Experts Weigh In On Data Breach Response, Part 1: Process, Technology, & the Influence of Cyber Insurance
Canopy recently moderated an intriguing discussion on LinkedIn Live featuring four experts: Allison Bender, Partner at Dentons; Brandy Griffin, Director of Cybersecurity Operations at Avalon Cyber; Jen Olmsted, Chief Business Officer & Co-Founder at CyTrex Cyber; and Mike Borgia, Partner & Information Security Practice Lead at Davis Wright Tremaine.
This webinar features a great mix of perspectives on data breach response, from digital forensics / incident response (DFIR) and PII review to legal counsel. Read below for part one of our two-part recap, laying the groundwork for what data breach response is, how it has evolved over its short lifetime, and the influence that cyber insurance has over it.
What is data breach response, and how has it changed over the years?
Allison: Many breach notification regulations across the globe come from the cybersecurity space, stemming from a much longer legacy related to privacy and protecting sensitive data. This can include everything from individuals’ personally identifiable information (PII) to financial and confidential business data. In the United States, all states & territories have a breach notification requirement; in Europe, we have GDPR; and similar requirements are rapidly increasing across the globe. The push for more transparency around data compromises is caused by us having reached a tipping point on ransomware and severe hacks, forcing agencies into action.
Some examples from the U.S. include:
- The federal Cyber Incident Reporting for Critical Infrastructure Act mandating reports within 72 hours of a breach or within 24 hours of a ransomware payment
- The Department of Transportation (DOT) cracking down on oil & natural gas breach reporting following the Colonial Pipeline ransomware incident
- The Securities and Exchange Commission (SEC)’s proposed cybersecurity disclosure mandate for all public companies
- The Federal Trade Commission (FTC)’s revitalized focus on its Health Breach Notification Rule
Mike: This area is so new that it didn’t exist when I was in law school. And the complexity is rapidly increasing — there are many different regulations related to data breach & incident response that businesses must abide by. As is often the case, some companies are taking longer than others to catch up. But in general, we’re seeing companies show an appreciation for this complexity by consulting legal experts as they prepare their incident response plans.
How did ediscovery & data breach response become intertwined, and what impact does that have?
Jen: The data breach response market is so new and technology is just now catching up. In the beginning, ediscovery providers were well-positioned to step in and treat data breaches the same way, using tools and workflows that were built for litigation — but we’ve found over time that it's not working. Ediscovery tools aren’t built to find documents containing PII or protected health information (PHI), so they aren’t able to effectively cull data before bringing in the review team. And they aren’t built to handle structured data, like spreadsheets with hundreds of thousands of rows.
In my experience with ediscovery cases, we would do everything possible — utilizing search terms, writing scripts — to reduce data before sending it to review. But I’m just not seeing that in the data breach response space; on the contrary, I’m seeing companies send entire data sets off for review without culling them at all, which is really inefficient and gets costly fast.
What processes & technology are necessary for efficient data breach response?
Brandy: We’ve seen huge advancements in the speed and accuracy of both digital forensics investigation tools and PII review tools. As soon as a client tells us they’ve had an incident, we ask them a slew of questions about their data, including:
- Where do you keep your sensitive data?
- Was that data location impacted?
- Is that data encrypted at rest and in transit?
The answers to these questions help guide our investigation and make decisions about what needs to go to PII review.
Jen: Being able to use breach-specific technology not only helps you reduce the volume of data being reviewed, it also allows you to identify the PII upfront. This allows reviewers to mostly QC the software’s findings, and then focus their manual efforts on documents they know to be PII-rich. Rethinking the workflows and implementing new, purpose-built data breach response tech is more difficult upfront, but the investment leads to better, faster, more cost-effective results than can be achieved by repurposing ediscovery tools.
What role does cyber insurance play in data breach response?
Allison: Cyber insurers have a whole panel of experts for their policyholders to use, usually at negotiated rates — from forensics providers and legal counsel to breach coaches to crisis communications firms. While insurance companies can drive the selection of providers to some extent, legal strategy, direction of the investigation, and timing are worked out by clients and their legal counsel.
Mike: Approximately 50% or more of the clients that DWT works with have some form of cyber insurance. To some extent, whether or not a client has cyber insurance influences their approach to incident response. Clients that aren’t insured are typically more worried about costs, since they are paying out-of-pocket. On the other hand, I don’t really see clients intentionally splurging because they have insurance — they’re still aware of costs, as insurance coverage isn’t completely guaranteed. I do see more willingness among insured clients to hire “extras” like PR firms, because they are on the insurer’s panel. Insurance companies can also shape the process because they prefer both cost and workflow predictability, making them a bit averse to change. So communication with the insurer upfront, before an incident occurs, is extremely important in order to implement change.
Jen: Cyber insurers are also cracking down on companies that don’t do enough proactively to protect their environment. So we’ve recently seen some companies choose not to leverage their policies for incident response, because they’re afraid of losing their coverage. Then there’s an additional group of companies that will do everything in their power to get through an incident as quickly as possible to get back up and running immediately.
Brandy: The value of cyber insurance extends past simply coverage of costs. Companies often don’t realize how many different service providers are involved in breach response until they experience an incident. Cyber insurance has a panel ready to go, engages on your behalf, and provides guidance throughout.
Jen: And it’s paramount that these service providers keep an open line of communication and collaborate to deliver the most accurate, fast results.
To learn more, watch the full LinkedIn Live webinar (originally aired on May 11, 2022).