The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 6 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, and Part 5.

Part 6: Internal v. External Forensic Resources.

Situation. If a breach is relatively minor in size and scope, internal IT resources may be able to handle its investigation. If, however, a breach is large in size and scope, many companies prefer to retain external forensic investigators that specialize in breach investigations. The difficulty, of course, is that it is nearly impossible to tell ex ante the size and scope of a breach.

Strategic considerations: Management typically considers the following when determining whether to engage external resources:

  1. Operational Impact. All forensic investigations divert IT resources from normal business needs. That said, the degree of operational impact is typically far less if an external forensic investigator leads the investigation.
  2. Chain of Custody. If litigation or an investigation arises from a security incident, questions may arise concerning what evidence was preserved and whether the evidence was preserved correctly. If internal resources were used, the individuals that collected evidence may be called upon to testify as to their evidentiary methods and to establish a chain of custody.
  3. Management Confidence. Most IT departments do not receive significant training on forensic investigations and lack the internal resources to perform complex investigatory tasks (e.g., to reverse engineer malware, to break encryption, or to perform complex log correlations). If management relies upon internal resources to investigate a security incident, management should consider the level of confidence that they will feel in the ultimate findings of the investigation.
  4. Cost. Companies that specialize in forensic investigation are not cheap. The average cost of a forensic investigation by a third party is approximately $250,000 (although the median is ~$40,000). That said, complex forensic investigations that require examination of numerous hosts and servers can reach seven figures.
  5. Speed. If an investigator is able to deploy large quantities of external resources, they may be able to complete an investigation faster, which may, in turn, allow a company to identify and remediate a breach (and thus limit exposure) in a shorter time frame. For example, if ten machines need to be imaged and a company maintains in-house capability to forensically image one machine per day, the preservation component of an internal investigation may take 10 days, as compared to an external investigator that has the capacity to deploy ten simultaneous teams and accomplish the same preservation in 1 day.

This is part 2 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Part 1 can be found here.

Part 2: Should You Disclose A Breach If You Are Not Required To Do So By Law.

Situation. State data breach notification statutes only require that an organization disclose a data breach if the breach involves specific types of data. In most states that includes only Social Security Numbers, Driver’s License Numbers, or financial account numbers that permit access to accounts. Many data breaches, however, involve the loss of other types of information (e.g., salary, date of birth, demographic information, email address, mailing address, etc.). In situations in which a breach involves data types that do not trigger a breach notification requirement, management often struggles with whether to (1) voluntarily notify impacted individuals, and/or (2) voluntarily notify regulators.

Some strategic considerations: Management typically considers the following factors when determining whether to disclose a security incident that does not involve data fields that legally require disclosure:

Pros of voluntary disclosure.

  1. Disclosing a data breach can avoid allegations that the company intentionally withheld information about the breach from the public.
  2. Although state data breach notification statutes may not require disclosure, most lawsuits involving data breaches are based on negligence or breach of contract. As a result, the fact that the company was not required to disclose the breach does not necessarily mean that a plaintiff may not initiate litigation under a different legal theory relating to the company’s decision not to disclose.

Cons of voluntary disclosure.

  1. Notifying individuals about a data breach that does not involve the type of information that could be used to perpetrate identity theft can be confusing and unnecessarily alarming to the individual notified. For example, individuals that have been notified about breaches involving relatively innocuous data (e.g., their address), but have experienced ID theft in the past, often wrongly attribute that ID theft to the breach.
  2. Voluntary notification imposes an immediate and direct cost on an organization. In addition, companies often offer ID protection services to impacted individuals, even if the breach does not raise the prospect of ID theft, to assuage individuals’ misunderstanding concerning the impact of the breach. That too can drive direct costs. Many cyber-insurance policies will not reimburse companies for the cost of voluntary notifications or offers of ID theft related services.
  3. Voluntary notification may draw attention to a breach that might otherwise not become public. The attention may negatively impact the reputation or brand of the company.