
War Story 110: Ransomware Incident, Encrypted Files

An employee of a midsize CPA firm opened an unsolicited email attachment that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that the file names were rapidly being changed to “Needs Decrypting.”

The employee turned off and rebooted his computer, but the ransomware had already spread to all the firm’s servers, and all the files became encrypted. The employee reported the incident to the firm’s managing partner, who emailed all firm employees, notifying them of a “data breach.”

The partner then emailed and called the firm’s IT staff, who deleted all of the encrypted files and restored the files from a backup.

The partner also emailed a local attorney who knew the firm and specialized in data breach laws and notice obligations. The attorney asked an IT forensics expert to investigate the incident and to help determine whether the firm’s clients should be notified. The forensics expert arrived at the firm and conferred with the attorney and the firm’s IT staff.

After reading the following questions, select the one answer that is the best response.


1. What was the conclusion reached by the IT forensics expert and the attorney?

A.

Since all of the encrypted files had been deleted, and the files restored from a backup, there were no concerns about personal information in the files being accessed.

B.

Because the files had been deleted, the forensics expert was unable to determine whether the hacker had accessed the personal information in them, and therefore the firm was required to notify all of its clients of the incident.

2. Which of the following responses to this incident was not a mistake:

A.

Opening an unsolicited attachment

B.

Turning off and rebooting the computer

C.

Reporting the incident to the managing partner

3. Which of the following actions taken by the managing partner was a mistake:

A.

Notifying all firm employees of the incident

B.

Referring to the incident as a “breach”

C.

Emailing the attorney

D.

A and B

E.

All the above

4. Which step should the firm take first in response to a cyber incident?

A.

Call an IT forensics expert to determine whether a breach has occurred.

B.

Report the incident to the firm’s attorney or cyber insurance carrier.

C.

Report the potential breach to law enforcement.

Answers

1. Answer A: Incorrect.

Because the files had been deleted, the forensics expert was unable to determine whether personal information had been accessed. Federal regulation therefore required client notifications. Evidence should be preserved to resolve an incident or conduct an investigation. Actions on affected systems should be restricted to forensics experts.

Answer B:

Correct. Since the forensics expert was unable to determine whether personal information had been accessed, federal regulation required client notifications. Evidence should be preserved to resolve an incident or conduct an investigation. Actions on affected systems should be restricted to forensics experts.

2. Answer A: Incorrect.

Opening an unsolicited attachment is a mistake that can be avoided. If the email was not solicited or expected, the recipient should delete it or check with the sender before opening the attachment or clicking a link. Such actions can download viruses and malware to the computer network.

Answer B:

Not incorrect, but not the best response. Isolating the affected device from the internet and the rest of the firm’s network is usually the first thing IT forensics experts or counsel suggest, since a machine that stays connected can keep spreading the malware. Isolation, however, means disconnecting the network cable or disabling Wi-Fi, not powering off: a shutdown or reboot discards volatile evidence (running processes, network connections, and any keys the ransomware holds in memory) that the forensics expert may need, which is one more reason actions on affected systems should be left to them. The user should also note the date, time, systems and data affected, and who discovered the incident, and report the incident to the person responsible for incident response.

Answer C:

Correct, and the best response. The managing partner of the firm functioned much like a Chief Information Officer in a larger organization and as such had ultimate authority and responsibility for managing information security.
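The answers to questions 1 and 2B above come down to two habits: do not alter the affected files before the forensics expert has seen them, and write down when, where and by whom the incident was discovered. The script below is an added example, not part of the original article, of a read-only triage inventory that does both: it hashes every file in a share, flags files carrying the “Needs Decrypting” marker from the story, records the note outside the affected tree, and can later prove that nothing was touched. The ransom-note file names and the sample directory it builds are constructed for illustration; real ransomware families use different names, so they are an assumption, not a detection signature.

```python
"""Read-only ransomware triage inventory (added example, not the article's code)."""
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_MARKER = "Needs Decrypting"  # wording taken from the story above
# Hypothetical ransom-note names: an assumption for the example, not a real signature.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "decrypt_instructions.html"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks; the file is opened read-only and never modified."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Walk `root` and record hash, size and mtime of every file, flagging
    encrypted files and ransom notes. Nothing under `root` is written or deleted."""
    files = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        files.append({
            "path": p.relative_to(root).as_posix(),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
            "encrypted": ENCRYPTED_MARKER in p.name,
            "ransom_note": p.name.lower() in RANSOM_NOTE_NAMES,
        })
    return {
        "files": files,
        "encrypted_count": sum(f["encrypted"] for f in files),
        "ransom_notes": [f["path"] for f in files if f["ransom_note"]],
    }


def unchanged(root: Path, inv: dict) -> bool:
    """Re-hash the tree and compare with an earlier inventory: True only if
    every recorded file is still present with the same contents and no files were added."""
    current = {f["path"]: f["sha256"] for f in inventory(root)["files"]}
    same = all(current.get(f["path"]) == f["sha256"] for f in inv["files"])
    return same and len(current) == len(inv["files"])


def incident_record(root: Path, discovered_by: str, summary: str) -> dict:
    """The note answer 2B asks for: when, on which host, who found it, what was affected."""
    return {
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "host": socket.gethostname(),
        "discovered_by": discovered_by,
        "summary": summary,
        "scope": str(root),
        "inventory": inventory(root),
    }


def write_record(record: dict, out_path: Path) -> str:
    """Write the record somewhere outside the affected tree and return its own
    SHA-256, so the record itself can later be shown to be unaltered."""
    data = json.dumps(record, indent=2, sort_keys=True).encode()
    out_path.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def build_sample_tree() -> Path:
    """Constructed sample data standing in for the firm's file share (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="ransomware_triage_"))
    (root / "clients").mkdir()
    (root / "clients" / "smith_2023.pdf Needs Decrypting").write_bytes(b"\x00" * 64)
    (root / "clients" / "jones_2023.xlsx Needs Decrypting").write_bytes(b"\xff" * 128)
    (root / "clients" / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
    (root / "untouched.txt").write_text("still plaintext")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    rec = incident_record(sample, "employee (constructed)", "files renamed to 'Needs Decrypting'")
    digest = write_record(rec, sample.with_name(sample.name + "_record.json"))
    inv = rec["inventory"]
    print(f"{inv['encrypted_count']} encrypted files, ransom notes: {inv['ransom_notes']}, "
          f"record sha256={digest}, tree unchanged={unchanged(sample, inv)}")
```

Run it against the share (or a mounted image of it) before anyone deletes or restores anything; the JSON record and its hash are what the forensics expert and counsel can later rely on, and a second call to `unchanged` shows whether the evidence was altered in the meantime.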

3. Answer A: Correct, but there’s a better answer.

Only members of an Incident Response Team should be notified, not all employees. Handle incident communications on a need-to-know basis.

Answer B:

Correct, but there’s a better answer. Do not use the term “breach,” which may imply a legal conclusion. Instead, call it a “security incident” or simply what it is (e.g., a “lost laptop”).

Answer C:

Correct, but there’s a better answer. Email should be avoided when communicating about an incident, because the email and other electronic systems may themselves be compromised and an attacker may be reading them; use the telephone or another channel outside the affected systems instead.

Answer D:

Correct, but there’s a better answer.

Answer E:

Correct and the best answer.

4. Answer A: Incorrect.

If a forensics expert conducts an investigation outside of the firm’s relationship with an insurance carrier or attorney, the communications produced by the investigation may not be protected by attorney-client privilege.

Answer B: Correct.

The firm should first report the breach and obtain the advice of the firm’s attorney or insurance advisers. The subsequent communications produced by an investigation may then be protected by attorney-client privilege. If a breach has occurred, as defined by the state and federal laws that apply, the next steps would include complying with those laws, which may require reporting to law enforcement.

Answer C: Incorrect.

A potential breach should not be reported to law enforcement before it has been determined, with counsel, that a breach has occurred as defined by the state and federal laws that apply. Once that determination is made, the next steps would be to comply with those laws, which may require reporting to law enforcement.
