What To Do When You’ve Been Hacked

June 16, 2015 – In The News
Inside Counsel

Scott L. Vernick was featured in the Inside Counsel article, “What To Do When You’ve Been Hacked.” Full text can be found in the June 16, 2015, issue, but a synopsis is below.

You’re the general counsel at a large retailer that has just suffered a data breach. What do you do now?

That was the focus of the opening response workshop at the Mid-year Cybersecurity and Data Protection Legal Summit on June 16. Among those on hand to discuss what to do – and what not to do – was Scott Vernick, partner at Fox Rothschild.

“In the area of incident response, it’s all about preparation, preparation, preparation,” said Vernick, a noted privacy attorney.

Vernick noted that organizations must be disciplined and have all pieces in place. “How well your incident response plan works depends on how much you put into it,” he said, adding that companies should be concerned with strong data management, or they could find themselves playing “whack-a-mole.”

While Vernick said conducting “tabletop exercises” to test and update response plans is a good idea, he noted that the results of those exercises can be subject to discovery in the event of a future breach.

Vernick also said having an insurance plan is a good idea, though sometimes insurance carriers can take over the response to a breach, depending on how the policy is written.

Organizations and their counsel should also be aware of the Federal Trade Commission (FTC), which has become a major player in the data breach landscape.

“The jurisdiction of the FTC is confounding,” said Vernick, who noted that the commission has not exactly been clear in interactions with breached companies. “When you negotiate with them, you have to suspend reality.”

One resource for keeping pace with the varying laws and regulations is the government, which releases a weekly update on cybersecurity matters, Vernick said.

Vernick also noted that the federal government is looking to put in place a uniform law that would cover all states, but some attorneys general do not support the idea, as they feel it could lead to a weaker statute than their state already has.