Crisis Data Breach Response: Computer Forensic Services

Posted by Mark Greisiger

A Q&A with Chris Novak, Managing Principal at Verizon Business
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at computer forensics, and I spoke with Chris Novak, managing principal at Verizon Business.

When and how do clients engage with your services?
Generally, we get the call from the IT security department or a CSO, and that usually depends on how mature the organization’s security practice is. They almost always find us through word of mouth unless the company already engages our services through our rapid response retainer. What we typically hear on that call is, “I believe we’ve had an incident but I need help understanding what happened exactly.”

What happens after the call?
That depends on whether this is a client using our services for the first time or whether they have us on rapid response retainer. If you think of an emergency room as an analogy, an organization calling us for the first time is treated as quickly as we can as we triage the situation along with our other clients’. The rapid response retainer means we already have an agreement and a plan in place and a good understanding of where and how to mobilize our resources, so that gets handled more quickly. Either way, the goal is to mobilize investigators to necessary locations. After that, the first step is getting the forensic acquisition—a duplicate copy of the relevant or suspect systems so that we can analyze them. Then we follow the timeline back from there. For a mom and pop type of business, the whole process might only take a week, but for, say, a major financial institution, we may be contracted out for six months or more with a dozen investigators on the case in London, Hong Kong, Singapore, Los Angeles and New York.

What problems or hurdles do you typically encounter?
One of the biggest hurdles we face is something that we call the “unknown unknowns”—essentially, these are the things people don’t realize that they don’t know, which makes it difficult to account for them. Think of it this way: If you don’t know where your sensitive data is, then where do you start the investigation? If you don’t know who has access to the data, but suspect insider involvement, how do you narrow down the investigative field? If your environment is purely designed for function and doesn’t easily accommodate forensic data collection, then even if we have the greatest hunches in the world as to what happened, we will have little to no evidence that can help prove the case. All of these have the potential to be non-starters for an investigation or otherwise dramatically increase the cost. Another issue is that sometimes organizations share resources without realizing it—their website or ecommerce site might be hosted in a data center with 19 other customers—so when we go to investigate the facility we run into roadblocks getting permission to access it. That can slow down the process.

What are the approximate costs for forensic services for a data breach?
We always shy away from giving dollar amounts because they can vary wildly. You might see a credit card company with millions of records but a very low per-record cost or an industrial company that has lost three or four records with intellectual property that could be worth a billion dollars of revenue. So not every record is the same and it is very hard to quantify the cost. I would say that your larger and more complicated breach investigations can easily range into the millions of dollars, while your smaller situations may run in the USD $20-50,000 range. I answer it this way not to be difficult, but rather to avoid giving anyone the misperception that all breach investigations are similar and/or similar costs. The only other thing I can say is that if you are prepared for the data breach event, things will move more fluidly and it will ultimately cost less.

In conclusion…
Thanks, Chris, for these insights from the field. Computer forensics is an important part of the overall roadmap to recovery from a data breach incident. This service is vital to ascertaining the digital facts (who, what, when, where and how) following a post-data breach analysis. Defense lawyers representing the breached company need to understand compliance duties and negligence factors, and insurance companies need to ascertain damages for insurance coverage payouts—all of which rely on forensic evidence. As Chris discussed, the cost can have a wide range (e.g., small incidents might amount to $20k-$50k; while large events could potentially cost several million dollars) based on various factors. However, when compiling the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study, we found the average cost for an insurance claim to be approximately $200,000 for the forensic expense component alone.