Cyberattack Response Experience
Thompson Hine has a broad range of experience in helping organizations respond to cyberattacks and data breaches, including the following:
- Assisted a health care plan in responding to notification from business associate of potential compromise of employee health records and protected health information, and furnished counsel with respect to HIPAA’s data breach notification rule, low probability assessment and notification requirements as well as state law “risk of harm” analysis and breach reporting obligations.
- Assisted a client in the chemical critical infrastructure industry in responding to a spray attack on email system, conducted legal analysis to determine federal and state cyber incident reporting requirements and drafted the notification report to satisfy U.S. federal requirements.
- Helped a provider of platform technology used by educational institutions to manage attendance, grading and other academic functions to address vulnerabilities in its database management that potentially exposed client data to SQL attacks, and performed legal analysis related to potential notifications to satisfy domestic and international legal and contractual requirements.
- Assisted a client in responding to the physical theft of payment information from a lockbox service through employee dishonesty, including assisting in rectifying the misdirection of customer payments.
- Assisted an international, Canada-based integrated chemical company with refinery operations in the United States in responding to a password spray attack that potentially exposed critical infrastructure systems, including managing notification of the incident to the Department of Homeland Security and providing legal analysis related to potential notifications to satisfy domestic law and contractual requirements.
- Assisted a professional services firm in assessing the applicability of data breach notification law with respect to an employee who potentially exfiltrated and misused sensitive HR data, including employee tax records.
- Helped a manufacturing client with respect to disclosure of employee identification numbers and other HR data to a third-party service provider and non-applicability of data breach disclosure laws based on good faith exceptions and legitimate interests of parties.
- Assisted a client that maintains rewards and incentive programs for Fortune 500 companies in responding to an intrusion into its online platform based on Jira-related vulnerability, engaged IT consultant to undertake forensic assessment and security vulnerability scan, and conducted legal analysis related to potential notifications to satisfy domestic law and contractual requirements.
- Assisted a managed service provider in responding to Conti ransomware attack that targeted third-party client’s IT environment, including by issuing litigation hold, engaging Digital Forensics and Incident Response (DFIR) vendor, analyzing export control laws related to use of DFIR vendor’s proprietary software, and drafting litigation risk assessment.
- Assisted multiple clients, including a global manufacturing company and an energy sector organization, in responding to a security incident notification published by a third-party human capital and workforce management cloud service provider regarding a ransomware attack that compromised the availability of its services and the personal data processed therein.
- Assisted a consumer goods company in investigating and responding to data breach arising from unauthorized access to and exfiltration of customer data from the company’s third-party e-commerce platform due to compromise of an employee’s account credentials.
- Assisted global manufacturing company in responding to ransomware attack that compromised sensitive employee and customer data, and partnered with European Union (EU) counsel to facilitate notifications to supervisory authorities pursuant to the General Data Protection Regulation and EU Member State law.
- Advised a private sector company with respect to an incident involving the unauthorized disclosure of sensitive employee data, and counseled on the “good faith” exception within certain U.S. state data breach notification laws and on complying with internal investigation and records retention requirements.
- Counseled a health care business associate regarding technical anomaly within its online patient portal that resulted in unauthorized disclosure of medical records and protected health information, and drafted formal data breach notification communications and reports.
- Assisted an operator of a SaaS platform serving secondary and post-secondary educational institutions in responding to an intrusion into its operating systems that potentially exposed personal and competitively sensitive information.
- Assisted a global manufacturing company with its response to the inadvertent disclosure of export-controlled data to foreign nationals, and drafted, prepared and submitted voluntary disclosures to federal government.
- Represented a defense contractor in joint investigation by the Department of Defense and Federal Bureau of Investigation arising from Maze ransomware attack that potentially exposed controlled unclassified information, which resulted in the closure of the federal investigation without adverse action to client.
- Assisted a supply chain defense contractor with response to ransomware attack that compromised the confidentiality of sensitive employee data and controlled unclassified information, including drafting and submitting formal data breach notices to impacted individuals and government agencies.
- Counseled a services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from a spoofed internet domain.
- Assisted an employee health plan in investigating and responding to data breach that occurred within business associate’s information technology environment that resulted in unauthorized access to employees’ protected health information.
- Provided counsel to a health care consulting firm on responding to and remediating intrusion arising from a spoofing attack that exposed sensitive customer and patient information.
- Assisted a global manufacturer, wholesaler and retailer of OEM and aftermarket automotive and truck components in responding to and remediating service provider data breaches.
- Represented a publicly traded lighting manufacturer in data breach associated with accounts payable fraud scheme.
- Assisted multiple group health plans in reviewing, analyzing and assessing potential HIPAA breaches of their business associates, including undertaking risk analyses and advising on documentation requirements.
- Engaged with clients’ cyber insurance carriers to address claims related to ransomware and other cyberattacks.
- Assisted a clinical laboratory in responding to a significant data breach of its business associate that compromised the health information of many of its patients.
- Assisted hospitals in investigating and responding to HIPAA data breaches, including an investigation by the Department of Health and Human Services Office for Civil Rights.
- Assisted an investment advisory firm in investigating and remediating system intrusion that resulted in the exposure and exfiltration of highly sensitive personal and financial information of high net worth individuals without adverse claims or litigation.
- Assisted a non-bank financial services provider in responding to and remediating Office 365 intrusion that exposed sensitive financial and other personal information and that resulted in fraudulent government benefit claims.
- Assisted a faith-based nonprofit organization in investigating and remediating Office 365 intrusion resulting from a phishing attack, including forensic review of incident and affected data and management of breach notifications and agency filings.
- Assisted a leading automotive aftermarket parts and service mass retailer in responding to and remediating Office 365 intrusion that compromised employee and customer personal information, including management of breach notifications and regulatory filings.
- Provided assistance to a distributor of automotive aftermarket parts in recovering from and remediating ransomware intrusion without payment of ransom.
- Assisted a global manufacturing company with response to and resolution of ransomware attack that compromised employee HR data (e.g., 401(k) plan, benefits plan), including drafting breach notification letter to clients and assisting with development of post-breach written information security plan.
- Assisted a manufacturer in investigating and responding to unauthorized publication of sensitive personal data concerning its current and former employees on internal platforms, including implementing certain technical measures to assess potential impermissible access to, and use of, the personal information, and prepared a legal memorandum addressing the applicability of certain data breach notification laws.
- Counseled a business associate on investigating erroneous configuration of client-facing patient record and billing platform that potentially enabled impermissible access to protected health information among third party health care providers, including providing legal guidance with respect to whether a “breach” within the meaning of federal health care law occurred as a result of the platform’s technical configuration.
- Assisted a provider of advertising and marketing services to major energy providers in responding to and mitigating a cyber breach that resulted in large fraudulent payments, including recovering all fraudulent payments and protecting sensitive information from further exploitation.
- Assisted a pre-commercial pharmaceutical business in remediating an Office 365 intrusion that potentially exposed employee and clinical data.
- Assisted a contract manufacturer in recovering from and remediating a ransomware attack that disabled the company’s systems, including aiding in the resumption of all business activities and the protection of sensitive data from exfiltration.
- Advised a chemical sector business on responding to a ransomware attack that compromised the security and confidentiality of its HR data regarding both current and former employees and their dependents and beneficiaries, and assisted with drafting formal data breach notification letters to affected data subjects, notifying consumer reporting agencies and state attorneys general, establishing credit monitoring services, and complying with multiple laws and regulations governing substitute notice via media and website postings.
Businesses must protect the privacy and security of the personal data and confidential information in their custody and control. However, in today’s dynamic threat environment, businesses are facing evolving risks to their information technology (IT) systems and networks. To mitigate these risks, a business should build a data protection program tailored to its unique concerns and threats. Central to developing a data protection program is creating, implementing, and maintaining a clear and concise data incident response plan (IRP) that outlines the measures and tools needed to prepare for and respond to an actual or reasonably suspected data breach.
This checklist provides an outline of the critical elements a business should address or consider when creating an IRP. Full access to the checklist is available here (pdf).
- Governance and responsibilities. The IRP must identify the key individuals who have roles in the security incident response process.
- Incident Response Coordinator. The business should delegate authority to one person, an Incident Response Coordinator, to oversee data breach response efforts.
- Incident Response Team (IRT). An IRT is a predetermined group of employees, contractors, and other resources responsible for responding to data security incidents.
- Incident response procedures. The IRP should include procedures and protocols that address detection and discovery; assessment and escalation; IRT investigation and analysis; and containment, remediation, and recovery.
- Evidence preservation. The IRT should direct appropriate internal or external resources to capture and preserve evidence during the investigation, analysis, and response activities.
- Communications and notifications. The IRT, in coordination and consultation with legal counsel, should consider developing a communication plan for both internal and external stakeholders.
- Post-incident response. Following a security incident or data breach, a business should, at least periodically, reconvene the IRT to assess the incident, the effectiveness of the response, and any remedial measures needed to mitigate risk.
The First 72 Hours: Critical Steps Following a Data Breach
When it comes to a data breach, what you do in the first few hours and days can mean the difference between containing the risks and losses and losing control of events. As the minutes and hours tick by, the financial and reputational consequences you face may be quickly multiplying. According to the 2019 Cost of a Data Breach Report (Ponemon Institute/IBM Security), the average total cost of a data breach globally is $3.92 million (USD), and in the United States that number more than doubles to $8.19 million. And that doesn’t even begin to account for the potential harm to your public image. It is in the best interests of your company and its employees and customers that you quickly assess the situation, notify the proper parties, and begin the investigation and remediation process. In fact, if you conduct business in the European Union, its General Data Protection Regulation in most cases requires you to report a breach to the supervisory authority within 72 hours of its discovery.
Would you know where to begin? The good news is that you don’t have to. Our Privacy & Cybersecurity team has the experience and resources to help you quickly and effectively respond to a data breach. Our professionals have substantial experience in managing data incident response scenarios, and we can deliver an efficient, disciplined and effective response plan. And we provide our services for a fixed fee, so you know the cost up front.
Here’s how we can help:
- Create and convene (with general counsel/CISO) the incident response team
- Identify and interview knowledgeable personnel
- Investigate source, scope and nature of incident, including what was lost (physical or data) and if breach was result of third-party service provider failure
- Investigate if data is accessible/usable (e.g., encrypted)
- Identify/counsel/verify initial remediation actions taken to immediately limit damage of incident and stop breach
- Analyze compromised data and determine type(s): PII, PHI, PCI; employee or
- Assess number and geographic distribution of potentially
- Identify and assess short-term reporting and regulatory obligations (e.g., HIPAA breach)
- Counsel on timing of scope of notices
- Ensure necessary third-party providers are in place
- Counsel on preservation of evidence (e.g., capturing logs that would ordinarily be deleted)
DELIVERABLE #1: Initial assessment of potential reporting/notification requirements (legal analysis)
Third-Party Provider Assessment
- Identify third-party service providers
- Identify relevant insurance coverage
- Review with internal risk management personnel relevant insurance contracts/coverage
- Ensure appropriate insurance providers are involved
- Review relevant services/IT agreements and breach provisions; provide initial advice on next steps/remedies
DELIVERABLE #2: Ensure necessary third-party providers are in place
DELIVERABLE #3: Prepare forms or provide notice templates specific to location/jurisdiction/regulatory requirements
Identification of External Resources/Service Providers
- Initiate retention of notice fulfillment services provider as appropriate
- Retain forensic resources as necessary
- Retain crisis communications consultant/coordinate with company PR and investor relations teams
If your organization has suffered a data breach or incident, please contact us at any time (24/7) here and a Thompson Hine cybersecurity attorney will respond to you as soon as possible.
For more information about the critical steps following a data breach, please contact:
Thomas F. Zych, Partner, Chair, Privacy & Cybersecurity
Steven G. Stransky*, Partner, Vice Chair, Privacy & Cybersecurity
202.263.4126 | 216.566.5646
*International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)