‘Dear Mary,’ is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. ‘Dear Mary’ goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.
Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.
Thank you for reading!
Dear Mary,
One of our critical service providers recently suffered a cyberattack. It’s all over the news, and our business operations are severely impacted. We’re losing money every day, and we have no idea how long this will last. Do you have any suggestions on what to do? The lack of information from our service provider is incredibly frustrating.
– Frustrated in Dallas
June 26, 2024
Dear Frustrated,
You are not alone in facing this challenge. Many businesses have encountered similar issues, and if they haven’t yet, they should brace themselves because they likely will in the future. Here are some steps to consider:
- Ensure Your Environment is Secure: If there’s any chance the cyberattack could have spread from your service provider to your own systems, take immediate action to secure your environment. This might include hiring a forensic investigation firm to thoroughly check your systems, just to be safe.
- Hire a Forensic Accountant: Consider bringing in a forensic accountant to help your team determine and document any potential business losses. This could be crucial if you plan to file an insurance claim to recover some of these losses. It’s better to address this now rather than scrambling to figure it out later.
- Business Continuity Options: Consider whether there are any business continuity options to mitigate the potential disruption. This could include looking into alternate service providers (even if just temporary) to ensure continuous operations.
- Review Legal Notification Obligations: If your service provider handles personal information on your behalf, you need to consider any legal notification requirements that may be triggered (e.g., your company may have a legal obligation to notify others about the incident). Consult with legal counsel to understand what obligations you may have if any of your data has been compromised. With that said, you may not even know at this point what data of yours, if any, is involved. This takes me to my next point.
- Extend Some Grace to Your Service Provider: This might be difficult, but try to be patient with your service provider. Cyberattacks are increasingly common, and thorough investigations and recovery efforts take time. Ensure they are taking appropriate steps, but once you have confirmed that, give them some space to manage the situation. Pressuring them for immediate information may result in inaccurate updates or a faulty timeline. Your legal counsel can help you determine how much time is reasonable and when it might be necessary to apply more pressure.
Good luck to your team. Seems like every day we hear about a new vendor incident. Breach notification laws need to catch up in this regard, but that’s a discussion for another day…