Breach Coach® 101

Posted by Mark Greisiger

A Q&A with Chris DiIenno, Esq. of Lewis Brisbois

Breach Coaches® are first responders on the scene of a data loss event, and companies are increasingly hiring these cyber security experts to help manage their incident response. We asked Chris DiIenno about his work in this area and his advice to companies facing a data breach.

What are the primary duties of a Breach Coach?
Breach coaches are attorneys who help organizations that have experienced a data security incident. As attorneys, our first role is to protect the response process under privilege. We will obtain forensics providers as necessary to uncover the cause and scope of the breach. We analyze those facts to identify what legal duties are triggered and then work with the client to satisfy those duties, which can include providing notice of the breach to affected individuals, regulators and the media. We will retain related service providers on behalf of the client, including printing, mailing, call center and credit monitoring. We essentially coordinate all the moving parts and ensure that they are working in an integrated manner. In the aftermath of a response, we might also represent the client during regulatory investigation and/or litigation. While most clients retain our services after an incident, we do work with some clients proactively to develop incident response plans, perform tabletop exercises, and review training materials, policies and procedures for managing data in their system. For those clients we then operate as a personal breach hotline in the case of an incident.

What are the most important action steps that a client must follow after a breach incident has been revealed?
During a data breach, clients need to make decisions fast. There is always a time element at work because for every minute the breach goes unchecked, more damage can be wreaked on the network. There is also the time element of notification. As part of their data breach incident response plan—and hopefully, they have one—the clients need to bring in an authority to manage the incident, engage expert forensics, assess next steps and prepare for notification with services such as a call center. Clients also need to be prepared to provide access to IT and HR departments or anywhere the exposed data exists.

Some clients we work with prefer to let us do everything while others want to do things themselves and remain heavily involved. However, we recommend not trying to undertake forensics internally—expert knowledge about data security is crucial. The bottom line is that you need to know the facts of the case before you can go forward knowing what has to happen next. Once the nature of the case is revealed, the client can undertake the specific legally required steps to respond to it.

Are there any “typical” breach events?
The lost laptop occurs often and the breach event unfolds in a familiar way. We’ve seen a few phishing cases with email spoofing the CEO requesting W2s. Ransomware is also fairly similar across companies.

That being said, when there’s an event and PII is exposed, there are going to be nuances that are specific to that organization and the nature of the data. While the moving parts are the same, the personalities, internal politics, size of the company or network, the question of third party or vendor involvement, and even when we are brought in are all factors that can vary widely, so each case ends up being unique to the client.

Which breach response mistakes do you see most frequently?

  • Moving too fast before understanding all the facts and going public with the breach.
  • Not having, or not following, an actionable data breach plan (or not being able to find/access their plan).
  • Not bringing in outside forensics and using internal IT staff.
  • Setting up too many work streams across departments such as IT and marketing to respond to the incident without coordinating the response.
  • Following a preconceived incident response plan (IRP) that isn’t broad enough to adapt to the specific incident.

Is a data breach response plan crucial to risk management? What are the hallmarks of an effective data breach response plan?
Response plans have one great purpose and that is educating staff about all the aspects of an incident well before they’re in the throes of one. Preparation is key. Creating the plan helps identify the risks and address and minimize them, so yes, they are very important for risk management. It’s also good to have a plan to show regulators down the line, but only if you’ve followed it.

An effective plan is short—two pages is much better than 80 pages—and it’s created with a broad perspective that encompasses various types of incidents. It should provide guidance without being too rigid or complex. Having a concise view and checklist of action steps can also be very helpful. It is also important that the plan is accessible when the crisis unfolds. One of my concerns is that an IRP doesn’t expose privileged information (for instance, if the plan tells you to call law enforcement before calling counsel) because then you can lose control of the situation before you even know what the facts are. An IRP should empower people to respond but should always be used in coordination with Breach Coaches and the client’s cyber liability insurer to maintain its efficacy.

In summary…
We want to thank Chris and his law partner John Mullen for their expertise and insight into the role of a Breach Coach and how that role interacts with and supports a client when responding to an incident. And because Chris and John assist clients with data breach events on a daily basis, they are uniquely qualified to address what constitutes a good Incident Response Plan.