What Happens After the Click?

It starts with something small. An employee clicks a link they thought was safe. A pop-up flashes across their screen. Files begin to disappear. Systems lock up. The phones start ringing—and panic spreads.

Your company has just been hit by a cyber attack.

Customer data is frozen. Internal systems are inaccessible. And then comes the message:

"Your data has been encrypted. Pay now, or lose everything."

For many businesses, especially small to mid-sized ones, this is where chaos sets in. Not because the breach happened—but because no one knows what to do next. The firewalls and antivirus software weren’t enough. And now the real questions begin:

  • “Do we have to pay this?”
  • “Who do we call first—our IT provider? Legal? The FBI?”
  • “Are we completely at the mercy of the ransomware operators?”

In this episode of One Step Beyond Cyber, our host Scott Kreisberg talks with attorney Andrew Garbarino. Andrew is an expert in White-Collar Criminal Defense, Cybersecurity Law, and legal cases involving medical professionals under investigation or disciplinary review. They discuss what many companies miss: the legal issues after a cyber attack. This includes breach notifications, lawsuits, insurance problems, and ransomware negotiations.

Can Your Business Survive Without a Proactive Cybersecurity Strategy?

Cyber criminals are already sophisticated—and with the rise of artificial intelligence (AI), they're becoming even harder to detect. This makes it easier for them to target small and medium-sized businesses (SMBs). These businesses are often seen as easier targets because they have weaker cybersecurity defenses.

The threat landscape keeps evolving, and businesses face risk from several kinds of actors:

Nation-State Attacks: Countries like Russia, China, and North Korea have been linked to sophisticated cyber operations targeting foreign enterprises.

Insider Threats: Employees with malicious intent, or those who inadvertently compromise security, pose significant risks and are often the weakest link.

Financially Motivated Cyber Criminals: Organized crime groups and terrorist organizations often seek financial gain through cyber extortion methods like ransomware.

"Cyber criminals don’t rob Fort Knox—they go after thousands of small businesses with weaker defenses." — Andrew Garbarino

Notably, SMBs are increasingly targeted due to perceived weaker defenses. Cyber incidents such as ransomware attacks, data breaches, and IT disruptions are the top concerns for companies globally.

Step One After a Breach: Don’t Panic—Call Your Lawyer

You’ve just discovered your business has suffered a data breach. Whether it was a hacker, an insider threat, or an accidental exposure on your website, one question comes to mind: What now?

Your next steps are very important. Responding quickly and correctly can make the difference between a controlled incident and a costly disaster.

During the conversation, Andrew Garbarino outlined the critical first steps every business should take immediately after discovering a cyber incident. These include:

  1. Contact Legal Counsel: Engaging your attorney promptly ensures that communications and findings are protected under attorney-client privilege. Every breach is different, but the Federal Trade Commission (FTC) lays out a clear response process for businesses that helps protect the people affected (see the FTC's Data Breach Response: A Guide for Business).

  2. Notify Your Insurance Provider: It is important to tell your cyber insurance company about the breach. This starts the claims process and helps you understand your coverage.

  3. Assemble a Response Team: This team should include cybersecurity and IT professionals, legal advisors, and public relations experts so the crisis is managed on all fronts at once. This is also why having a written incident response plan matters before an incident occurs.

Legal vs. Tech: Why Collaboration Is Crucial After a Data Breach

When a data breach occurs, time is of the essence—and how your organization responds in the first 24–72 hours can make all the difference. A well-coordinated response between legal and technical teams is not only smart—it's legally and financially critical.

Here’s why these departments must work together during cybersecurity incident response:

A. Forensic Analysis and Legal Interpretation Go Hand in Hand

After a breach, technical experts conduct a forensic investigation. They establish how the breach happened, which data was affected, and how far the damage spread. Those findings must then be framed through a legal lens.

Legal counsel helps determine:

  • Whether the incident meets the threshold for legal reporting
  • What contractual or regulatory obligations are triggered
  • What risks the business faces in terms of liability and potential lawsuits

Andrew’s Tip: Involve legal counsel early to ensure forensic findings are documented properly and align with compliance requirements.

B. Legal Teams Ensure Compliance with Data Breach Notification Laws

Regulatory requirements vary by industry and location. For example:

  • HIPAA: Requires healthcare organizations to issue breach notifications within 60 days.
  • FTC and state laws: Often require notification to affected consumers and regulators—some within as little as 72 hours.
  • PCI DSS: Requires organizations handling cardholder data to notify the affected payment brands (e.g., Visa, Mastercard) promptly after a breach, typically within 24–72 hours, and to comply with forensic investigation requirements.

Legal teams are responsible for:

  • Interpreting which laws apply based on the data involved
  • Drafting compliant notification letters and disclosures
  • Coordinating with regulators to avoid fines or sanctions

The FTC offers a comprehensive guide on data breach response steps for businesses.

Too often, companies treat cybersecurity as a tech issue and compliance as a legal one. In reality, data breach response sits at the intersection of both. By bringing your legal and IT teams together—from day one—you increase your chances of a compliant, controlled, and less damaging outcome.

Ransomware Negotiators: Yes, They Exist—And You May Need One

As Andrew Garbarino noted, one of the biggest mistakes companies make is realizing too late that they don’t have a reliable backup or clear incident response plan. That’s when ransomware negotiators enter the picture.

What Is a Ransomware Negotiator?

A ransomware negotiator is a third-party expert—usually with cybersecurity, legal, and risk management expertise—who communicates directly with attackers to:

  • Reduce ransom demands
  • Evaluate threat credibility
  • Explore data recovery options
  • Navigate compliance issues if a payment is being considered

When Do You Need One?

  • A ransomware attack has occurred
  • You have no viable data backup
  • You're considering whether to negotiate or pay
  • You need to avoid regulatory violations

"Paying a ransom without first checking with OFAC—the Office of Foreign Assets Control—can lead to even more legal problems. If the attacker is tied to a sanctioned entity, making a payment could violate federal law." — Andrew Garbarino

Key Takeaways: What You Should Do Today

  • Don’t just think about cybersecurity as an IT issue
  • Create or test your incident response plan
  • Review your cyber insurance policy with legal counsel
  • Know when to call in legal, IT, and communications teams
  • Explore ransomware negotiation options—before you're forced to use them

Tune in to the One Step Beyond Cyber Podcast on:

BuzzSprouts | Spotify | Apple Podcast | Amazon Music | YouTube