Experts Weigh In On Data Breach Response, Part 2: What to Do, Who to Call, & How to Proactively Mitigate Risk
Canopy recently moderated an intriguing discussion on LinkedIn Live featuring four experts: Allison Bender, Partner at Dentons; Brandy Griffin, Director of Cybersecurity Operations at Avalon Cyber; Jen Olmsted, Chief Business Officer & Co-Founder at CyTrex Cyber; and Mike Borgia, Partner & Information Security Practice Lead at Davis Wright Tremaine.
This webinar features a great mix of perspectives on data breach response, from digital forensics & incident response (DFIR) and PII review to legal counsel. Read below for part two of our two-part recap, with expert recommendations on the first steps to take amid a breach, who to involve, and how to mitigate risk before an incident occurs. (Click here to read part one.)
What’s the range of reactions you see in clients who have suffered a breach?
Allison: It’s pretty varied: from shock, denial, and all the stages of grief to “well, we knew this would happen eventually — just fix it.” Consistently though, breached companies are grateful to be working with a firm that has handled lots of cyber incident cases. We’re able to help coordinate the response and manage the symphony of vendors, while keeping legal risk top of mind.
Mike: These reactions present different challenges, but one of the best things that legal counsel can do is give clients a roadmap: what’s happening, why, and what’s coming next. It helps to set expectations upfront regarding timelines so that they can prepare themselves and communicate effectively with other stakeholders.
What do you recommend for clients who have just been breached?
Brandy: Most of our clients are small- to medium-sized businesses (SMBs). Our first question to them always is: Do you have legal counsel? If not, we immediately connect them with a firm that specializes in cyber law and can meet SMBs’ unique needs. A very small percentage of our clients choose not to hire counsel from the outset, or they go with a generalist attorney that they already have a relationship with for other things — and we almost always have to correct that decision later on. This is a very niche space, and you need counsel with specialized knowledge.
Allison: I like to compare picking your legal counsel to the healthcare field. Your general practitioner is not who you want to see in the ER. Your dentist and your proctologist are not the same. Just like with doctors, not all lawyers have the same knowledge or specialty — and the same goes for forensics teams and managed services providers. If you already have counsel on retainer that specializes in another area of law, your breach counsel can still collaborate with them to get important background on your business. Putting in the work upfront to find that specialized counsel will pay off down the road.
Jen: Bring in all of your service providers together from the start, before an incident takes place. Involve legal counsel, a crisis communication firm, and a forensic firm in the development of your IR plan. Otherwise, some of these companies will be playing catch-up if-and-when an incident occurs, which wastes valuable response time.
Mike: There’s a lot at risk for companies in choosing legal counsel for these projects. At a glance, data privacy laws don’t appear complicated: it’s not that hard to go look at a data breach statute and understand reporting requirements. But the problem comes in taking complex technical evidence and trying to evaluate whether it meets the standards or determine how a regulator would view it — these are tough questions that require expertise with forensic reports and data. You should choose counsel that is capable of deciphering that and explaining how to proceed in a way that mitigates risk. At the same time, don’t kick out your existing counsel — allow them to work together with your breach counsel for optimal outcomes.
What does a legal team look for in an IR vendor?
Mike: The number one thing I look for is thinking and strategy, and this is a challenge as the industry becomes more commoditized. Where are the client’s biggest risks in terms of systems and data? If I could change one thing about the industry, it would be to not have breach response firms sitting so far downstream, but to move them up to the beginning so they can ask questions and help counsel and the client process the incident. What typically happens now is IR firms take the compromised data, run some search terms and regex, and have reviewers churn through that for a few months. But is that the right solution? Well, that depends on what data is stored in this location, can we predict certain things about the data, can we organize the data in a certain way? So you want a breach coach that can ask these questions and then determine a path forward that makes the most sense for each individual client.
What proactive and reactive steps are companies taking now?
Brandy: The attacks we’re seeing now are targeting low-hanging fruit — the most basic precautions that companies should be taking, but aren’t. Although ransomware makes the headlines most often, the majority of successful cyber attacks come from phishing emails, remote desktop protocol (RDP) vulnerabilities, and software flaws. According to the FBI’s Internet Crime Center, business email compromises (BECs) went up from 1.8 billion in 2020 to 2.4 billion in 2021 — ransomware came in at just 49.2 million.
Start building your defenses with these basics. Then, focus on deepening your defense by:
- Putting together a security program,
- Initiating regular pen testing,
- Monitoring your network-connected devices & cloud applications, and
- Making sure you have the right people on your cybersecurity team.
You need to make sure that you have a strong triad of people, process, and technology. There’s no “silver bullet” in cybersecurity: It feels great to purchase the latest cybersecurity software, but without the right team (both internal & external), layered security, and processes, you can still be breached or fail to conduct a compliant breach investigation, leading to fines.
To learn more, watch the full LinkedIn Live webinar (originally aired on May 11, 2022).