Dear Mary – Incidents + Investigations Cybersecurity Advice Column
'Dear Mary,' is Troutman Pepper's Incidents + Investigations team's advice column. Here, you will find Mary's answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. 'Dear Mary' goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.
Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we'll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.
Thank you for reading!
How to Respond When Your Service Provider Suffers a Cyberattack
Dear Mary,
One of our critical service providers recently suffered a cyberattack. It's all over the news, and our business operations are severely impacted. We're losing money every day, and we have no idea how long this will last. Do you have any suggestions on what to do? The lack of information from our service provider is incredibly frustrating.
– Frustrated in Dallas
June 26, 2024
Dear Frustrated,
You are not alone in facing this challenge. Many businesses have encountered similar issues, and if they haven't yet, they should brace themselves because they likely will in the future. Here are some steps to consider:
- Ensure Your Environment is Secure: If there's any chance the cyberattack could have spread from your service provider to your own systems, take immediate action to secure your environment. This might include hiring a forensic investigation firm to thoroughly check your systems, just to be safe.
- Hire a Forensic Accountant: Consider bringing in a forensic accountant to help your team determine and document any potential business losses. This could be crucial if you plan to file an insurance claim to recover some of these losses. It's better to address this now rather than scrambling to figure it out later.
- Business Continuity Options: Consider whether there are any business continuity options to mitigate the potential disruption. This could include looking into alternate service providers (even if just temporary) to ensure continuous operations.
- Review Legal Notification Obligations: If your service provider handles personal information on your behalf, you need to consider any legal notification requirements that may be triggered (e.g., your company may have a legal obligation to notify others about the incident). Consult with legal counsel to understand what obligations you may have if any of your data has been compromised. With that said, you may not even know at this point what data of yours, if any, is involved. This takes me to my next point.
- Extend Some Grace to Your Service Provider: This might be difficult, but try to be patient with your service provider. Cyberattacks are increasingly common, and thorough investigations and recovery efforts take time. Ensure they are taking appropriate steps, but once confirmed, give them some space to manage the situation. Pressuring them for immediate information may result in inaccurate updates or a faulty timeline. Your legal counsel can help you determine how much time is reasonable and when it might be necessary to apply more pressure.
Good luck to your team. Seems like every day we hear about a new vendor incident. Breach notification laws need to catch up in this regard, but that's a discussion for another day…
Understanding Regulatory Response Times Following a Cybersecurity Incident
Dear Mary,
We received a data request from Health and Human Services, Office for Civil Rights, today. It was in connection with a data security incident that happened almost a year ago. Is this normal? Should this impact how we respond?
– Not Forgotten in New Orleans
June 20, 2024
Dear Not Forgotten,
Don't let the one-year delay throw you off; it's not completely out of the ordinary. There are many factors beyond the incident itself that can influence how regulators approach a potential investigation. This includes things like the staffing levels at the regulators' offices. I've heard whispers of a backlog at OCR, so this delay might just be a result of that.
My advice? Have your counsel reach out immediately and figure out where the potential investigation is heading. Maintaining an open line of communication and determining regulators' goals early is important. If done right, you may be able to defuse the situation before it snowballs into something more.
My friends at Troutman Pepper wrote a whole series on regulatory investigations following cybersecurity incidents. Probably worth a read. It can be accessed here.
Does Every Incident Require a Forensic Report?
Dear Mary,
We had a security incident a few weeks back that luckily turned out to be nothing. I'll tell you, tension was high around here while the investigation was ongoing because there was a possibility that it was going to be bad. The forensic firm (hired by our outside counsel) figured out that the incident resulted from a misconfiguration in our MFA. We fixed that and now I'm wondering whether we really need a forensic report given the limited impact. I am not sure I understand the need.
– Uncertain in Atlanta
June 12, 2024
Dear Uncertain,
This is certainly one of those topics that gets people chatting. But if you ask me (which you did), I'd say seriously consider getting the forensic report, especially if it may be covered by attorney-client privilege. However, you need to remember two things: (i) even if you believe the report is privileged, assume that it will be part of litigation later; and (ii) the report needs to be purely factual. The fact that there was a hiccup with the MFA configuration isn't something that is privileged. So, documenting it in a forensic report doesn't necessarily worsen your position (again, it depends on how it is documented). You just need to make sure the forensic report is limited to the facts. There is no room for imagination, opinions, or speculation. Think nonfiction. Like this letter.
It's also worth noting that the forensic report could come in handy later if any issues related to the incident pop up. It demonstrates the company was diligent in investigating the incident and took the right steps from an incident response perspective.
Glad to hear the incident turned out to be small. I guess the saying is true—MFA isn't bulletproof.
Should Companies Conduct Their Own Forensic Investigations?
Dear Mary,
I work in the IT department of a mid-sized company that recently detected a security incident. Everyone is freaking out – minus me. My manager asked our IT team to investigate the incident. But the incident is already contained, and business is back to normal. Why do we need to investigate further? Like seriously, why? And if we do need to investigate further, should I be doing this? I've been in IT for a while, and I have never been in this situation before.
– Forensic Forgoer in Florida
June 3, 2024
Dear Forensic Forgoer,
I am happy to hear the incident has been contained. Containment is a critical step in the incident response process, but it is not the only one.
Do You Need to Investigate?
Your first question is do you need to investigate the incident? Y-E-S!
You most certainly do need to investigate. Here's why. A forensic investigation goes beyond containment – you should figure out the nature, size, and scope of the incident because: (1) the business should know; and (2) there may be legal things that the business needs to be thinking about (e.g., notifying people that their data may have been impacted). And when I say "you" – I don't mean you. I mean a third-party forensic investigator. I could recommend a few if you need suggestions, but you may also want to consider reaching out to your insurance carrier (assuming the business has cyber insurance – more about that later).
So, why a forensic investigation? Forensic investigators try to answer questions like:
- Whether your network has been accessed by a bad guy (or girl) - let's say bad girl.
- How the bad girl gained access to the network (commonly referred to as the "root cause").
- What the bad girl did while in the network, e.g., did she move around (laterally) in your environment, and if so, where did she go?
- Did the bad girl access or exfiltrate (remove) data? And if so, what kind of data?
- And if the incident has really been contained. I know you said it has but there's no harm in having a second pair of eyes confirm. To the contrary, there's a lot of good reasons for doing so (e.g., it eliminates the appearance of bias and reduces privilege concerns if the forensic firm is engaged through the proper channels).
Why do these questions matter? There are legal reasons why they matter. The law requires businesses to notify individuals in the event of a "data breach" (a legally defined term which means there was unauthorized "access" or "acquisition" of certain types of protected information). And trust me, it's not a good idea to ignore those obligations.
There are business reasons too. Some of your customers may have questions about the incident—like what steps you took to make sure it doesn't happen again, and whether their data was impacted. If you don't know how the incident occurred and what data was impacted, it's going to be tough to answer those questions with certainty.
Should You Do the Investigation Yourself?
Now, turning to your next question, should you be doing this investigation?
Earlier I mentioned the use of a forensic investigator. The truth is, it's usually in a business's best interest to bring in a third party. Businesses sometimes shy away from third-party forensic investigations for one simple reason – like everything else these days, they cost money. In my experience, this happens most often when a business honestly believes that its employees can perform the same investigation without spending any extra money.
It's important to mention that sometimes there will be instances when a third-party forensic firm is not needed. BUT, before making that decision, businesses should really think about the legal and business ramifications of doing so. Usually, third-party forensic firms are engaged by outside counsel (lawyers at law firms) on behalf of the business that experienced the security incident. This allows businesses to claim privilege and work-product protection over the investigation and related communications. The law isn't super clear in this area, but recent cases have made clear that establishing these legal protections involves a fact-sensitive inquiry.
So, if you do the investigation yourself, you might have a tough time arguing that the investigation is privileged. Why? Because courts may view it as something that was done for business reasons, as opposed to legal ones. Because privilege is meant to allow open communications without fear of them being used against the company, conducting a privileged forensic investigation that is intended to also stop a criminal from further harming the company is likely in every company's best interest.
You may also want to bring in a third party for optics. Being able to tell regulators and people affected by the incident that a "specialized third-party forensic firm was engaged to determine the nature and scope of the incident" may give those parties comfort, and honestly, it might just be expected these days. I say this because when reporting a data security incident to regulators, several of them make businesses indicate whether a forensic investigation was performed. If you can't answer yes to that question – there's a good chance you may get additional questions about the investigation, including whether it was thorough and complete.
Engaging a third party to perform the investigation could also remove the appearance of bias. While certain in-house security professionals may be in the best position to investigate the cause and scope of a cybersecurity incident given their familiarity with the network, this could create obstacles — like whether a company's own investigation of how an incident occurred can be trusted — that could otherwise be avoided if a third party is used. Now do you see why optics are important?
Lastly, because you mentioned that you work in IT, I want to at least flag the difference between IT (short for "information technology") and information security. Put simply, IT professionals make stuff happen. They ensure networks, systems, and devices are working and running smoothly. In contrast, information security professionals stop bad things from happening. They focus on protecting data and assets and monitor emerging risks and cyberattacks. Thus, while a majority of security work is handled by IT professionals, understanding the distinction between the two is important.
Ok, to wrap up here, I wanted to share the following takeaways. Keep these close at hand – they'll come in handy now and for any other incidents that may come up.
- Don't skip doing a forensic investigation just because you believe the incident has been contained. You need to figure out the nature, scope, and size of the incident for business and legal reasons.
- When investigating an incident, always consider hiring, through outside counsel, a third-party firm to do the investigation for you. You may not need to take this step for every incident, but it's important to at least consider this step before doing the investigation yourself.
- Privilege is an important issue that businesses need to be thinking about in the context of responding to security incidents. For IT and security professionals not familiar with this concept – reach out to your legal team and start the discussion.
- Don't have a legal team or know of any forensic vendors? If your business has cyber insurance, your broker or carrier likely has a preferred panel of vendors that are ready to help with your response. So, if you have insurance, contacting your broker or carrier in the event of an incident may be one of the first steps you take.
Good luck with the incident, Forensic Forgoer. Perhaps you've had a change of heart (and name).