Cyberattacks against small- and medium-sized business are rising, according to a global survey that reports 76 percent of U.S. SMBs were attacked in 2019, up from 55 percent in 2016. Globally, 66 percent of respondents reported attacks in the same timeframe, according to the joint announcement by the Ponemon Institute and Keeper Security Inc. Most companies don’t question the need to secure against cybercriminals, but some aren’t sure how to deal with their image after their system’s been hacked.
Should a breached company keep quiet and hope nobody notices it, or come clean with either selected parties or a public mea culpa? Attorneys, public relations pros and others opened up about it to NJBIZ.
A company’s image is important, so “Every business should have a crisis communication plan, before an emergency such as a cybersecurity incident happens,” according to Jeffrey Barnhart, chief executive officer and founder of CMA, a communications, marketing and association management firm. “That includes a crisis communication strategy, in addition to an outline of procedures to prepare you for an emergency.”
Don’t sit on the leak
After assessing the situation with proper cybersecurity and other professionals, and trying to plug any security gaps, a victimized business should “obtain legal advice and work with public relations professionals,” he advised. “A quick response shows that you’re on top of your business and care. Craft an appropriate timeline and responses to your employees, customers, investors, partners and other stakeholders including the media. Devise top key points about what occurred, what you’re doing to fix the problem, actions to eliminate future breaches and what they need to do as next steps.”
It’s a good idea to clue in all your customers about the breach and subsequent recovery steps, he added. “However, some higher value customers might receive early notification in the form of an email, as opposed to a press release published on a third-party website and/or an announcement on your company’s website.”
A communications plan that’s in place, ahead of a hack, can be a big help, according to William Murray, executive vice president and national director of MWWPR. “But even with a plan, the communications surrounding these types of issues depend more on the specifics of the breach,” he said. “In most instances, particularly for companies involved in such industries as health care, finance, retail and consumer- facing interests, there are regulations that guide reporting requirements.”
Sometimes, of course, a company’s lawyer may say to keep quiet. “That lack of public comment or communications may unnecessarily create the impression that the company has something to hide,” cautioned Murray. “It’s a delicate balance that requires calm, strategic thinking. There is no single strategy that fits all scenarios and businesses need to recognize that fact, tailoring any communications program to the appropriate response.”
MWWPR recently handled a situation involving a health care entity, where “[n]otifications were directed immediately to all impacted accounts, followed by information on what steps they should take to protect themselves,” he said. “MWWPR and the client included traditional media and all social media platforms in communications strategies to ensure that all accounts were reached and understood that the breach had occurred. Through that more-public communication, we also sought to protect the brand — ensuring that future consumers and commercial accounts would trust that the client had their best interests at heart.”
If a business does suffer a cyberattack, it should work closely with law enforcement and other officials while straightening things out internally, said Roota Almeida, chief information security officer of Delta Dental of New Jersey and Delta Dental of Connecticut. At the same time, she added, the company has to come clean about what happened.
“While the main goal of any business after a hack is to get back up and running and help their customers, the business should continue to work with law enforcement to trace the perpetrators,” Almeida stressed. “The business should issue a general public statement giving a background of the incident, including sketching out what happened, and how the incident was discovered, the remediation steps and if any data was compromised. It’s not a good idea to hide a hack.”
The notification should contain “as much detail about the incident that the business can share,” she added. Talk about how and when the incident was discovered, whether the incident had been mitigated, whether data was compromised, then offer details on how much and what type of data was compromised and how customers may have been affected.
One important detail: “A public announcement should be issued before customers are notified,” Almeida advised. “Timely and accurate communication with the public and the customers is key to incident response. Customers have more faith in a business that keeps them updated on the incident in a timely manner.”
If a company does get hacked, keeping mum may not be an option, said John Wolak, a director at Gibbons PC who chairs the law firm’s Privacy & Data Security Team.
Talk to the lawyers
“In general, there are notification obligations that are dictated by the legal requirements of the state where the individual — whose personal information is the subject of the data breach — resides,” he said. “There may also be applicable industry-specific notice requirements. Depending on the type and scope of the information that may have been compromised in the incident, the business may have to meet the notice requirements of several states, as well as industry-specific requirements and the requirements of foreign jurisdictions if the personal information of non-U.S. residents is impacted.”
A lawyer with a dash of Sherlock Holmes
For more than 10 years, Gibbons Director John Wolak and his team have worked with clients to respond to malicious activities and personnel mistakes that resulted in a wide variety of data security incidents. “We recently served as data breach counsel leading the investigation and response activities for a regional healthcare provider,” he noted. “The incident resulted in the potential disclosure of extensive patient health information spanning multiple years and involving several hundred thousand patients residing in 50 different jurisdictions.”
Wolak and his legal gumshoes retained a forensics team to identify the nature and scope of the incident and confirm that the harm was properly contained.
“We also worked extensively with the client’s staff to ensure that the client could continue daily operations and properly treat patients, as well as to ensure that each patient’s privacy and individual rights were properly safeguarded,” he said. “Because of the nature of the security incident, we also interfaced with local law enforcement and federal authorities so that the client met all applicable regulatory obligations. After our response and remediation efforts were completed, we worked with the client to review, evaluate, and revise its privacy, security, and incident response practices going forward.”
When it comes to New Jersey residents, “the notice obligation is typically triggered if there has been unauthorized access to their personal information, or if the business reasonably believes that there has been access to personal information by an unauthorized person,” he added. “In that case, a business — even one that’s based outside of New Jersey — must first notify the New Jersey State Police for potential investigation, and must also advise the New Jersey resident of the breach.”
That may not be the end of the ordeal, however. “A business victimized by a cyberattack may have liability for a variety of costs, including its own incident response and remediation costs, notice costs, potential damages suffered by customers and third parties, third party remediation costs, regulatory fine and penalties and potential litigation,” according to Wolak. “The specific circumstances surrounding the security breach dictate whether there are any potential defenses to any one or more components of potential liability.”
Fortunately, forward-looking business owners can protect themselves. “Cyber-liability insurance is readily available from a variety of insurers and is an important component of a business’ risk mitigation program,” Wolak noted. “I am frequently asked by clients to assist in obtaining cyber coverage and to review and evaluate proposed or existing insurance coverage.”
Hacking, of course, affects a variety of parties, including the victimized business itself, which may have lost trade secrets and other confidential information; and sensitive information belonging to customers. “Therefore, businesses should be proactive with both their lawyers and their IT professionals,” advised John Stone, a partner in the DeCotiis, FitzPatrick, Cole & Giblin LLP law firm.
One hack, multiple headaches
He said reporting requirements depend on the state law that applies, which, in turn, is based on the state where an individual victim — whose information was hacked — resides. “So a single data breach can involve multiple notification requirements if victims reside in various states.”
New Jersey law requires any business that conducts business in the state to disclose “any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person,” Stone said.
Among other requirements, The disclosures to customers must “be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
A business can also face civil suits “for negligently allowing the hacking and loss of information,” he warned, adding that it may also be sued under contract law “if the hacking and loss of information is governed by a contract between the business and customer. Issues regarding what damages may be recovered could be affected, in part, by whether suit is in tort or contract.”