A CEO Blueprint: What to Do if Your Company Is Cyberattacked

What other steps should you take to maximize the chances of catching the perpetrator?
Preserve the evidence – Gather the evidence of the intrusion or, at a minimum, stop any automated systems from overwriting it. Instruct your information technology staff to preserve IP logs and records of system log-ins and log-outs. Records of access and swipe cards, and closed-circuit camera logs, in particular, often have short re-record times, so be sure to preserve this evidence. Also, if the perpetrator was a company insider, revoke his or her system credentials before taking any employment action, lest that person retaliate by seeking to destroy evidence.

Interview your staff – Interview your IT staff and others with knowledge of the systems through which the intrusion or data theft occurred. No one knows your company’s computer systems better than your staff does. Taking this step will help you identify the best witnesses to offer to the government to make your case effectively.

Put a bow on it – Counsel can help you sort through the evidence of the breach and create a “prosecution memo” to share with law enforcement that is similar to what the prosecutor will ultimately have to create when seeking internal authorization for criminal charges. This document would lay out the evidence of the crime, connect that evidence to the suspect, and chart a pathway for successful prosecution, including by suggesting the particular statutes violated and anticipated punishments. Using outside counsel for your investigation also maximizes the protections of the attorney-client privilege, in the event that information is gathered as part of your internal investigation that you do not want disclosed to the government.

Create a single point of contact – Have one person, either within the company or at outside counsel, whom law enforcement can call to provide an update on the investigation or from whom law enforcement can request information. Empower that point of contact to interview and gather documents in response to the government’s requests.

How should you plan for the next time?
Incorporate an analysis of if, when, and how to contact law enforcement into your company’s overall data breach response plan. In doing so, identify the person or department within the company that will have the authority to make the decision to contact law enforcement and what the basis for that decision should be.

And in the event that law enforcement contacts your company before you have decided whether to call them, identify in your company’s response plan who will have the authority to speak with them on such a call, along with what the initial steps will be to assist and respond to the inquiry.

Lastly, consider reaching out to law enforcement in non-crisis times. State, local, and federal agencies charged with preventing cybercrime often have industry liaisons whose jobs are to work with companies in a particular region or industry to educate employees on how to prevent and respond to cybercrime and to foster public-private cooperation. Corporate counsel, security staff, or experienced outside counsel may be able to arrange for such a meeting.

John E. Clabby
Joseph Swanson

John E. Clabby and Joseph W. Swanson are of counsel in Carlton Fields Jorden Burt’s Tampa office, where they defend companies and officers in government investigations and securities and corporate governance litigation. Both are former criminal Assistant U.S. Attorneys and Computer Hacking and Intellectual Property (“CHIP”) prosecutors, who specialized in gathering and assessing electronic evidence and investigating computer crimes. Clabby can be reached at jclabby@cfjblaw.com. Swanson can be reached at jswanson@cfjblaw.com.