It’s not IF your organization is going to get hit, but WHEN: A primer on data breach considerations for in-house lawyers

  • May 29, 2019
  • Jennifer Davidson, Deeth Williams Wall LLP

Each year, organizations collectively spend billions of dollars to secure their IT infrastructure, yet cybercriminals continue to find new and inventive ways to infiltrate seemingly secure networks. Data breaches make headlines daily, eroding public trust and causing major headaches for executives in the process. Interestingly, CEOs seem more likely to lose their jobs over data breaches than other security incidents. As Eliott Behar, former Security Counsel for Apple, puts it, “there’s no faster way to take down a CEO than a poorly managed breach.”

The distinction between a breach response that allows an organization to escape with its brand intact and one that ends with the CEO’s removal can be summed up in a single word: preparation. Every organization should be taking preparatory steps to manage cybersecurity incidents because the question is no longer if you’re going to get hit, but when.

Imagine this scenario: you are in-house counsel for a mid-size company. You’ve been in the role for about six months, just enough time to get to know the basics of operations and the key figures of the company. It’s a sunny Friday afternoon before a long weekend. Most of the C-Suite has already left for the weekend and you are just wrapping up your last bit of work. The phone rings and it’s the CIO, informing you that the organization has been hit by a ransomware attack.  A resourceful cybercriminal has bypassed access controls and taken a significant amount of critical confidential data from one of your network servers. The attackers are demanding a seven figure sum, payable in bitcoin within 24 hours. If you fail to pay, the attackers have threatened to release the data on the dark web. What do you do?

The next steps will vary based on a number of factors — but at each stage, the organization’s response will benefit from the old adage: “the best preparation for tomorrow is doing your best today.” Below are a few specific considerations all organizations, large and small, should contemplate before a breach occurs.