Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident.

Although in the midst of an emergency you may feel that you have relatively little leverage to negotiate preferable terms in a service agreement with a forensic investigator, given the sensitivity of the information to which the investigator will have access it is essential to make sure that your service agreement protects your organization. The following provides a snapshot of information regarding forensic investigation costs:

Please click here to view the table. 

What to consider when retaining a forensic investigator:

  1. Does the forensic investigator have sufficient expertise to conduct the investigation?
  2. Does the forensic investigator have sufficient capacity to immediately deploy resources to timely investigate the incident?
  3. Is there a master service agreement already in place?
  4. Does the agreement contain data security provisions that are appropriate for a contractor that is likely to gain access to sensitive personal information?
  5. Does the agreement contain data privacy provisions that are appropriate for a contractor that is likely to gain access to sensitive personal information?
  6. Is the agreement structured to protect attorney-client privilege?
  7. Does the forensic investigator understand what you expect of them to maintain attorney-client privilege?
  8. Does the agreement include sufficient protections in the event that the forensic investigator is itself breached?
  9. If the organization has cyber-insurance, is the forensic investigator a preferred provider and/or approved by the insurer?
  10. Does the forensic investigator represent a business partner that may have an interest in the incident? If so, is there a potential conflict of interest?