Data Breach Response After the Fact

Your email has been frozen and your company website is down. Your IT department has confirmed a data breach. What do you do next? Incident Expert Lee Neubecker and legal expert Kari Rollins offer easy instructions about your next important steps.

It’s a fact! Your IT team confirmed a Data Breach or incident has occurred. What do you do after the fact? Forensic Expert Lee Neubecker and Legal Expert Kari Rollins say don’t panic! First, convene with your incident response team, start to investigate under privilege, and contact a 3rd Party forensic expert to help preserve vital information. Watch the rest of this video for further recommendations about data breach response after the fact!

View Part 3 of our 3-Part Series on Data Breach

The video transcript of Part 3 of our 3-Part Series on Data Breach follows.

Lee Neubecker: Hi, I’m back again with Kari Rollins, and she’s here talking with me today about data breach incident response. The Sedona Conference recommends how an organization should respond to such incidents. And we’re talking in this third part segment about what to do after an incident has been reported. So Kari, please tell me what the initial issues are that come to mind when you get that phone call from a client that says something happened.

Kari Rollins: Sure, so usually, as we were talking about in a prior segment, you may not know whether you’ve had a breach as defined by law. You are just told by your information security team, or an employee or a manager that you’ve had, there’s been an attack. Or there’s been, “I can’t get access to my email,” or, “My account’s frozen.” So you immediately start to investigate. You want your... according to your incident response plan which we’ll hopefully have in place, you’ll convene your incident response team; you’ll start to investigate under privilege. You’ll call if you need your outside forensic investigator to help you access it. Help you access what’s happened, right? That the facts in an incident are really, really important because they drive the legal conclusions. Have you had a breach, or have you had an incident that has resulted in the acquisition with just the access to personally protected information? Or are you... did you have an incident where maybe the systems that house the personal information were accessed, but there’s no evidence that the malware ever made it into the room where the family jewels are hidden and they were taken out. And that’s an important part of understanding whether you actually have a legal obligation to notify regulatory authorities or consumers. So the first step is always convening the team, putting it under privilege, calling your experts, and starting to investigate the important facts. Was this an outside threat, was it an insider threat? I know you’ve had experience a lot with investigating internal threats, which are on the rise these days as I would expect.

LN: And a lot of these incidents, it may be reported as a data breach, and the question is well, how did it happen? And sometimes, it’s not too uncommon that IT staff don’t receive the resources they request, and that data incidents happen as a result of being under-resourced. And in circumstances like that, there’s still a lot of pressure on the people managing IT, to not only run the organization ongoing but to deal with this whole new layer of troubles. So having that team in place beforehand where those relationships are there really helps.

KR: Yes

LN: And the other thing too is, you know, if there is a failure internally, it’s more difficult and less likely that you’re going to get the facts quickly if you’re using the team responsible in some way for the breach to report on what happened. I always recommend that after that initial meeting that preservation of key data occurs, and is offloaded outside the organization. You know, log files, certain key computers, email systems to the extent that they were modified so that there’s the ability to do that analysis. Because when an organization has an incident, it’s quite possible that all the data disappears, and the effort to cover the tracks.

KR: Or it’s not even, it may not be as nefarious as that. It could be that the teams are working so quickly a lot of the remediation plans are to thwart the malware and to remove it. But, in a lot of instances, you need to safely remove it and keep a copy of it, because you need to reverse engineer it. And understand how it got there, understand other signatures it might have; so being thoughtful, and we talk about this being thoughtful about evidence preservation is really critical, especially if you get to the point at which you do have a breach that requires notification. And litigation regulatory inquiry ensues, you will have been expected to preserve that evidence and show the chain of custody. Otherwise, you could have allegations of spoliation leveled against your company.

LN: And I’ve seen circumstances too where a legitimate data incident happens and we’re able to get it quickly and identify the impacted individuals. And sometimes it’s just been a few people; in a circumstance like that, it’s much easier to reach out to those individuals, make things right, and resolve the issue. And be able to report to them what happened. It’s much better than having to publish on your website and report to the attorney general that you had some massive data breach. So, not all data incidences are massive data breaches.

KR: That’s true, some of ’em impact you know, one or two individuals, and you may still have an obligation to notify them under the relevant law. But they don’t have to be the big massive breaches. And again, I think the great thing about the Sedona Conference Guide is that it’s, you know, it helps companies navigate small to big breaches. You know, it’s not intended to be the ultimate authority on the law in this area, because the law is ever-changing. But what it does is it helps companies issue spot from a practical perspective so that they know what laws they need to consult, and why and what issues they need to address, like for example, notifying your insurance carrier. One of the big questions we always get is, Well, we’re the victims, here; the company X is a victim of this cyber attack. Who’s going to pay for it?

LN: Yes.

KR: And so, insurance coverage for cyber incidents is a really hot-button issue these days. And so it’s important for companies to know in advance what their policies say, what the notification requirements are. Even if they just have a sniff of an incident – maybe it’s not a breach. So that the third-party and first-party costs are covered, and that you’re working with your insurance carrier, and you’re working with your insurance counsel to ensure that coverage. And to make sure that you’re getting the right information to your insurance carrier about your forensic teams. Are they approved? What rate are they going to be reimbursed? What type of reporting do you have to do from a cost and expense perspective to your insurance carrier? So.

LN: And, is it true that if companies use their own internal IT resources to do the investigation, that the insurance carriers usually won’t pay out their own internal resources?

KR: It really depends. It depends on the policy.

KR: It really depends on the policy. There are, in some instances, some policies would cover the first-party staffing costs, so for example, if you had to pay staff overtime to work 24 hours a day to try and investigate, you may be able to claim that. But it really depends on your policy. There’s certain... there’s certainly reimbursement line items for business disruption and business interruption. Or, you know, the loss of business, lost profits line items, as a result of ransomware attacks. But again, knowing your policy is a critical step in preparing.

LN: Where do you see the benefits of using an outside forensic investigator as opposed to internal IT to investigate when an incident happens?

KR: You know, I think it’s two-fold. One, a lot of internal IT teams are taxed as it is with their day-to-day obligations. And if an incident is one that is medium-high critical, you want to be able to dedicate the resources to the incident to investigate swiftly, and to ensure that there’s no delay. And so pulling in a third-party forensic expert alleviates some of that burden and stress on the IT teams. And then separately and secondly, it also creates a level of objectivity that is... that benefits the company in the event. Or in the unfortunate event, someone in the IT group may have made a mistake that caused the vulnerability. It’s less likely that that mistake would be covered up. Or there’s going to be more candor from the third-party expert to the management team, to say like, “Hey, this issue should have been addressed.” And it wasn’t, and now you know what thwarts may be in the event. You have some litigation down the road and you need to defend. But so I would say really sort of time and devotion of resources where needed, and objectivity.

LN: Great, well thanks a bunch for being on this show; this was great.

KR: Absolutely, thank you.

Part 1 of our 3-Part Series on Data Breach

Part 2 of our 3-Part Series on Data Breach

To Learn More About Sheppard Mullin / Kari Rollins

https://www.sheppardmullin.com/krollins

Debt Forgiveness with Jacob Meister

“Wipe out court debt!” says Jacob Meister, candidate for the Cook County Clerk of Circuit Court. He has a plan to ease the crushing burden of fines, fees, and forfeitures. Check out this video to learn more about his solutions.

Debt forgiveness is now one of the most popular presidential campaign promises, but what does it mean on the local level? What does debt forgiveness mean for City of Chicago taxpayers?

Enigma Forensics President & CEO Lee Neubecker interviews Jacob Meister, who is running for the office of Cook County Clerk of the Circuit Court. Lee is interested to learn more about Jacob’s plans regarding debt forgiveness.

Part 3 of our 4-Part Series on the Cook County Clerk of the Circuit Court, Jacob Meister


Lee Neubecker: Hi, I have Jacob Meister back to my show. Jacob, thanks for coming.

Jacob Meister: Well, thank you for having me Lee.

LN: Jacob’s running for Cook County Clerk of the court. And we’re going to talk today a little bit about some things that have been trending in the news related to debt forgiveness. From the federal student loan debt, there have been talks about wiping out the debt owed, lots of people are concerned over medical-related debt. But now there’s been some, some calls by one of the candidates running, requesting that we just wipe away the court debt. And I wanted to get your feedback on what the problem is there, and what do you think the solution is?

JM: Well, for years, I have been an advocate for easing the burden with court fees that are charged to litigants, fines, and forfeitures that go through the clerk’s office. The clerk is required to collect fines, fees, and forfeitures that are implemented usually by statute, or by sometimes by the court rules themselves. But what we see is a tremendous economic cost and social injustice that’s done. So just imagine you’re a single mother who’s been evicted from your apartment or your home. And you in order, you get a summons from the sheriff saying you must appear or you’re going to get a default judgment entered against you. But first, you have to file an appearance and pay a fee. It’s going to be $250 to defend yourself. And if you don’t, you’re going to get defaulted. And this is a crushing burden, you know, single mother, and it can affect that anybody who’s battling an addiction, be it child custody, it could be dealing with a divorce, it could be dealing with any number of things. We need to stop placing a crushing burden on the users of the court systems and make up a system that’s available to everyone.

LN: But who decides what that fee is?

JM: That with that state legislator, and that’s the Supreme Court, and the county board. Some of those fees go there too. We have to stop squeezing court users to pay these fees and start paying for it in other ways. But in any event, I have been a supporter of, for instance, when people get fines, if you have a fine, you know, you would support and post fine and some people can’t pay it and it becomes this burden and you get trapped and sometimes you get imprisoned. Because you can’t pay these fines that you’ve been ordered to by the court. One of the things that we, that I worked on in Springfield and we need to expand is allowing people to get credit for community service so that they have, if they can’t afford to pay the fines, they have a way that they can provide community service and reduce that fine over time. We have to come up, we have to be better about how we handle these things. We know, we have to stop taking away people’s driver’s licenses because they can’t pay their fines, because that puts them in a cycle of debt that they can never get out of, because all of a sudden, they can’t drive themselves to work, they lose their jobs.

LN: They can’t get a new job.

JM: They can’t get a new job. Exactly. So we need to ease the burden there. I will continue to work with the folks in Springfield, with the folks in Cook County government, and with the courts. I’ve got very good relations there, and I will work to make sure that social justice is being achieved, and that we’re not putting people in a vicious downward spiral of debt.

LN: So some of the efficiencies you talked about earlier about making the court more efficient. Some of those efficiencies might help to pay for some of this relief on some of the oppressed people that are really being trapped in a cycle.

JM: Absolutely. Absolutely. Absolutely. And that’s the goal, is to make sure that our courts are accessible to everyone, that we’re doing justice, and that we’re achieving social justice. We’re not just trapping people in a court system and in burdensome debt.

LN: Well, thanks for being on the show again.

JM: Well, thank you for having me, Lee.

Part 1 of our 4-Part Series on Jacob Meister

Part 2 of our 4-Part Series on Jacob Meister

View Jacob Meister’s website

http://jacobforclerk.com

View Government Debt Forgiveness Programs

https://www.chicago.gov/city/en/depts/fin/supp_info/debt_relief_faqs.html