In spite of best practices, it is likely your organization will experience a serious data breach at some point. Once the initial shock wears off you'll be faced with numerous decisions, the most significant of which is whether to seek help from outside professionals such as attorneys, computer forensics investigators, information security consultants, privacy consultants and law enforcement.
Making informed and expedient decisions about when and who to call for help is critical. Organizations that hesitate can suffer serious or long-term consequences, such as loss of valuable data, permanent damage to their reputation, or fines for regulatory non-compliance. Organizations that jump too quickly may needlessly drive up investigative costs. Finding a happy medium is easier when you have a sense of what situations will require outside help. Here are some guidelines:
* Scope: When a breach is too big or complex for internal staff to handle, it is time to seek outside help. Depending on the nature of the breach, notification to regulatory agencies and consumers may be required and these must be performed within a specified time period. Not all organizations maintain sufficient human resources to quickly and properly handle notification and perform damage control activities at the same time.
HAPPY NEW YEAR: 12 Security Resolutions for 2013
Bringing in outside consultants provides organizations the much needed resources to continue running the business while investigation and containment activities are being performed. Consider your organization's capability for identifying the breach types that would be too burdensome to handle in-house.
* Crossing boundaries: Not all breaches are neatly contained within an organization. With the increased use of outsourcing and cloud services, investigating a breach often requires the cooperation of multiple companies. While individuals within an organization might get caught up in the blame game, outside consultants are not susceptible to such politics and are able to make more objective assessments.
In order to track perpetrators of a breach, investigators might also need to coordinate with Internet service providers (ISPs), search engines or social network sites. When such information is crucial to the investigation, it is important to involve law enforcement agencies, as these sources will only release data to law enforcement.
* Publicity: In cases of high-profile breaches, having work performed by outside experts lends some needed credibility during a difficult time, thus helping restore a company's reputation even before any damage has occurred. Obtaining outside assistance communicates to shareholders, customers, and the public alike that an organization is serious about resolving a breach.
During publicized breaches, the public may have a hard time believing what an organization says; however, assurances that issues are being addressed and actions are being taken to avoid future incidents made by an outside company are invaluable. Computer forensics investigators and other specialists, including attorneys, can bring much-needed gravity when such assurances need to be made -- whether to internal or external parties -- and particularly when announcements are to be made publicly.
Attorneys and PR consultants can assist company executives in crafting responses to the press that accurately portray the weight of the situation without creating undue panic that could result in negative damage. [Case study: "Zappos data breach response a good idea or just panic mode?"]
* Skill set: Specific legal, technical or evidentiary situations may require the use of an outside consultant. These outside experts work with these types of situations on a daily basis and are familiar with response techniques. Attorneys, for example, offer critical expertise when an area of regulation is relevant to a breach. Many regulations, including the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH) and Gramm-Leach-Bliley Act (GLBA) require some level of notification following a data breach.
Organizations may support applications on a regular basis and still lack the experience necessary to investigate breaches originating from such applications. For example, Microsoft SharePoint contains many intricacies and complexities that would frustrate employees trying to gather data if they are only familiar with SharePoint's day-to-day administrative tasks.
Evidence collection is another skill set that often requires the help of outside forensic investigators, since most companies do not have the resources to keep trained forensic investigators on staff and license the software necessary to do an investigation.
* Internal suspects: Outside experts should be considered when insiders are suspect. Recent data shows one-third of breaches are caused by insiders, such as unhappy employees, workers with alternate agendas, or those duped into committing a crime through social engineering.
When insiders are suspected, internal IT and the security staff may have a conflict of interest in providing an adequate breach response. Rather than preserving evidence, those complicit could remove it. Others may hide evidence out of sympathy or loyalty to those involved. In these cases, it is best to turn to outside help to avoid placing employees in an untenable position where they must choose between loyalty to company versus friends and colleagues.
* Attorney-client privilege: Internal communications following a breach are potentially damaging during litigation because it is a crisis situation and emotions may be running high. In the quest for answers, some will point fingers, and this may prove harmful to an organization in the discovery process. Even seemingly benign statements, taken out of context from the breach, can prove detrimental to an organization.
If litigation is anticipated, it might be prudent to engage a law firm known for conducting the breach investigation. Doing so protects communication under the sanctity of the attorney-client privilege so that it is not subject to discovery. This privilege also extends to any outside experts that have been hired, such as consultants, technical advisers or computer forensics experts, should they coordinate and communicate with the attorney rather than the organization.
* Objectivity: Applying a different methodology to the breach can be difficult for individuals who maintain systems. Although they may feel competent, their inclination can be to apply the same daily troubleshooting methods to the problem at hand, and that is not necessarily the best approach. Outside professionals bring a different -- and often more relevant -- perspective to the problem. They see problems that are not always readily apparent to those within an organization's walls. This ability to see things insiders either can't -- or don't want to -- see can make their opinions highly valued.
Outside professionals are also not inhibited by internal organizational structures. Their ability to speak directly to persons at all levels within an organization creates distinct advantages for working toward solutions. This is meaningful especially when the breach involves communication with multiple departments and organizational levels. Where internal employees would get bogged down in bureaucratic mire, outside experts can go directly to each party unencumbered.
* Politics: Organizational politics can bring division and undermine breach response activities. However, outside professionals are not generally involved in internal politicking. In some cases, jurisdiction is under dispute. Should IT or legal be responsible for the investigation? While internal departments squabble, the investigation trail may go cold and valuable evidence could be lost. Outside consultants do not have to prove anything, nor do they share the political goals or personal agendas of those within an organization. Such freedom allows them to work more effectively toward an orderly resolution.
Experiencing a data breach can be traumatic, but the trauma can be diminished with the confidence of knowing when it is time to bring in outside help. In order to be prepared, it is helpful to think through the issues outlined here before a breach occurs. It is equally helpful to have a set of consultants identified and vetted for when the time arises.
JurInnov is a provider of security, legal and forensic consulting services. The author holds over 25 certifications, including CISSP and HISP, in addition to an MBA, and is completing a doctorate in information assurance.