
Data Breaches: Why Prevention Isn't Enough

By Michael Purcell
January 31, 2015

Cyberattacks and data breaches are an all-too-common fact of modern business. The news is full of stories about major U.S. banks and retailers being hacked, and the perpetrators are stealing the financial and personal information of clients, customers and others. While the masterminds and motives behind such attacks are not always immediately apparent, one thing is clear: Counsel must understand that traditional network security approaches are no longer enough. Firewalls and intrusion-prevention systems have become mere nuisances for determined hackers. In many instances, the malware and method of attack are more sophisticated than normal preventative measures can account for. This means that companies must accept the fact that data breaches could happen to them, regardless of the strength of their protective approaches.

That's why it is more important than ever that organizations be prepared to respond to a data breach. When asymmetric attacks occur, companies and institutions need to respond effectively, and the legal department must be closely involved. It should be proactively planning and thinking about many different issues. What kind of incident response plan should be in place following a breach? What should be included in the plan? Who should execute the plan? What is the proper blend of legal and IT responsibilities? How will the company respond to the inevitable lawsuits and investigations that follow?

Counsel needs to take proactive measures to ensure that they, and their clients, will be ready in the event that a data breach occurs.

First the Breach, Then the Lawsuit

In today's litigious environment, counsel should expect lawsuits to quickly follow any data breach. The type of claims will depend on the size of the breach and the type of data that was, or may have been, compromised. While some cases may only involve a handful of potential victims, others could encompass tens of millions of customers whose information has been affected. Regardless of the number of people who may claim injury, lawsuits will be expensive and time-consuming to manage. Credit card companies and other financial institutions also may decide to join the lawsuit fray.

Along with lawsuits, government investigations may not be far behind. Many federal laws strictly govern the control of data, and almost every state has laws in place regarding the duty to disclose during data breaches. When a data breach occurs, companies should brace for many agencies to come knocking on their door. Public companies also may have a duty to disclose information to shareholders, and the failure to do so could lead to more lawsuits.

Preparing for a Breach

While those in other departments may focus on preventing attacks, counsel are often in the best position to raise the issues of proactive planning and to serve as an integral part of the post-breach team. Proactive planning should include multiple steps, outlined below.

Develop an Incident Response Plan

In the immediate aftermath of a suspected data breach, those at the company may struggle to understand the full scope of the situation and maintain order. That's why a plan, approved ahead of time, can provide an invaluable road map.

The incident response plan not only should designate who will serve on the team, but also clearly delineate roles and responsibilities. While each company should consider its own unique structure and culture when choosing team members, the team should include legal, IT and members of the C-suite.

The plan also should identify trusted, vetted vendors that the team can call in quickly, including security vendors and crisis management agencies. Many companies wait too long to call in experts after they learn of a security breach. Understandably, companies want to try to keep the breach quiet, until they know the full scope. They also may not want to spend money in order to deal with what may prove to be a minor issue.

However, even the savviest, largest companies may be out of their depth when a data breach occurs. Finding the cause of the breach, managing publicity and preparing for litigation often is more than most organizations can thoroughly manage as they scramble to control and stay on top of the breach itself. This is where outside experts can play a critical role.

The plan should also include contingencies to expand the budget, since expenses could ramp up quickly once a data breach is discovered.

Outline How to Work with IT and Other Departments

The occurrence of a data breach is the time when companies need to overcome existing silos, not make them worse. IT and others on the incident response team need to stay in constant contact with the legal department to minimize confusion and encourage communication. Representatives from both functions should maintain open lines and schedule regular, if informal, meetings to discuss how each team approaches litigation resource management.

IT and legal often can labor under competing interests; where IT is focused on near 100% uptime and managing storage and hardware/software costs, legal seeks to contain information and ensure that only those records with a compelling business function or under legal hold are made available to the company, while purging the rest. During a breach event, legal will ask IT to shift its mindset to preservation even when the costs to preserve, say, millions of transactional and point-of-sale logs begin to rapidly escalate. And conversely, IT will want legal to understand the operational burden of doing so, while at the same time keeping all the usual trains running on time.

Get Ready for the Lawsuits, Part 1: Prepare the Businesspeople

Counsel will have many roles to play after a data breach, but their key duties involve serving as counselors to the business, meaning that they need to think of every action the company takes in terms of how it could affect potential lawsuits and regulatory investigations. Counsel should regularly remind employees of their duty to preserve information. They should also inform colleagues what communications may be discoverable, post-breach.

Get Ready for the Lawsuits, Part 2: Prepare for e-Discovery

Counsel may think that they understand litigation and e-discovery today: issuing litigation holds, identifying potential custodians and the whole EDRM spectrum. Yet, when it comes to data breaches, even veteran teams may have no idea what is really involved. Because of the abstract nature of data breaches, it can be difficult to decide to whom to issue litigation holds.

Rather than being generated by or residing with employees, responsive information in a data breach probably will exist in systems that few in the company truly understand. These systems also are generally kept on different retention schedules than other sources of information.

These systems could hold noncustodial data sources (NCDS), such as firewall alerts, logon access, network monitoring devices and database repositories. These may be the only places where the trail of a data breach can be tracked. Since NCDSs often are enormous and are very different from other systems at the organization, preservation immediately becomes an issue. Data deletion policies may not be obvious, or even documented. If legal teams don't move fast, they could lose vital, potentially responsive information. Companies also may have an extremely difficult time deciphering the information contained in the NCDSs. These systems can contain enormous amounts of data, even by the standards of companies that measure storage in the petabytes.

Outside experts may be the best hope the legal team has to track the source of a breach, call a halt to overwrite policies and sort through the dizzying amount of information. Calling in experts sooner, rather than later, will help counsel keep the information they need, and allow them to proceed with the investigation and discovery in a defensible way. Experts also can help the organization avoid service interruptions when they must change the retention policies for the affected devices or systems.

In order to respond quickly to e-discovery issues, legal departments should identify experts before the breach and include them in the incident response plan. The thought of data breaches can, and probably should, keep counsel up at night. Attempting to avoid data breaches is not enough, though. With the increase in highly sophisticated hackers, even the best defenses can fail. That's why counsel must make sure that their organizations have a thorough, workable incident response plan in place that anticipates litigation. With a proactive plan, the company can begin to manage all aspects of the data breach immediately, including the litigation risks.

Michael Purcell has more than 20 years of experience in legal technology. As vice president of strategic solutions at Inventus, he is responsible for electronic discovery management and complex litigation consulting with global corporations and law firms. He is based in San Francisco.

