
8 steps to take if your company gets hacked – New Orleans CityBusiness

Over half of U.S. companies will be hacked this year. The best way to deal with hacking is to take actions to deter and manage it. That means putting together a team led by management, the chief information security officer, the IT officer, the head of security, public relations advisers and outside counsel. This team can forge an information security plan, including establishing a group to respond to data security problems and developing and executing procedures to respond to a data breach.


Here are eight steps to take if your company gets hacked:

  1. Recognize that immediate action makes a difference. You need to have the team and a response plan in place before any hacking incident. This includes making certain that communications about key decisions are made subject to the attorney-client privilege, which means operating through outside counsel. Prior preparation will not only let you respond more quickly, but also more efficiently and at lower cost.

  2. Train employees so they know their responsibility if a breach occurs. Breaches may not be discovered immediately. You must train employees to recognize a breach, to know whom to report it to, and to understand the consequences of not doing so promptly and properly. That requires setting up a clear procedure for reporting.

  3. Train employees differently based on what they need to know. Not everyone needs to know everything when a breach occurs. Most have to secure their own passwords and take care in how they send emails or other messages to avoid hackers, but not everyone needs to be aware of every detail of the data breach response plan. Decide what each group needs to know and make sure they are trained to take the action required of them.

  4. Train employees to employ the right language in communications. Depending on the industry, terms like “security” and “breach” may have a legally defined meaning. Communications that assert a “security breach” has taken place may come back to haunt you in a legal proceeding. Qualify the language. For example, talking about a “potential” breach may have different consequences than declaring that a breach has occurred.

  5. Contain the damage. Take action to stop more data from being stolen or damaged. Specific actions depend on your information security plan. Consult with your IT team on the proper steps in the context of how you have been hacked. Generally, you want to isolate infected computers, networks or systems, and avoid steps that wipe out forensic data and jeopardize efforts to determine the identity of the attacker, the type of attack and the route into your systems and networks that the attackers exploited.

  6. Separate operational issues from legal issues. To minimize legal exposure, make as much of the response as possible subject to the attorney-client privilege. That need has to be managed and balanced against operational necessities.

  7. Document your response actions. Regulators want to know whether the companies they examine have exercised due diligence (reasonable and adequate steps) to protect data and information. You need to show them that you understood the problem from the outset, including anticipating the possibility of a breach, and had put procedures and processes in place to manage the problem and mitigate the risk and damage. Regulators will not take your word for it. Show them what you did.

  8. Stay on top of notice requirements. You may have to notify persons in all 50 states, and each state has its own breach notification rules. Consult ahead of time with counsel to understand whom you have to notify of a breach and the timing and content of the notice, including disclosures on the means and manner of the breach. Make certain you comply with notice provisions in contracts with third parties. Sometimes third-party vendors promise to handle notification, which can be risky. You need to stay ahead of the curve and ensure that notification is properly dealt with.

Taking these steps can save you not only millions of dollars, but also lost time, damage to reputation, interruption of business operations and unwanted legal exposure to fines, penalties, attorney fees and other avoidable headaches.


The key is to work with management, relevant company officials and counsel on the front end so that if a breach occurs (and recognize that a breach is likely to occur), you can manage the problem and minimize the legal exposure and damage.

James Farwell and Geoff Elkins are attorneys with Elkins PLC of New Orleans and have expertise in cybersecurity law. They have co-authored a new book with Virginia Roddy and Yvonne Chalker, “The Architecture of Cybersecurity.” Michael Bagneris, former chief judge for the Orleans Civil District Court, is Of Counsel to Elkins PLC for cybersecurity.
