal payment card information from millions of Target's customers after they were able to access Target's network through an HVAC vendor, HVAC being heating, vacuuming, and air conditioning. To the best you are able, conduct diligence of your vendors and do not provide them with greater access to your systems beyond what they need to do a job for you.
You also need to segment your network. This goes to what I was saying earlier, to add additional protection to the most sensitive parts of your network, so that if someone were to get access to one part of your network through a vendor or through employee error, for example, they wouldn't be able to access the rest of your network. You need to implement access controls, least privilege, and multifactor authentication. These are basic, cheap, and easy steps for any organization to take to protect itself. Ensure that the only people who have access to sensitive data are the ones who need that access to do their jobs. Ensure that you have access controls in place so that only those persons who are authorized to access your network and data can access your network and data. And add multi-factor authentication or two-factor authentication as a really easy way to protect your network even if one of your employees' passwords is compromised. It goes without saying, but technological solutions such as firewalls, endpoint protection, data loss prevention software, and the like are essential to protecting your network, and you should invest in them.
And finally, you should keep backups of your system and periodically test them to make sure they work. You wouldn't want to try and restore your system after a ransomware attack or some other devastating cyber attack to realize that the backups you had been retaining were corrupted or unusable or otherwise can't be used to easily restore your system.
Why does all of this matter?
Well, having these defenses in place not only prevents cyber attacks, but it's also required by law. Many regulators, such as the Federal Trade Commission, the New York Department of Financial Services, or state attorneys general, or private litigants, such as customers and investors, will look at the robustness of your cybersecurity defenses in assessing whether to impose penalties or seek damages in the wake of a harmful cyber attack. If they find that your company had not done enough to protect itself, you may be singled out for additional liability from these regulators. In addition, many state and many federal laws require that businesses and companies have some measure of cybersecurity defenses in place. Further, it goes without saying that liability might not depend on whether your customers were even harmed by the incident.
So, typically, after there's been a data breach and your customers' personal information or bank account information or something along those lines was stolen, you might get sued by those customers, claiming that they were harmed by that. If they can prove actual damages, that someone stole money from them and they didn't get it back, then they would have a valid claim to go forward without litigation. Oftentimes, though, they stumble in federal litigation because they have a hard time proving that they actually were harmed by the breach. Many judges have thrown out these cases, saying that just because somebody took their personal information doesn't mean they've actually suffered an injury in fact such that they can get into federal court to bring a lawsuit. That's all fine and good for businesses.
But a number of states, including California, are enacting laws that contain private rights of action for cybersecurity or privacy-related issues. And those private rights of action have statutory damages penalties, which do not require that a customer prove that they were harmed. So, under the California Consumer Privacy Act, a private right of action is allowed for data breaches where a business cannot show that it had a reasonable cybersecurity program, and customers can collect statutory damages between $100 and $750 per customer per incident for California residents whose data was affected by a data breach. So, if a business in California had a data breach involving 100,000 customers, they could be liable for as much as $75 million in damages even if none of those customers could prove that they were actually harmed by the breach.
Another example of how not having a robust cybersecurity program in place can get you in trouble is recent guidance issued by the Treasury Department's Office of Foreign Assets Control, OFAC. OFAC is responsible for overseeing United States sanctions programs. If you wire money to Iran or North Korea, you're violating, in most instances, US law. OFAC also publishes lists of individuals and entities, and also Bitcoin wallets, that are on its sanctions lists. And if you wire money or transfer money to them, you are also violating the law. Civil penalties by OFAC are strict liability, meaning that you don't necessarily need to know that you're wiring the money to somebody who you shouldn't be wiring the money to. Why does this apply to cybersecurity and data breaches? Well, if you pay a ransom to a threat actor that is on one of OFAC's sanctions lists, you're breaking the law, and you could be held liable for that even if you didn't know that the person was on the sanctions list. OFAC has said that it would consider the strength of a business's cybersecurity program in determining whether to impose a penalty in that instance. The thinking behind OFAC's statement is that a business that fails to invest in its cybersecurity program and just reasons that if it's hit with a ransomware attack, it will just pay the ransom regardless of who is responsible for the ransomware attack, is inviting trouble and therefore would not get credit for being a victim in that instance. And it would potentially be sanctioned by OFAC and have to pay a fine.
So, it's important that you have a robust cybersecurity program. But it's not the only way you need to protect yourself prior to a data breach.
Another way to protect yourself is to buy cyber insurance for your business. It's important here, however, that you read the fine print on the policy and understand what is covered and what is not. And also understand that insurance companies can provide resources to assist you with your cybersecurity program and can provide vendors to help you investigate and recover from an attack. Another important part of preparing for a cyber attack is having what's known as an incident response plan or IRP.
What is an IRP? An incident response plan is a written document that details a business's plan for responding to a cyber attack. An IRP helps companies evaluate whether a cyber event requires a response, how to escalate and report the events, who should respond and how, the kind of things you don't want to be figuring out while you're in the middle of responding to an attack.
Why is it a good idea to have an IRP? Companies tend to respond better to cyber attacks if they have an incident response plan. And they also may be required by law. For example, the New York Department of Financial Services, which is a banking and insurance regulator in New York State, requires the entities that it regulates to have IRPs.
So, what are some of the essential components of an incident response plan? Well, typically they'll contain information on how staff should assess the severity of an incident. Is this even an incident that's worth escalating, for example, or is it something that can be handled by the IT team? And it identifies the members of the incident response team and how to reach them in an emergency, particularly if the company's email or communications aren't available due to an attack, for example, a ransomware attack. It details protocols for responding to particular types of incidents, because how you respond to a business email compromise, where hackers send you a fraudulent email to get you to wire money someplace or take control of one of your employees' email accounts, will be different from how you respond to a compromise of your customer database and theft of customer information. The incident response plan will also help you identify insurance contacts at your insurer, so you can invoke coverage. And it will also identify essential vendors to aid in the cyber investigation and mitigation efforts.
Who should be part of an incident response team? Well, that depends on your organization and how big it is. But typically, depending on the severity of the breach, it includes the CISO or chief information security officer, if you have one, IT staff, your information security department, and senior people in risk, compliance, and legal. I've seen CFOs, chief financial officers, included on IRPs, and public and investor relations, if you're a public company and might have to make a public announcement regarding the breach. These are all people and functions who are typically involved in incident response plans.
Should you have IRPs for particular types of incidents? Well, if you're a large company, you probably should. You should probably have gamed out what you would do in response to various cyber scenarios in advance. But if you're a smaller company, having a general incident response plan may be sufficient for you.
Another thing to consider planning out in an incident response plan is how you handle third-party breaches. Suppose you rely on a vendor to provide payment processing for you or to manage your customer management system and they get breached. What do you do then? It's not a breach of your system, but it affects your business. That could be mapped out in an incident response plan as well.
Once you have an incident response plan in place, you'll need to practice by conducting what's known as a tabletop exercise with the key participants identified in the plan. This can be conducted in-house, this can be conducted by external vendors or with the assistance of counsel, but it gives you an opportunity to conduct a dry run of a potential incident and builds muscle memory for key team members of issues to watch for. Particularly if they're not familiar with the ins and outs of the cybersecurity world, this is a good introduction to get them thinking about how they would respond if there was really an incident and to understand what role they would play on the incident response team. So, those are things you can do and steps you can take to prepare yourself for a data breach or cybersecurity incident. The more you plan and the more preparation you put in, and the more you defend your business, the less likely it will be that you'll suffer a devastating cybersecurity incident.
But as I said before, being the victim of cyber attacks is inevitable and is part of the cost of doing business in a modern digital world. So, now let's assume that an incident has happened. How do you respond? The first thing you need to understand is that you might not know an incident is even happening. And if you do know an incident is happening, you might not know what your legal obligations are with respect to what has happened.
So, let's review three scenarios quickly.
You arrive at work one morning and your computer will not connect to the network. Your chief information security officer or CISO calls you on your personal cell phone and says there has been a ransomware attack and the threat actors are demanding a ransom payment in Bitcoin. Obviously this is a situation in which you know that you have been the victim of a cyber attack. That much is clear. But as for the full extent of the ransomware attack, did the hackers do anything else to your system before they encrypted it? Did they steal any sensitive data, for example? And if they did steal sensitive data, sensitive customer data, sensitive personal information, do you have to notify your customers or any regulators? And if so, what do you say? Do you have to tell them that their personal data has been compromised, which may require formal notice under state data breach notification laws? Or do you mainly have to tell them that your system is down because of a cyber incident? Or do you have to say anything at all if the ransomware attack did not involve access to any personal data? So, even when the situation is obvious that you've been the victim of a breach, you still need to dig deeper to understand what might've happened and what your obligations are.
So, let's take that same scenario that you're the victim of a ransomware attack, except now the threat actors are also demanding an additional payment for them to delete data they claim to have stolen from your system. So, again, yes, this is an obvious cyber incident. And now in addition to dealing with the ransomware, you have to consider what data the threat actors might've stolen and what that might mean in terms of notifying your customers, employees, and regulators. Or it could be that the threat actors are just lying to get more money from you.
And finally, let's say you arrive at work one morning and you learn that your payment card processor (say you're an online retailer, for example) says that a bank has identified your business as a potential common point of purchase for payment cards, so credit and debit cards, that have been compromised. What is a common point of purchase? Well, it typically means that banks, when they notice a pattern of compromised credit cards, will do a review of their accounts, and they might identify that all of, say, a particular batch of credit cards that have been compromised all made transactions at one particular retailer in the months prior to when they were compromised. And so, the banks may think, well, perhaps there was a compromise at that particular retailer, and that's how the threat actors got ahold of those credit cards. So, you retain a forensic vendor to review your network, and they find vulnerabilities, but no evidence that any payment card data was actually compromised. Is this actually a data breach? You'd be surprised at how many breach investigations yield inconclusive results. You have some indication that something might've gone wrong or maybe something was stolen, but you can't say for certain. You're confident that you can fix any vulnerabilities in your system that might've been identified through any investigation. But what, if anything, do you have to tell anybody, recognizing that there's potential liability for getting the answer to that question wrong?
So, what do you do? Well, we can start by looking at some examples of how the law defines data breaches. I'll take an example, I'll take two, I'll take a couple of examples here.
We'll start with Europe's General Data Protection Regulation. If you work at all in the cybersecurity or data privacy space, you've heard of this law. It's a law that applies to all EU member states and also the United Kingdom, which adopted it into its national law before Brexit. And it defines a personal data breach as applying to personal data, which is any information that could be used to identify a natural person: a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. That's how it defines data breach.
The New York Department of Financial Services, which I mentioned earlier, has cybersecurity rules that apply to banks and insurance companies that are licensed by the New York DFS to do business in New York, and it defines cybersecurity breaches differently. Cybersecurity events for the New York DFS don't just apply to personal data. A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such information system. In other words, any attempt to get access to your system, or to disrupt or misuse your system, even if unsuccessful, could be considered a cybersecurity event.
Colorado's data breach notification law, one of the laws that are in effect in all 50 states, plus the District of Columbia, plus certain US territories, which vary state by state and which we'll talk about in a little bit, defines data breach as an unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. So, Colorado again, like the GDPR, is dealing with personal information, but unencrypted personal information, and when the breach compromises the security, confidentiality, or integrity of that information. So, you need to know the definition of data breach to sometimes help you decide if the situation you're facing is covered by these laws and therefore invokes your obligations under those laws to tell people that you have suffered a breach.
If you have an incident response plan, it should help provide criteria in determining whether to activate your incident response team and alert senior management and whether you have obligations to make any notice to anybody. But the bottom line here is that you often cannot determine the legal consequences of a breach, or even if a breach occurred until you have conducted a full investigation of the matter.
So, let's talk about conducting investigations into potential cyber incidents.
Well, the first and one of the most consequential decisions you can make is not the most obvious one. But the first decision you really need to make is whether you want to conduct the investigation into the data breach under legal privilege. Remember, legal privilege, whether it's the attorney-client communication privilege or the attorney work product privilege, can't shield the facts of what happened from civil litigants or regulators. But if you're concerned that this is the kind of breach that might lead to liability for your company, you may be sued, and you may have regulators investigate you, and you may be asked to turn over information about the investigation and the breach. And while you will be required to disclose things like server access logs and information about databases that were compromised and things of that nature, privilege can protect the kinds of heated, frantic communications between members of the incident response team that could be fodder and potentially problematic for the company if disclosed to an adversary in litigation or a government body. And legal privilege can also protect any reports of the incident prepared internally or by an external vendor, which might detail security vulnerabilities and potential missteps of the company. But the privilege has to be properly invoked and maintained.
What are the best ways to maintain privilege?
First, external or in-house counsel must lead the investigation. And that's because, for the investigation to be covered by the attorney-client privilege, the investigation must be conducted for the purpose of gathering facts to allow counsel to provide legal advice to the company. Typically, when folks are trying to triage a situation and trying to figure out what happened, the IT staff and the CISO may not want to have an investigation nominally led by counsel. But if you want to maintain privilege, it has to be. Any vendors, such as cybersecurity forensic vendors, forensic accountants, et cetera, who are retained should be retained by counsel and not the business. And the engagement letters should reflect that the vendors are being retained by counsel so that they can do work in the service of allowing counsel to provide legal advice to their clients.
The investigation team must also be kept small and only include those with a need to know. If information concerning the investigation is disseminated widely within the company or even outside the company, there's a possibility that it will breach privilege and the privilege will be waived. Communications between members of the incident response team should be marked appropriately. They should be marked privileged and confidential, just so they can be flagged later on, in case there's a request for them to be produced, and you can know that these should be treated as privileged. Any written reports should not be shared widely outside the investigative team, again so that there's no chance that any privilege claim over the reports can be waived. And special care must be taken in sharing facts from the investigation with third parties, such as regulators, customers, and investors, so that privilege is not waived. I say this, but the reality is that at the end of the day, you can follow these steps and a court can still potentially find that your investigation was not privileged. But if you follow these steps, you'll be in the best position to protect the privilege over your investigation.
In the Capital One data breach, which happened a few years ago, a court found that the investigative report for that breach was not privileged and ordered the bank to turn it over to the plaintiffs' lawyers that were suing the bank over the data breach. A couple of things that they noted were that initially, lawyers were not involved in the investigation, and the external vendors were paid not out of the bank's legal budget but out of a different budget. And they found that as a result, it did not appear that the investigation was initially occurring so that counsel could provide legal advice to the company, among other things.
So, let's say you've taken now all the steps to preserve privilege, and you have your investigative team in place.
What do you need to do next? You need to preserve evidence. You need to make forensic copies of any affected servers. And note, and this is something that should be done before a breach ever happens, make sure appropriate logging was enabled on those servers. I've seen data breach investigations where the company was never able to figure out what happened because logging had not been enabled on certain servers, so it was unclear whether any outside parties had ever accessed them. So, make forensic copies of the affected servers and any logs. Distribute a legal hold notice to your company and any people who might have information related to the breach. For those of you not familiar, a legal hold is simply a memo or an email or a notice that gets sent out by a company's legal department or external counsel, which instructs staff who receive it to preserve their records and not delete anything that's related to the investigation that's being conducted. The company should also suspend document retention policies and automated purges of backups, logs, and data. I once saw a business nearly lose evidence of a data breach because the logs that contained that evidence were slated to be deleted by a 30-day retention policy. But they were retrieved just, I think, on the 29th day before they were going to be deleted. And document the timeline of events and keep records of the investigatory steps taken so that you can show later that you did a thorough investigation of this matter, particularly if you end up concluding that nothing happened, or that the evidence is insufficient to say that something happened.
Do you have to take any special steps in dealing with a ransomware attack? Yes.
First, as I said earlier, do you have backups from which to restore your network? If so, how long would it take to restore your network from the backups versus paying the ransom? How important is it for you to have your network restored? Is this a low-level server for a website that's not used particularly frequently and not important to the business? Or are these servers for an online retailer during the holiday shopping season, where every hour they're down costs millions of dollars? If you can take the time to restore your system from your backups, it's obviously the ideal way to do it because it saves you money and also doesn't make ransomware profitable for the ransomware attackers. But the reality is that most businesses end up paying the ransom because that's the quickest way to restore their network.
So, if you go in to pay the ransom, you have to answer the question: do the threat actors or malware appear to be associated with any known ransomware criminal organizations? And if so, what is their reputation for actually delivering the key to decrypt your system if you pay? As I said, some ransomware organizations want to have a good reputation for honoring payment by providing a decrypter, but some are less trustworthy, if you can call them that, and won't give you the key even if you do pay them. Another thing you need to determine is whether the ransomware group, the crypto wallet that they provided, or the nation state they may be from, if you can determine that, are on any OFAC sanctions lists. As I said earlier, getting this wrong can result in liability from OFAC for a sanctions violation. Another thing to consider is, have the ransomware actors threatened to release any stolen data? Have they claimed to have stolen any data? What you might wanna do when you negotiate with them is ask them to provide a sample of the data they've stolen so that you have some assurance that they actually have stolen data and you're not paying them for no reason.
And then finally, do you have cryptocurrency to provide to them? Like I said, payment of ransom for ransomware is inevitably requested in cryptocurrency. But most businesses, especially most small businesses, are not going to have Bitcoin or Monero at the ready to pay a ransom. So, what about one of your cybersecurity vendors? Can they provide that service for you? Can your insurance company assist with that? Can the insurance company suggest a vendor who can help with the payment? After you pay the ransom, and assuming the actors provide you with the decrypter to decrypt your files and get your system back online, you're going to wanna do a thorough review of your system to see what you can find out about what the threat actors did in your system. How they got access, number one, and what they did once they did get access. Did they simply immediately download the ransomware onto your system and go about encrypting your system? Or did they poke around and steal anything? And can you find any evidence that they stole anything? Because if they did, then as I said before, you might have to make notice to people who were affected by that.
Another issue that you'll have to address when responding to a data breach is whether to notify law enforcement. And I've spoken before about making notice to customers and to regulators. But notifying law enforcement is different. It's not like notifying customers or regulators. You typically have absolutely no duty to notify law enforcement of anything. But there might be some advantages in doing so. And you should consider the following.
First, typically it's a good look for your business. It shows that you are taking the incident seriously. If you have to later issue a press release about the breach, you can put in the press release that you've contacted the FBI and they're investigating, or something along those lines. It's also the right thing to do because it helps law enforcement track down and find the people who are responsible for cyber crime.
On the other hand, quite frankly, law enforcement is very busy with cyber cases. So, unless your breach involves millions of dollars in losses, or has unique and significant issues associated with it, you likely won't get personal attention from them. But you can still report the breach to law enforcement, typically through the FBI's Internet Crime Complaint Center, or IC3, internet portal. And you can also try reporting it to local law enforcement if they have cybersecurity capacity. For example, the New York County District Attorney's Office has a whole cyber crime bureau that's dedicated to investigating and prosecuting cyber crimes. What will happen with the information you share with law enforcement?
Some businesses are worried that they'll be investigated by law enforcement for having lax cybersecurity, just like they might be investigated by a state attorney general or the SEC or the Federal Trade Commission. But the Department of Justice's position has always been to treat the victim of a cyber attack as a victim. And they typically won't share the information you provide to them with other regulators. They want to encourage you to report cyber attacks to them. So, they're not gonna turn it around and provide information to the SEC, which, if you're a broker-dealer or investment adviser, will then turn around and investigate you for having lax cybersecurity protocols. And also, the information you provide to law enforcement, if it's pursuant to a grand jury subpoena, would be subject to grand jury secrecy. And they may not be able to share it easily with other regulators.
Will law enforcement nonetheless publicize your breach, and how will they shield your confidential information? Well, typically law enforcement is not gonna publicize your breach right away, but there may come a time, if they do identify the threat actors involved and they prosecute them, when a public indictment or public complaint will be filed. And typically what they'll do, if you particularly ask them, is obfuscate the name. So, if you're a bank, they'll call you Financial Institution One. Or if you're a company, they'll just call you Company One or Victim One in their documents. But if there's ever a public trial, then yes, information about the breach at your company will come out at that public trial. So, there is some possibility that if you go to law enforcement, your breach will ultimately get publicized. Who controls the investigation? Well, if you go to law enforcement, law enforcement controls the investigation. They're not external counsel. You don't control them. And when they do share information, the information sharing will be one-sided. You'll share information with them, but they will not be at liberty to tell you everything that they're learning in the investigation.
So, now let's say your investigation is finished and you need to decide if you must make any data breach notifications.
First, what laws apply to your business? Do any foreign laws apply? And before you say, "No, my business operates entirely within the United States," okay, does it have any Canadian customers? Or does it have any customers based in the European Union? Because foreign countries have their own data privacy and data protection laws. And some of them contain data breach notification provisions. And so, going back to the GDPR, which I mentioned earlier, it has a territorial scope that includes businesses that do not have operations in a European Union member state, if they solicit business from European data subjects or monitor the behavior of people in Europe.
So, even if your business is based entirely in the US, if you solicit sales from EU-based folks, or you monitor their behavior through, say, a tracking cookie, you are subject to the GDPR. And the GDPR has data breach notification rules. As I mentioned earlier, all 50 states, the District of Columbia, Puerto Rico, and several other US territories have data breach notification laws. Now, they vary among each state in terms of how they define a breach and how they define data that's covered by the law. Typically, it's name plus account number, Social Security number, passport number, or driver's license number. Some states cover biometric data and health information, and some states cover usernames and passwords or security questions and answers.
They also vary in the deadlines by which a business must make disclosure and in the additional parties to which disclosure must be made beyond the customers themselves: state attorneys general, state police or other state agencies, and consumer credit bureaus. Other regulators such as the New York DFS have their own breach notification obligations, as does the Health and Human Services Department, if HIPAA applies to your business. And just because you have personal health information doesn't mean that HIPAA applies. So, you need to double-check that. If you are a publicly traded company, in the sense that you issue securities that are traded in the United States, you might have a duty to disclose any material cybersecurity and data privacy risks, and any material cybersecurity and data privacy incidents, to the investing public. And I note that Facebook, for example, was fined $100 million by the SEC for allegedly making misleading public statements in connection with the Cambridge Analytica scandal. And if you remember that scandal, Facebook was ultimately fined $5 billion by the Federal Trade Commission for the actual privacy breach. But the SEC, the Securities and Exchange Commission, fined Facebook an additional $100 million for misleading the investing public about the nature of the privacy breach.
So, if you are a publicly traded company, you might have to make a disclosure to the public as well. What are the deadlines to make these disclosures? Well, some laws like the GDPR and the New York DFS rules have a very strict 72-hour notice period. And for most of these deadlines, the 72 hours runs from when you know you've had a breach. And as I said before, you often don't know right away if you have a breach. Sometimes you need to do an investigation. So, it's 72 hours from the time that you figure out that you actually have a breach. US state data breach notification laws vary from a minimum of 30 days to no set deadline. But generally, it's as soon as practicable and without undue delay. As for the contents of the notice to customers, well, you have to provide a description of what happened, the timing of when the breach happened and was discovered, a description of the data that was compromised, the business's contact information so customers can get more information, information about protecting the customer's identity, and the contact info of regulators and credit reporting agencies.
And I keep mentioning customers, because that's usually the most typical scenario. But it applies to any personal information that a business has. So if your employees' information was stolen, you need to make notice to them. If other personal information that you have for people who aren't customers gets stolen, then you have to make notice to them as well. And in the contents of the notice to the customers, to the entity and the individuals, you also have to provide contact information of regulators and credit reporting agencies. There are a couple of methods of making notice to customers. Typically, these laws provide that you can make notice by mail, notice by telephone, notice by email in certain circumstances, and also by posting a notice on your website, again, in certain circumstances.
Now, again, when you're making notice, this is another place where an incident response plan will come in handy. Because if your data breach involves a very large number of individuals to whom you have to make notice, you're not gonna be able to do that within the 30-day period, to assemble thousands and thousands of letters that need to be mailed, or even to create an email to send to all those folks. It's gonna take a long time. And you may need to retain a company that can help you make notice to your customers. That's also something that should be in your incident response plan. It would be helpful if you had that there. So, keep in mind that if you get to the point where you think you're going to have to make notice under the state data breach notification laws, you're gonna have to start planning immediately to make that notice, if it seems like a sizeable number of folks are compromised.
Also keep in mind that because the standards by which every state measures what a data breach is and what information is covered by a breach vary from state to state, certain data breaches may trigger an obligation to make notice in some states, but not others. And you may be confronted with a situation in which you don't have to make notice in all states in which affected individuals live. Typically, what I advise is that if you're going to make notice to some of your customers, you might as well make notice to all of your customers who are affected by that breach, simply because you're going to be asking for trouble when the customers who were not given notice sue you for not having disclosed to them that they had been the victim of a data breach. Because once you do make notice, as I said, you also sometimes have to make notice to state attorneys general. Again, each state varies widely on whether you have to make notice to the state attorney general, or whether a certain threshold needs to be met, say more than 100 individuals in that state or 1,000 individuals in that state, before you have to make notice to the attorney general. Some attorneys general, however, will post your data breach notification online, which is where plaintiffs' lawyers can get their hands on it and turn it into a complaint to sue you for not having proper cybersecurity systems in place. So, keep in mind, once you make notice to the public, it's gonna be posted online. And you may even have to post it on your website as well. And that's typically a good practice.
Once you do make notice to state attorneys general, you should expect that at least some of them are going to follow up with additional questions for you. Now, most state attorneys general don't have a robust cybersecurity department within their organization that will follow up with every single data breach notice that they receive. But there almost always are questions. They may have questions about how you learned of the breach. They may have questions about how long it took you to conduct your investigation. They may think you took too long to conduct the investigation. They may have questions about when you officially determined that a breach had occurred and whether that complied with the state's timeline for making notice to customers or to the attorney general. You should expect that you may be subject to regulatory investigations as a result of making notice. In most instances, though, they don't amount to anything. In some instances they may, especially if maybe you didn't have robust cybersecurity practices beforehand; they may amount to something more serious. And again, also don't forget about looking at your exposure to foreign laws and foreign jurisdictions that may apply to you even though you do not have business operations in them; you may have obligations there as well.
Finally, at the end of this entire unpleasant, painful process, you'll want to write a memo to your file that documents everything that you did, when you learned of the breach, what investigation steps you took, what decisions you made with respect to providing notice to customers or to regulators, or, if you didn't, why you think you didn't need to make those notifications, and save it to the file in case any of this ever comes up down the road, because it might. Because six months later, or a year later, you may be breached again. It's not unusual. It can happen. And that might actually trigger a requirement for you to make notice to regulators. And then they, in their follow-up questions, may ask if you've had any other cyber incidents within the past few years. And suddenly you may be investigated for this prior incident as well. So, it's good to have that closing memo to your file. So, that essentially brings us to the end of our program here today.
Obviously, we covered a lot of ground and there's a lot of information to take in. The main takeaway, however, is the more prepared you are for a cyberattack, the better shape you'll be in when the inevitable unfortunately happens. And with that, I wanna thank you for listening and wish you a good day. Thanks and goodbye.