Sometimes one must look past the headlines (Target’s $18.5 million deal with the states) to see what’s truly important in effective data breach response.
Last week, in the Experian data breach litigation, the District Court denied plaintiffs’ motion to compel production of the forensic analysis report on the breach, prepared by Mandiant. Why? Because it was Experian’s law firm that retained Mandiant to perform the forensic analysis and prepare its report, in anticipation of litigation. According to the court:
- Jones Day hired Mandiant to assist the law firm in providing legal advice to the client Experian;
- Mandiant’s report was based on server images that are independently discoverable, without the report;
- only a summary, not the full report, was shared with Experian’s internal Incident Response Team; and
- though Mandiant had in the past worked directly for Experian on other matters, this engagement was separate.
On this basis the court held that the report was protected work product, without even reaching the additional point of attorney/client privilege.
So what’s the big deal? It’s this – in the heat of an unfolding security incident (in Experian’s case, impacting 15 million people), things move fast. Really fast. Victim companies scramble to understand what happened, when it happened, what must now be done, and by when. The what and when are of course important, but so too are the who and how of effective breach response. For example, a natural move under the gun is to have the infosec folks immediately bring in an outside security/forensics firm and turn them loose. Sounds great … until litigation ensues, and all of the forensic firm’s analysis is fair game in discovery – the good, the bad, and the ugly.
This is a no-win situation, for both the unprepared and the semi-prepared:
A company with an IT incident response plan but without a breach response readiness plan will toss the keys to its Infosec team, which will contact its IT security provider for incident forensics, either hiring them on the spot or deploying them under an existing service agreement. This makes perfect sense to the Infosec team, which is driving the immediate response and is single-mindedly focused on the vitally important response actions of detect-evaluate-contain-eradicate-restore. Problem is, these Security and Forensic activities comprise only two of the up to ten activity channels at play in effective breach response. What are the other eight?
- Legal: conduct fact-finding, analyze breach response and notification requirements and exceptions, contract with response service providers, and determine whether and when to issue a legal hold;
- Law Enforcement: determine whether, when, and how to notify which branch of law enforcement, and coordinate access, information-sharing, and the overall investigation;
- Regulators: determine whether, when, and how to notify which regulators, and coordinate ensuing inquiries, information-sharing, and repercussions;
- Insurance Coverage: evaluate existing coverage under traditional and cyber policies, determine when and how to notify insurers, ensure use of approved response service providers, coordinate information-sharing, and document response costs and activities as required for coverage;
- Public Relations: determine the communications plan, execute the plan, and anticipate and handle the unexpected;
- Stakeholders: timely brief, escalate, and update internal management and Board stakeholders, and coordinate appropriate communications with business partners and other key stakeholders;
- Notifications: as appropriate, engage a notification service provider, identify whom and how to notify, determine the need for call center support, decide whether and what credit monitoring and fraud resolution services to provide, and stage, test, and deploy breach notifications; and
- Personnel Management: determine employee involvement and any policy violations, act on appropriate employee counseling or discipline, and communicate as appropriate with the workforce.
Each of these ten activity channels entwines with the others. The company’s Security and Forensic actions must be coordinated with the other activity channels in managing the overall breach response. Otherwise, what seems like a great move – like the Infosec team bringing in the forensics firm – can be disastrous in the long run.
The semi-prepared have a breach response “plan” but haven’t taken the time to make it actionable. When a critical security incident arises, and forensics is needed on the ground, pronto, the semi-prepared lose precious time. If there’s cyber insurance, the semi-prepared wait for a cyber insurer to connect them with a panel law firm, which then must run conflicts. Regardless of cyber insurance, through in-house counsel or outside retained counsel, a forensic firm must still be found, which takes additional time. And that forensics firm will (1) be unfamiliar with the company’s IT system configurations and logging practices, and (2) have all the bargaining power in negotiating its engagement.
A well-prepared company will not only have an IT Infosec response plan – it will have a breach response readiness plan to coordinate the ten critical response channels of activity. It will also have made its breach response plan actionable, by having both its law firm and forensics firm vetted, selected, and good to go.
So yes, in the crucible of breach response, what and when are indeed important. But as the Experian case reminds us, never forget the importance of who and how.