Even the best-prepared organization is vulnerable to cybercriminals seeking to hold data and systems hostage in exchange for payment. Ransomware attacks, as they’re known, impact every industry. Since 2016, the U.S. has experienced around 4,000 ransomware attacks daily.
No organization is immune. Among your priorities after a cyberattack is finding the root cause and preventing further harm. Most organizations don’t have the resources or expertise to diagnose a cybersecurity threat alone. That’s where a third-party cyber forensics firm comes in. Forensics firms specialize in collecting digital and physical evidence to uncover what happened during a cybersecurity breach. After a suspected breach, a forensics firm’s primary objectives are to:
- investigate the source of the breach and contain potential threats;
- identify the extent of sensitive data accessed by cybercriminals; and
- fix vulnerabilities to prevent a similar breach from happening again.
Time is of the essence after a cybersecurity breach. Having a firm on retainer allows the investigation and remediation to begin earlier.
If you wait too long to engage a forensics firm after a potential breach is identified, the evidence could be gone already, and your organization (and its data) will remain at risk.
Every state has a law requiring notification of security breaches involving personally identifiable information (PII), such as Social Security numbers. Refer to your state-specific breach notification law for details.
A forensics firm will attempt to determine if cybercriminals accessed any PII, and if so, whom the organization may need to notify based on state regulations.
Keeping a forensics firm on retainer can also alleviate concerns from internal IT staff that a breach investigation by a third party will be slower than one conducted by in-house teams. Having a relationship with a forensics firm before an incident allows the firm to build trust and familiarity. This familiarity can help streamline the investigation process.
The firm also serves as an independent investigator, giving all parties involved confidence in an objective review of the breach.
What does a forensics retainer typically cover?
A retainer can cover different aspects and time frames depending on whether you’re dealing with the forensics firm directly or engaging a firm through external legal counsel (the next section covers why external legal counsel is recommended).
The typical retainer should cover at least 48 hours of investigation time, Moore said.
The scope of the investigation generally includes determining the source and severity of the breach, identifying what information was accessed, preserving evidence, and containing threats.
Depending on your organization’s needs, the retainer can cover a lengthier investigation with training, exercises, and other benefits, Moore noted. Consult with your internal legal counsel before entering into any agreement with an external service.
Selecting and managing your cyber forensics firm (with legal privilege in mind)
When selecting a forensics firm, Moore suggests managing the process through external legal counsel for three reasons:
- External counsel usually has experience hiring and working with qualified forensics firms.
- Managing the process through external legal counsel helps maintain legal privilege.
- External counsel can prepare and maintain the investigation timeline to help answer detailed questions with consistency and accuracy.
In the event of a cybersecurity breach, your organization may face various legal risks. If a lawsuit is filed, plaintiffs may request that your organization turn over all written materials related to a forensics investigation as part of the discovery process.
Written communications between internal counsel and a forensics firm are considered part of the ordinary course of business and typically can’t be withheld. Precedent has established internal legal counsel as part of the organization, negating attorney-client privilege.
Meanwhile, any written communications with external legal counsel (and the consultants they refer, such as forensics experts) enjoy attorney-client privilege because the law firm was retained for legal advice or in anticipation of litigation.
“Having external counsel helps protect the organization from litigation and ensures that privileged and confidential emails remain that way,” Moore said.
A detailed timeline of events and communications, including crucial forensics details, should preferably be maintained and managed by external legal counsel.
“Just like any litigation activity, computer forensics activity must follow the same evidentiary handling process,” Moore said.
Contact our Risk Control and Consulting team for more resources and answers to your housing organization’s risk-related questions.
Interested in Working With HAI Group? Our Account Services team is ready to assist you.
Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.
