Dear Mary,
One of our critical service providers recently suffered a cyberattack. It’s all over the news, and our business operations are severely impacted. We’re losing money every day, and we have no idea how long this will last. Do you have any suggestions on what to do? The lack of information from our service provider is incredibly frustrating.
– Frustrated in Dallas
June 26, 2024
Dear Frustrated,
You are not alone in facing this challenge. Many businesses have encountered similar issues, and if they haven’t yet, they should brace themselves because they likely will in the future. Here are some steps to consider:
- Ensure Your Environment is Secure: If there’s any chance the cyberattack could have spread from your service provider to your own systems, take immediate action to secure your environment. This might include hiring a forensic investigation firm to thoroughly check your systems, just to be safe.
- Hire a Forensic Accountant: Consider bringing in a forensic accountant to help your team determine and document any potential business losses. This could be crucial if you plan to file an insurance claim to recover some of these losses. It’s better to address this now rather than scrambling to figure it out later.
- Business Continuity Options: Consider whether there are any business continuity options to mitigate the potential disruption. This could include looking into alternate service providers (even if just temporary) to ensure continuous operations.
- Review Legal Notification Obligations: If your service provider handles personal information on your behalf, you need to consider any legal notification requirements that may be triggered (e.g., your company may have a legal obligation to notify others about the incident). Consult with legal counsel to understand what obligations you may have if any of your data has been compromised. With that said, you may not even know at this point what data of yours, if any, is involved. This takes me to my next point.
- Extend Some Grace to Your Service Provider: This might be difficult, but try to be patient with your service provider. Cyberattacks are increasingly common, and thorough investigations and recovery efforts take time. Ensure they are taking appropriate steps, but once confirmed, give them some space to manage the situation. Pressuring them for immediate information may result in inaccurate updates or a faulty timeline. Your legal counsel can help you determine how much time is reasonable and when it might be necessary to apply more pressure.
Good luck to your team. Seems like every day we hear about a new vendor incident. Breach notification laws need to catch up in this regard, but that’s a discussion for another day…
— Mary
“Dear Mary,” an advice column from Troutman Pepper’s Incidents + Investigations team, will answer questions about anything and everything cyber-related — incident response, forensic investigations, responding to regulators, breach-related litigation, and much more. “Dear Mary” goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to our readers’ questions with concise, practical answers. Answers will be general in nature and will not contain legal advice. If you need legal advice or representation, please contact one of our attorneys directly. “Dear Mary” also can be found here on the firm’s website.