Dear Mary,

One of our employees recently fell victim to a phishing attack, allowing unauthorized access to their email account for a brief period. To be safe, we reset everyone’s passwords and terminated all active sessions. We’re now in the process of hiring a law firm to determine if we need to notify anyone about the incident. It’s taking a little longer to get them engaged, but I’m hoping to have this done soon. In the meantime, is there anything else we should be considering?

– Not Entirely Clueless in Connecticut

July 10, 2024

Dear Not Entirely Clueless,

It sounds like you’re on the right track with containment (i.e., securing your environment) and seeking legal counsel. The law firm will likely recommend hiring a forensic firm to assess the extent of the incident (e.g., whether any data was accessed or taken). One critical step is to ensure your team preserves any relevant logs or artifacts, as these will be critical for the forensic analysis. Different logs provide varied information and have different retention periods, so it’s important to halt any rollover or deletion processes. By maintaining comprehensive logs, you can better determine the scope of the compromise, potentially reducing the number of notifications required. Without such logs, you may face uncertainty and difficulty in deciding who to notify and on what basis.

— Mary

“Dear Mary,” an advice column from Troutman Pepper’s Incidents + Investigations team, will answer questions about anything and everything cyber-related — incident response, forensic investigations, responding to regulators, breach-related litigation, and much more. “Dear Mary” goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to our reader’s questions with concise, practical answers. Answers will be general in nature and will not contain legal advice. If you need legal advice or representation, please contact one of our attorneys directly. “Dear Mary” also can be found here on the firm’s website.