“Don’t open that Google Doc ‘I’ sent you!” How many texts like this did we see this week?
Another national phishing scam, this one involving Google Docs, reminds us to be vigilant regarding our cyber data. Mass media outlets and specialty trade journals agree that this attack was particularly sneaky. Although Google claims the attack affected only 0.1 percent of Gmail users, that amounts to 1 million accounts.
Cyber attacks and phishing scams are annoying to individuals. But they can cripple your business. If personally identifying information (“PII”) or other statutorily protected data in your company’s care is compromised, individual employees and companies alike can be sued, fined, and in some cases, criminally prosecuted.
Increasingly, companies store their information utilizing remote networks of servers (often referred to as “The Cloud”). This increases the risk of cyber attacks. As I previously noted in an earlier post, phishing scammers seem to be moving “down the food chain” by attacking smaller companies with less sophisticated defense networks.
Now more than ever, small to mid-size businesses should consider drafting, implementing, and testing data breach incident response plans. No one can avoid a cyber attack. But a data breach incident response plan is a cost-effective measure to reduce the adverse impact a cyber attack may have on your business.
Typical elements of an effective data breach incident response plan include the following:
Before the Cyber Attack
· Establish an Incident Response Team;
· Include at least one manager or officer on the Team;
· Include a member of the company’s IT group on the Team;
· Identify legal counsel to assist your Team with its response;
· Identify a third-party IT vendor to assist with breach analysis;
· Identify an identity-theft and credit monitoring vendor to assist;
· Print and circulate written copies of the Plan to all employees.
Within the First 24 Hours of the Cyber Attack
· Notify all members of the Team;
· Record the date, time, and place of the attack – document everything;
· Secure the premises;
· Identify the scope of the breach;
· Determine (with counsel) whether to notify law enforcement;
· Identify (with counsel) which state laws apply.
Within the First 72 Hours of the Breach
· Different states have different notice requirements. Accordingly, some affected persons must be notified right away;
· Most states require potentially affected persons to be notified, too;
· Notify government agencies as required by each jurisdiction implicated;
· Supply government agencies with the “notices of cyber attack or data breach” already provided to those affected;
· Notify and engage identity-theft and credit monitoring vendor.
Within the First Nine Months
· Follow up with the credit monitoring vendor on status;
· Maintain a toll-free number to field inquiries from affected persons;
· Review IT protocols to reduce risk of recurring breaches.
Although no one “template” fits all data breach notification scenarios, a typical notification letter will include:
· An opening paragraph stating plainly what happened;
· A brief statement expressing regret and demonstrating empathy;
· A brief description of your action plan, including phone numbers for affected persons to use in order to get more information;
· NOTE: Draft these letters mindful of your potential duty to provide them to government agencies and/or the authorities.
Although cyber attacks and data breaches are common, they are highly fact-dependent. No two breaches are exactly alike. It is critical to consult with legal counsel experienced in this area, ideally before, but certainly after, a cyber security incident or other similar data breach.