A call is placed at 5:15 p.m. Friday by a dealership’s chief information officer, who says she thinks the company has been hacked. The allegedly hacked customer records have not been posted, yet the tip appears legitimate. The CIO asks, "What do we do?"
 
Scenarios like this are increasingly common, and the reputational, regulatory and operational effects can be devastating. The response should be swift and focused, and it should include:

 

MOBILIZATION: Responding to a data breach will involve resources from across the company’s functional groups — IT, HR, legal, risk, accounting, marketing — and from the C-suite to the affected line of business, as well as external resources such as breach counsel, forensic investigators, crisis management and PR teams, and notification mail processors. The dealership should have a response plan in place before the incident, and the team should be mobilized immediately.
 
Many of the issues faced next will have civil and regulatory implications, and discussions should have the benefit of legal privilege. Consider engaging breach counsel first.
 
STABILIZATION: The first step in getting control of the data post-incident is to patch whatever leak exists. The technical team should lock down any stolen or misused credentials, devices or system vulnerabilities and preserve evidence.
 
INVESTIGATION: Once the technical vulnerabilities have been addressed, identify the scope and duration of the incident; use outside forensic examiners, if necessary. At the same time, review contracts with any implicated third-party service providers, and identify applicable responsive insurance.
 
ANALYSIS: Data breaches are addressed primarily as a matter of state law, with every state defining and prescribing responses to a breach differently. The dealership also may have obligations related to data breaches under contracts with commercial vendors or suppliers. Understanding the responsibilities — to customers, regulators, counterparties and investors — turns heavily on the language of the data breach statutes in each implicated state, and the language of any contracts.
 
Which states are implicated largely is determined by the location of customers and business operations. Whether counterparties must be involved is determined by the language of agreements. This is a highly fact-specific, largely "legal" analysis.
 
NOTIFICATION: After identifying the "what," "how" and "who," it’s time to notify any external stakeholders. This may involve notifying customers, contractual counterparties and investors, and most-assuredly will involve notifying state attorneys general. Notification requirements differ by state, both as to timing and substance. The timing for most statutes runs from knowledge of the breach, and may be as short as 24 hours.
 
EVOLUTION: To the extent there is a benefit to a data breach, it lies in identifying the facts and circumstances that led to the breach and using them to anticipate future threats and improve company systems and practices.