Crisis Data Breach Response: Legal Counsel

A Q&A with Jon Neiditz, Partner at Nelson Mullins
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at legal counsel, and I spoke with Jon Neiditz, partner at Nelson Mullins and the founder and coleader of its Information Management practice.

When and how do clients engage with your services?
In the best-case scenario, I’ve already been helping the organization develop their information security and incident response program. But I often get calls from an organization that I don’t have a prior relationship with. They’ve had a data breach and they’ve called their broker or insurer and the broker or insurer sends them to me. In general, I like to be involved from moment one.

What happens after the call?
First of all, you need to focus on identifying and containing the incident and harm. Second, you need to assess regulatory requirements and legal exposure in all 50 states plus international laws. And then you need to think about every contractual relationship with your vendors. I basically act as a breach coach—I’m not setting up the call center or the credit monitoring or mailings, but I’m making sure all these things happen in a seamless way that enhances trust and communication. I generally advise people not to use a single vendor but to use whichever ones offer the best service, and most are generally good at one thing.

What problems or hurdles do you typically encounter?
In general, there really aren’t that many problems these days. People seem to be willing to do what they need to do. That being said, if there’s not an incident response program in place, decisions are not made in an efficient way. You have to have the right forensic resources with a plan. One thing that can be a problem is if there’s an outside PR firm that doesn’t understand breach-related risk. They need to be in sync with everyone else. The other problem is that companies need to be careful about contacting vendors because there are many ways that vendors can charge lots of money in these situations where they don’t need to. Vendors, not excluding lawyers, will try to take advantage, so negotiating things up front and creating caps on fees can be very important. One way to save money, for instance, is to pay for credit monitoring on an enrollment basis rather than a per-record basis—only 10 percent of people will actually enroll in the service, so that way you’re not paying for services people aren’t using.

What are the approximate costs for legal counsel for a data breach?
I’m astonished whenever I see the costs that are put out there. I have never, in the largest breaches I’ve dealt with, come close to US $100,000 in total legal costs. Small ones are $1,000 to $2,000 and medium-sized ones are between $10,000 and $30,000. If you handle a lot of these cases as I have, you can make the services very cost-effective for clients and that’s what I try to do.

In conclusion…
Thanks, Jon, for sharing your experience. At NetDiligence®, we have found that a privacy lawyer (a.k.a. Breach Coach®) such as Mr. Neiditz can be a valuable first call for some clients in the initial crisis phase following a data breach event. Often, the client is panicking, and rightfully so—not many companies are pros at handling these types of emerging incidents and we know that they can turn catastrophic if they’re not dealt with properly. Moreover, some grounded/expert legal advice can often help the client calm down and review their response and legal compliance duties in conjunction with the actual breach facts at hand (and there’s a knee-jerk response that’s costly and unnecessary for both the business and their victimized customers).

Crisis Data Breach Response: Computer Forensic Services

A Q&A with Chris Novak, Managing Principal at Verizon Business
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at computer forensics, and I spoke with Chris Novak, managing principal at Verizon Business.

When and how do clients engage with your services?
Generally, we get the call from the IT security department or a CSO, and that usually depends on how mature the organization’s security practice is. They almost always find us through word of mouth unless the company already engages our services through our rapid response retainer. What we typically hear on that call is, “I believe we’ve had an incident but I need help understanding what happened exactly.”

What happens after the call?
That depends on whether this is a client using our services for the first time or whether they have us on rapid response retainer. If you think of an emergency room as an analogy, an organization calling us for the first time is treated as quickly as we can as we triage the situation along with our other clients’. The rapid response retainer means we already have an agreement and a plan in place and a good understanding of where and how to mobilize our resources, so that gets handled more quickly. Either way, the goal is to mobilize investigators to necessary locations. After that, the first step is getting the forensic acquisition—a duplicate copy of the relevant or suspect systems so that we can analyze them. Then we follow the timeline back from there. For a mom and pop type of business, the whole process might only take a week, but for, say, a major financial institution, we may be contracted out for six months or more with a dozen investigators on the case in London, Hong Kong, Singapore, Los Angeles and New York.
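The two steps Chris describes, taking a verified duplicate of the suspect systems and then working the timeline backwards from the moment the incident was noticed, can be sketched in code. The script below is an added example written for this page; it is not Verizon's tooling or procedure. It acquires a constructed "suspect disk" file into an image while hashing both streams, writes a chain-of-custody record, shows that any later change to the image breaks verification, and then orders constructed log events newest-first from a chosen detection time. All file names, event records and IP addresses are hypothetical sample data built inside the script.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read evidence in 1 MiB chunks so a large image never sits whole in memory


def _sha256_of_file(path):
    """Hash a file in chunks; returns the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the suspect device/file to an image, hashing the source stream as it is read,
    then re-hash the written image. Returns a chain-of-custody record and raises if the
    two digests disagree (a write error, or a source that changed during acquisition)."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    record = {
        "source": source_path,
        "image": image_path,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": _sha256_of_file(image_path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    if record["sha256_source"] != record["sha256_image"]:
        raise RuntimeError("acquired image does not match source; repeat the acquisition")
    return record


def verify_image(image_path, record):
    """True if the image still matches the digest recorded at acquisition time."""
    return _sha256_of_file(image_path) == record["sha256_image"]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_timeline(events, detection_ts):
    """'Follow the timeline back': keep events at or before the detection time,
    newest first, so the analyst walks from what was noticed toward the root cause."""
    detected = _parse_ts(detection_ts)
    prior = [e for e in events if _parse_ts(e["ts"]) <= detected]
    return sorted(prior, key=lambda e: _parse_ts(e["ts"]), reverse=True)


# Constructed sample artifacts (hypothetical; documentation IP ranges, not real evidence)
SAMPLE_EVENTS = [
    {"ts": "2011-03-01T22:40:00Z", "source": "firewall", "event": "inbound tcp/443 from 198.51.100.7 allowed"},
    {"ts": "2011-03-02T09:15:00Z", "source": "web log", "event": "POST /admin/upload from 198.51.100.7 (HTTP 200)"},
    {"ts": "2011-03-02T09:16:30Z", "source": "filesystem", "event": "new file created under web root"},
    {"ts": "2011-03-02T09:40:00Z", "source": "db audit", "event": "bulk read of customers table by web service account"},
    {"ts": "2011-03-03T08:00:00Z", "source": "helpdesk", "event": "staff report site defacement"},  # after detection: excluded
]


def run_demo():
    """Acquire a constructed 'suspect disk', verify it, simulate post-acquisition
    tampering, re-verify, and build the timeline back from the detection time."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect-disk.bin")
        image = os.path.join(work, "suspect-disk.img")
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DISK CONTENT\n" * 4096)
        record = acquire_image(source, image)
        clean = verify_image(image, record)
        with open(image, "ab") as f:
            f.write(b"\x00")  # any change after acquisition breaks the recorded digest
        tampered = verify_image(image, record)
    timeline = build_timeline(SAMPLE_EVENTS, "2011-03-02T10:00:00Z")
    return {"record": record, "clean": clean, "tampered": tampered, "timeline": timeline}


if __name__ == "__main__":
    result = run_demo()
    print("image verified:", result["clean"], "| after tampering:", result["tampered"])
    for e in result["timeline"]:
        print(e["ts"], e["source"].ljust(10), e["event"])
```

The chain-of-custody record is the piece that lets the lawyers and insurers Chris mentions later rely on the evidence: anyone can recompute the digest and confirm the image analysed is the image acquired. The timeline step shows why the "unknown unknowns" he raises next matter in practice; if the web, filesystem or database events had never been logged, there would be nothing to walk back through.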

What problems or hurdles do you typically encounter?
One of the biggest hurdles we face is something that we call the “unknown unknowns”—essentially, these are the things people don’t realize that they don’t know, which makes it difficult to account for them. Think of it this way: If you don’t know where your sensitive data is, then where do you start the investigation? If you don’t know who has access to the data, but suspect insider involvement, how do you narrow down the investigative field? If your environment is purely designed for function and doesn’t easily accommodate forensic data collection, then even if we have the greatest hunches in the world as to what happened, we will have little to no evidence that can help prove the case. All of these have the potential to be non-starters for an investigation or otherwise dramatically increase the cost. Another issue is that sometimes organizations share resources without realizing it—their website or ecommerce site might be hosted in a data center with 19 other customers—so when we go to investigate the facility we run into roadblocks getting permission to access it. That can slow down the process.

What are the approximate costs for forensic services for a data breach?
We always shy away from giving dollar amounts because they can vary wildly. You might see a credit card company with millions of records but a very low per-record cost or an industrial company that has lost three or four records with intellectual property that could be worth a billion dollars of revenue. So not every record is the same and it is very hard to quantify the cost. I would say that your larger and more complicated breach investigations can easily range into the millions of dollars, while your smaller situations may run in the US $20,000 to $50,000 range. I answer it this way not to be difficult, but rather to avoid giving anyone the misperception that all breach investigations are similar and/or of similar cost. The only other thing I can say is that if you are prepared for the data breach event, things will move more fluidly and it will ultimately cost less.

In conclusion…
Thanks, Chris, for these insights from the field. Computer forensics is an important part of the overall roadmap to recovery from a data breach incident. This service is vital to ascertaining the digital facts (who, what, when, where and how) in a post-data-breach analysis. Defense lawyers representing the breached company need to understand compliance duties and negligence factors, and insurance companies need to ascertain damages for insurance coverage payouts—all of which rely on forensic evidence. As Chris discussed, the cost can have a wide range (e.g., small incidents might amount to $20k-$50k, while large events could potentially cost several million dollars) based on various factors. However, when compiling the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study, we found the average cost for an insurance claim to be approximately $200,000 for the forensic expense component alone.