What to do When the Hackers Come for Your Company
It’s 10:45pm. You’re reaching for your TV remote to remind Netflix that you’re still watching your favourite new show when suddenly your phone rings. It’s your CIO. Sheepishly, she tells you your firm has been hacked and there is the potential that your client’s confidential information may now be in the hands of a hacker. What do you do next?
Last week David Canton wrote about how common data breaches have become. So common, in fact, that every firm will experience a breach at some point in its existence. For this reason it is crucial that you are prepared with a written and rehearsed emergency plan. This week’s blog focuses on what that plan should include.
The first step is to identify your key players:
Ascertain who, among your senior leadership team and corporate board, needs to be involved in approving communications and legal instructions, so that there is no confusion over who will be responsible for carrying out your plan.
Create a list of your legal, corporate communication, IT forensic, and regulatory contacts with their contact information easily accessible. Make sure you understand the cost of retaining these experts.
Most importantly, if you have cyber insurance, ensure that you understand your obligation to notify your insurer and when and how that notice must be communicated.
Create three plans:
Your legal team will need a plan setting out the specific legal requirements under applicable privacy legislation.
Create a second plan for the individuals doing the heavy lifting, the people who will actually do the work to remediate the issue.
Finally, create a plan for the individuals supervising those who will work to fix the issue, so that they know the triggering events that will necessitate escalation.
Keep a written copy of all your plans. The hacker may lock you out of your electronic systems, including the systems that hold your plans.
Rehearse your plans:
At a minimum, once a year, work through your plans with your IT professionals to ensure they are workable. Call the numbers on your contact list and see how long it takes to receive a response.
Prepare three-way agreements between you, your lawyer, and your outside professionals so that communications with your external vendors may be covered by solicitor-client privilege.
With news of data breaches occurring almost daily, clients and insurers expect you to be prepared. There is no replacement for a rehearsed emergency plan, and when your CIO calls with news of a data breach at 10:45pm, you need to be ready to act quickly and confidently.
David is an Associate Lawyer with our Business and Financial Services, Employment and Labour Law and our Technology and Privacy Law Groups. Connect with David on LinkedIn.