We reached out to the F.B.I. numerous times to ask them if users of Kaspersky Lab software should report they were breached. The Bureau had been advising companies not to use the software and reports surfaced that the software may have been used to hack into government systems. Kaspersky vehemently denies the claim.

This is potentially a major issue and for whatever reason, there is no other entity discussing it. At least not any we’ve come across. Here are the questions we sent to the F.B.I. and we believe need to be answered by many organizations:

• Do they need to report usage of Kaspersky products as a possible breach – there are numerous compliance organizations such as HIPAA, PCI, etc. which have procedures for breaches – where does use of this software fall?
• The NCSL has a list of security breach notification laws which vary by state. Do companies have to scour state by state to see if use of this software could be considered a violation?
• FINRA requires companies to have a response when assets have been compromised, what should they do if they were a Kaspersky user?
• Should companies who are concerned utilize dark web scanning tools to cross-reference their customer databases to see if their information could have leaked out?
• Are you aware of any instances where information was taken off a computer via Kaspersky software?
• What other warning signs should organizations look for which may signify their information has been compromised?

Even though the FBI didn’t answer, perhaps they don’t need to as recent reports have surfaced that the company’s software was used to hack an NSA contractor working on files at home. The reports say Russian-backed hackers used Kaspersky software to identify files on the contractor’s computer which were then stolen. The breach happened in 2015.

The bottom line is if this story is true, every user of this software needs to report a potential breach to all applicable authorities.

One imagines it has to be based on the following incidents:

• Elaine C. Duke, the acting secretary of Homeland Security, ordered federal agencies to develop plans to remove Kaspersky software from government systems.
• At a Senate hearing in May, a number of senior American security officials, including the chiefs of the F.B.I. and the C.I.A., responded when asked if they would be comfortable with Kaspersky software running on their agencies’ systems: “No,” they said.

There seems to be no doubt, this incident has implications for HIPAA, PCI, FINRA and numerous other compliance organizations.

It’s not just companies but their contractors and home workers. There are 400 million Kaspersky users. Companies using Kaspersky are in the crosshairs but so are ones where just one person works from home with Kaspersky on their computer.

We expect this to be the next shoe to drop in the Kaspersky story. Stay tuned