January 2023 Tech Tip - How to Know if You Should Consult a Breach Coach

by Kamran Salour and Sadia Mirza

Some companies view investing in cybersecurity as an unnecessary business expense. Lawyers are often viewed the same way. So it is no surprise that when companies experience a “data breach,” they often resist hiring a cybersecurity attorney to help.

Why should a company hire an attorney while it is experiencing a data breach? The answer is simple: a breach coach’s role is to solve problems and help the company navigate its response. More often than not, an organization experiencing a data breach that hires a breach coach will minimize its legal and business costs.

Before discussing the ways a breach coach helps, it is important to define the term. At a high level, a “breach coach” is a cybersecurity attorney who provides legal counsel to an organization experiencing a data incident. While the guidance provided will depend on the nature of the incident, a breach coach assesses the data incident and devises a response strategy. The end goal is to minimize the incident’s legal and business impact on the company.

Breach Notification Requirements
You may have noticed the switch in nomenclature from “data breach” to “data incident.” That is intentional. Not all data incidents are data breaches; a breach coach determines whether the company’s incident is just an incident or rises to the level of a data breach. A data breach imposes statutory and potentially regulatory obligations on an organization. An incident that is not a breach does not. If a breach coach determines a breach occurred, the breach coach will identify the company’s resulting legal and regulatory notification obligations and help the company comply with them.

Legal concerns are not always limited to statutory and regulatory notification obligations, however. Some companies have contractual notification requirements that are triggered as soon as a data incident is suspected, not only when a breach is confirmed. A breach coach identifies the company’s contractual notification requirements and helps the company comply with them.

A company responding to data incidents without a breach coach tends to over-notify, telling everyone that the company experienced a breach, or under-notify, telling no one. Neither outcome is ideal. If a company over-notifies, it may have unnecessarily reported to consumers, increasing the likelihood of a data breach class action in the process. And, while a company that under-notifies may reduce the likelihood of a data breach class action, it may have run afoul of statutory and regulatory notification requirements, and consequently, exposed the company to regulatory fines.

Assigning Responsibility After a Fraudulent Wire Transfer
The legal ramifications of a data security incident are not always limited to assessing and complying with notification obligations. Sometimes an incident involves a scheme, commonly called business email compromise, in which an unknown threat actor inserts himself into an email exchange between a company and one of its vendors and poses as the vendor. The threat actor then emails the company new payment instructions. As a result, the company pays the threat actor instead of the vendor, leaving an unpaid vendor demanding payment from a company that is already out the money it owes.

Resolving such a scenario can be difficult, especially if the company and the vendor intend to continue doing business with each other. Engaging a breach coach, however, can help the company reach a resolution. One way a breach coach helps is by engaging a third party, on the company’s behalf, to conduct a privileged forensic investigation. The investigation’s goal is to determine whether the threat actor entered the company’s email environment or the vendor’s. Knowing how the threat actor was able to intercept the email exchange carries significant weight in resolving these types of disputes.
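The scheme described above is usually called business email compromise, and the first question in the forensic work the authors describe is where the fraudulent “new payment instructions” message actually came from. The following is an added example, not code from the article or its authors, of the header triage an investigator would run on that message: it checks whether the email authenticated as the vendor’s real domain (pointing at a compromised vendor mailbox), came from a lookalike domain (the attacker had read access to the thread on one side or the other), or was simply spoofed. The vendor domain, the gateway hostname and the three sample messages are constructed for illustration.

```python
"""Triage a vendor "new payment instructions" email for business email
compromise (BEC) indicators.

Added example, not code from the article or its authors. Assumptions:
  * VENDOR_DOMAIN is the vendor's legitimate domain (hypothetical here);
  * the receiving mail gateway records SPF/DKIM/DMARC outcomes in an
    Authentication-Results header (RFC 8601);
  * the sample messages below are constructed, not real traffic.
"""
import email
import re
from email import policy
from email.utils import parseaddr

VENDOR_DOMAIN = "acme-supply.example"  # assumption: the vendor's real domain

# Digits attackers swap in to build lookalike domains (0->o, 1->l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\s+(bank|account|wire|payment|remittance)", re.I)


def normalize(domain):
    """Fold homoglyphs so 'acrne-supp1y' compares equal to 'acme-supply'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """True if domain is not target but is built to be mistaken for it."""
    if domain == target:
        return False
    d, t = normalize(domain), normalize(target)
    label_d, label_t = d.split(".")[0], t.split(".")[0]
    return d == t or edit_distance(label_d, label_t) <= 2 or label_t in label_d


def sender_domain(header_value):
    """Domain part of an address header such as 'Name <user@dom>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc outcomes and DKIM signing domain from Authentication-Results."""
    res = {"spf": "none", "dkim": "none", "dkim_domain": "", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
            res[m.group(1)] = m.group(2).lower()
        m = re.search(r"header\.d=([\w.-]+)", header)
        if m:
            res["dkim_domain"] = m.group(1).lower()
    return res


def triage(raw_message, vendor_domain=VENDOR_DOMAIN):
    """Classify where the message most likely originated. Verdicts:
    vendor-account-authenticated: signed/aligned as the vendor's own domain,
        so start with the vendor-side mailbox (sign-ins, inbox rules);
    lookalike-domain: near-match domain; the attacker was reading the thread
        on one side or the other, so review both mailboxes;
    spoofed-vendor: From: claims the vendor but authentication failed;
    unrelated-sender: not the vendor at all."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    auth = auth_results(msg)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    findings = []
    if PAYMENT_CHANGE.search(body):
        findings.append("body announces changed payment instructions")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # A DMARC pass, or a DKIM pass whose d= is the vendor, means the message
    # really left infrastructure that controls the vendor's domain.
    aligned = auth["dmarc"] == "pass" or (
        auth["dkim"] == "pass" and auth["dkim_domain"] == vendor_domain)
    if from_dom == vendor_domain:
        verdict = "vendor-account-authenticated" if aligned else "spoofed-vendor"
    elif is_lookalike(from_dom, vendor_domain):
        verdict = "lookalike-domain"
    else:
        verdict = "unrelated-sender"
    return {"verdict": verdict, "from_domain": from_dom,
            "reply_to_domain": reply_dom, "auth": auth, "findings": findings}


# Constructed sample messages (not real traffic), as a gateway would store them.
SAMPLE_VENDOR_COMPROMISE = """\
Authentication-Results: mx.widgets.example;
 spf=pass smtp.mailfrom=acme-supply.example;
 dkim=pass header.d=acme-supply.example; dmarc=pass
From: Accounts Receivable <ar@acme-supply.example>
To: ap@widgets.example
Subject: RE: Invoice 4471
Content-Type: text/plain

Please use our updated bank account for this and all future payments.
"""

SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.widgets.example;
 spf=pass smtp.mailfrom=acrne-supply.example;
 dkim=pass header.d=acrne-supply.example; dmarc=pass
From: Accounts Receivable <ar@acrne-supply.example>
To: ap@widgets.example
Subject: RE: Invoice 4471
Content-Type: text/plain

Our bank has changed; new wire instructions are attached.
"""

SAMPLE_SPOOF = """\
Authentication-Results: mx.widgets.example;
 spf=fail smtp.mailfrom=acme-supply.example; dkim=none; dmarc=fail
From: Accounts Receivable <ar@acme-supply.example>
Reply-To: ar@acme-supply-billing.example
To: ap@widgets.example
Subject: RE: Invoice 4471
Content-Type: text/plain

Kindly note the changed remittance details below.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VENDOR_COMPROMISE, SAMPLE_LOOKALIKE, SAMPLE_SPOOF):
        print(triage(sample))
```

A verdict of vendor-account-authenticated does not by itself settle the dispute, but it tells the investigator to start with the vendor’s mailbox (sign-in history, forwarding and inbox rules); a lookalike domain means the attacker was reading the thread, so both sides’ mailboxes and rules need review. Headers in a forwarded copy are easy to alter, so run this against the copy preserved from the mail server or gateway.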

Business Concerns: Determining the Cause and Messaging Stakeholders
The importance of learning how (or if) a threat actor entered a company’s network extends beyond the fraudulent wire transfer context. When a company experiences a data security incident, the company is often more concerned about minimizing business interruption than identifying and satisfying statutory and regulatory notification requirements. A breach coach understands that a data incident impacts an organization from both a business and legal perspective.

One way to minimize business interruption is to restore the impacted business to normal operations as soon as possible. To expedite that return, a company will often “wipe” every computer and server the threat actor accessed, so that the devices are “clean,” and put them back on the network. But the threat actor may still be in the network, and putting “clean” devices back on a “dirty” network simply renders them dirty once again. Possibly worse, a well-intentioned IT provider may wipe the impacted devices before preserving a copy of them (a forensic image and the relevant logs), destroying valuable evidence that an investigation would need.

An organization experiencing a data incident is commonly asked two questions, by internal and external stakeholders alike: (i) how did this happen, and (ii) what is the company doing to prevent it from happening again?

A breach coach can help answer these questions, usually by facilitating a privileged investigation. Privilege is especially critical here because the answers are sometimes unfavorable (e.g., the incident occurred because the company lacked appropriate security controls). A breach coach can help deliver that message in a way that limits regulatory scrutiny and potential legal liability. And while a breach coach determines, from a legal standpoint, who must receive notification, a breach coach can also recommend, from a business standpoint, whom you could and whom you should notify.

There are also many ways a breach coach can help a company before an incident ever occurs; for now, we will leave you with the following thoughts.

Situations in Which You Might Need a Breach Coach

  1. You suspect a security incident.
  2. You don’t know the difference between a “data incident” and a “data breach.”
  3. You don’t know that “breach” is a legally defined term and that its definition varies depending on the law of the applicable jurisdiction.
  4. You don’t have an incident response plan.
  5. You’ve never experienced (or at least believe you’ve never experienced) a security incident.
  6. You don’t know what a forensic investigation is or why it may be needed.
  7. You don’t know if your company should conduct a forensic investigation following an incident.
  8. You don’t know how to contact law enforcement to report an incident.
  9. You don’t know any forensic vendors.
  10. You don’t know if you must notify anyone following an incident.
  11. You don’t know if you should notify anyone following an incident.
  12. You don’t know what to say in your breach notification.
  13. You don’t know what your company would do if hit with a ransomware attack.
  14. You don’t know where to obtain bitcoin.
  15. You don’t know how to conduct an OFAC check (that is, how to determine whether a ransom payment would go to a sanctioned party).
  16. You want to take steps to reduce the chances of experiencing a data incident.

Let’s face it, cybersecurity and the cybersecurity legal landscape can be complicated to the uninitiated. If your company experiences, or believes it has experienced, a data incident, contact a breach coach. The breach coach can recommend what to do in response based on prior experience.

Kamran Salour and Sadia Mirza are data privacy and cybersecurity attorneys at Troutman Pepper. Sadia can be reached at sadia.mirza@troutman.com. Kamran can be reached at kamran.salour@troutman.com.