It is an otherwise normal day until you, the General Counsel, receive a call from the CIO: “We have a cyber-security breach. We’ve identified some unusual activity and it appears that data has been sent out to unknown IP addresses. We don’t know all the details yet. At last month’s tabletop session on security you reminded us to bring you into the loop as soon as we suspected a problem.” She fills you in on what appears to have been compromised: 40,000 customer files. She adds that the entire IT system is sluggish and not responding in many locations.
Stage 1 -
You review the incident response plan that you put in place last month: (1) whom to notify within the company, with their emergency contact information (CEO, CFO, CIO, and all the other executives who will no doubt want to be part of the excitement); (2) whom to notify outside the company, with their contact information – outside counsel, vendors, regulators, law enforcement, the press; (3) the state-by-state analysis of requirements for notifying persons whose data has been compromised, in the various jurisdictions in which you operate (or is it better simply to notify everyone, following the most demanding state’s requirements?); (4) your recently negotiated contract with a forensic investigation firm; (5) your recently negotiated contract with an outside call center and mail house to handle the calls and breach letters.
Originally published on InsideCounsel.com on January 12, 2016.