Dear Mary,

I work for a public company that recently experienced a ransomware attack. Fortunately, we were able to restore our business operations quickly by obtaining a decryption key from the threat actor. Given that we managed to get back up and running so swiftly, do we still need to determine whether the incident is material and report it?

Sincerely,

– Concerned Executive

Continue Reading SEC Cybersecurity Incidents Disclosures: Materiality, Decryptors, and Ransom Payments

Dear Mary,

I recently experienced a security incident at my company and am considering whether to report it to law enforcement. While I want to cooperate and help catch the cybercriminals responsible, I am worried that law enforcement might come after my company for… I am not exactly sure what.

What should I do?

– Not Guilty

Continue Reading Notifying Law Enforcement of Security Incidents

Dear Mary,

I’m the general counsel of an organization and have recently started getting involved in the cybersecurity side of things. As I’m getting my bearings, I’ve noticed that our security team doesn’t always involve the legal department when an incident is suspected. While I understand that not every incident requires our involvement, I’m concerned that we’re being left out of matters that do need legal oversight, and when we are involved, it’s often too late. What can I do to help address this?

– Living in FOMO

Continue Reading Ensuring Proper Legal Involvement in the Incident Response Process

Dear Mary,

Each of the 50 states has its own definition of what constitutes a reportable data breach. For some, it requires “unauthorized access” to personal information. For others, it requires “unauthorized acquisition.” And then, some states have further qualifications to their definition, such as whether that unauthorized access or acquisition “compromises” or “materially compromises” the integrity, security, or confidentiality of the data. No states (apart from New York) define access or acquisition, and no state defines compromise vs. material compromise. How would you suggest analyzing all these varying terms?

– Patchwork

Continue Reading Understanding Access vs. Acquisition

Dear Mary,

I am the privacy compliance officer at a cloud-based software company. We recently experienced an incident where, although none of our client’s data was compromised, it appears that our employees’ information may have been copied and removed from our environment. This information includes employees’ full names, salaries, and salary schedules. All of our employees reside in California, and given the CCPA’s broad definition of personal information, I am assuming notification will be required?

– Frowning in Fresno

Continue Reading Understanding Breach Notification Obligations Under California Law: What Does the CCPA Require?

Dear Mary,

One of our employees recently fell victim to a phishing attack, allowing unauthorized access to their email account for a brief period. To be safe, we reset everyone’s passwords and terminated all active sessions. We’re now in the process of hiring a law firm to determine if we need to notify anyone about the incident. It’s taking a little longer to get them engaged, but I’m hoping to have this done soon. In the meantime, is there anything else we should be considering?

– Not Entirely Clueless in Connecticut

Continue Reading Preserving Forensic Artifacts Following Incident Detection

Dear Mary,

We were recently impacted by a vendor incident, and the vendor is offering to provide notice to the impacted individuals on our behalf. That sounds like great news to us, but is this something we can and should consider?

– Potentially Optimistic in Miami

Continue Reading Can Vendors Notify Affected Individuals on Behalf of Businesses After a Data Breach?

Dear Mary,

One of our critical service providers recently suffered a cyberattack. It’s all over the news, and our business operations are severely impacted. We’re losing money every day, and we have no idea how long this will last. Do you have any suggestions on what to do? The lack of information from our service provider is incredibly frustrating.

– Frustrated in Dallas

Continue Reading How to Respond When Your Service Provider Suffers a Cyberattack

Dear Mary,

We received a data request from Health and Human Services, Office for Civil Rights, today. It was in connection with a data security incident that happened almost a year ago. Is this normal? Should this impact how we respond?

– Not Forgotten in New Orleans

Continue Reading Understanding Regulatory Response Times Following a Cybersecurity Incident