Your Company Has Been Cyber Hacked! Strategies For Dealing With The Fallout

Jim Halpert, Partner, 
DLA Piper

• Hacking is a growing problem (perpetrated not only by “recreational hackers” but also by overseas competitors and sophisticated governmental actors) that companies need to take very seriously. If you find out that you are hacked, you need to conduct a thorough investigation to understand what has occurred and to ensure that you have restored the integrity of your system with no malware or vulnerabilities remaining in your system.
• It is critical that before they are hacked organizations implement both strong information security programs and sound incident response plans. The incident response plan needs to draw on and involve key resources within your organization — IT, legal, law enforcement liaison, corporate communications and, if client data are involved, the relationship team for those client.
• For most organizations, it is a very good idea to engage a skilled computer forensics consultant to determine exactly what happened, to clean your IT infrastructure of vulnerabilities and detect and purge all malware. A key element of data security legal requirements is to adjust your system in light of actual and potential security threats. Failure to respond and learn from actual hacks will likely be considered as negligence. Furthermore, businesses have obligations under SOX to have business continuity plans and protections in place so as not to be crippled by cyber threats. Businesses in heavily targeted sectors (e.g. financial services and defense) should seriously consider going further and helping to raise the security of devices that interact with their servers.
• It is very important to assess as quickly as possible whether the hack likely involves: (1) sensitive personal information triggering a security breach notice obligation to individuals and to government authorities, (2) PCI-DSS data, which triggers requirements to notify the payment card brands and potentially to indemnify them, pay for a special PCI audit and pay fines, (3) sensitive trade secret information serious enough to trigger an SEC requirement to notify shareholders, or (4) a compromise of the security of critical infrastructure, which can give rise to significant harm. The presentation will explain each of these four categories and the steps to take in each case.
• It is also sometimes advisable with appropriate confidentiality assurances and obtaining trade secret protection, to share information about hacking incidents with law enforcement, particularly if you want to attempt to pursue the hacker. Adopting more aggressive counter-measures (for example to retrieve stolen data that is stored on an intermediary server) can sometimes be desirable, but it is important to review these measures for compliance with the law. In addition, organizations in targeted sectors often benefit from sharing information on potential and actual threats with colleagues in other organizations and potentially with government cyber-security authorities. Given the dynamic nature of cyber security threats, information sharing is very important to stay up to speed with evolving threats and to help protect the infrastructure.

C. Kelly Bissell, Global Incident Response and U.S. IT Risk Management Leader,
Deloitte & Touche LLP

breaches, fraud, and disruption of services

• Organizations are experiencing more frequent cyber incidents than ever before
• Discuss costs and impacts to organizations
• Discuss number and types of breaches
• Discuss how to plan for and respond to cyber incidents including loss of data, security

Daimon E. Geopfert, National Leader, Security and Privacy Consulting, 
McGladrey LLP

Paula Vuksic, CPA, MST , Partner , 
Citrin Cooperman

• Many organizations still rely almost exclusively on preventative controls (patching, anti-virus, IDS,
  etc) while neglecting their detective (monitoring) and corrective (incident response) controls
• The issue with this is that modern threats are purpose built to bypass preventative controls (zero-
  days, rapidly mutating malware, IDS evasion, etc)
• While the odds are low that any single organization will be targeted by an APT level threat, we are
  seeing a “bleed-over” affect where APT-ish capabilities are being built into hacking toolkits
  which are then wielded by the masses of malicious but un-skilled attackers
• The focus on preventative controls contributes not only to the large number of breaches we’ve been
  seeing, but also their duration. Some organizations are breached for years at a time
  without knowing it.
• Organizations should use the information in the public domain that describes how other companies
  were breached, and they should run mock exercises to see if they would be capable of handling a
  similar attack. They should as themselves, where would we have done better monitoring in order to
  catch this attack?
• Organizations need to plan to fail as all security solutions can eventually be breached. Their goal
  should be to fail gracefully, by which I mean that they can quickly identify the breach and respond
  before significant damage is done.

Jonathan Fowler, EnCE, ACE , Director of Forensics, 
First Advantage Litigation Consulting

• Internal Fallout
  • The company needs to determine how the hack was carried out so that appropriate measures can be put in place to (a) prevent the hack from being carried out again and (b) ensure that corporate IT systems are no longer infected. Additionally, proactive measures should be taken to educate employees on potential dangers of hacking (including social engineering concepts).
• External Fallout
  • Depending on the type of data hacked, does the company have an obligation to report the incident, either to governmental regulators or to investors (or both). Outside counsel may need to be involved to assist the company in navigating through the various state and Federal regulations/requirements in reporting these incidents.
• Proactive Steps
  • Aside from corporate IT departments using proactive tools and techniques to monitor for attacks, corporations should form data breach incident teams that include personnel from IT, Risk Management, Legal, as well as business-group leaders to put together a set of standard procedures for the company to follow should an incident occur in the future. This may also involve outside vendors as well, such as computer forensic or cybersecurity specialists.