Data security incidents frequently involve sophisticated and complex questions of how the data loss occurred, especially if the company has suffered a cyber attack, and what data was affected. The difficulty of answering these questions is amplified as the scale of the breach becomes larger, but even small-scale security incidents frequently require expert forensic help in getting to these answers.

Practical Law asked Craig Hoffman, a partner on the data breach response team at Baker Hostetler LLP, to provide some insight on selecting a forensic vendor to assist in investigating and responding to a potential security breach incident. Craig has deep experience representing leading companies in investigating and responding to complex data breaches. He moderates the Baker Hostetler data privacy and information security blog, dataprivacymonitor.com.

Companies should choose a forensic firm that can assist in the event of a potential security incident before an incident ever occurs. If a company becomes aware of a potential incident that requires help from a computer security firm, the clock for notifying affected persons may have already started running. Companies that are unprepared for this scenario sometimes hit the panic button—they want a forensic firm on-site to help immediately. They turn to Google searches, calling peers for references, or maybe even an IT firm that helped them with a project once. Making such an important choice under these conditions is not ideal.

Once the company selects the forensic firm that it plans to use in the event of an incident, the parties should go ahead and negotiate a master services agreement (MSA) and statement of work (SOW). It is important to take this step in advance because once an incident occurs, the company really is experiencing a crisis situation. Operating in crisis mode means less negotiating leverage for the company and sometimes even less willingness on the part of stakeholders to try to seek favorable terms. In addition, many forensic firms will not deploy resources until they have a signed agreement, and it is not unusual for it to take three to five days for the parties to negotiate a final agreement. Companies facing the difficult task of attempting to complete a forensic investigation and provide notification within 30 days of first awareness of the potential incident would love to have back some of the upfront engagement time, especially if it turns out, as it frequently does, that the mailing vendor needs all mailing deliverables five days (names, letters, addresses, etc.) before they will start to mail letters.

Getting the MSA and SOW signed does not immediately result in clear sailing. These investigations do not play out like a CSI television show—companies do not get answers on the day the forensic firm arrives on-site. It is not unusual for it to take seven to ten days to get preliminary findings. Hopefully the security firm begins to learn about the company's environment and what forensic data are available while building the SOW. But complications can arise when the company cannot quickly and accurately describe its network, collect logs, make forensic images to ship to the firm, get cooperation from key third-party hosting vendors, or provide the firm with remote access to operational monitoring tools, like a security information event monitor (SIEM). Having a vendor in place that understands the company's systems and procedures can mitigate against some of these risks.

It varies depending on applicable law. Most state data breach laws provide that notification must be made in a "reasonable" time of discovering the breach or something similar, but some states require that notification be made in as little as 30 days. Even when the law provides for a 30-day response time, however, companies do not always get the "luxury" of having 30 days to investigate, determine who is potentially affected, and then mail letters. It is not uncommon for third parties to be aware of the incident before the company, which can result in public awareness before the company has even started to investigate. According to Mandiant’s 2015 M-Trends report, in 69% of the incidents it investigated, the company learned of the potential incident from a third party. Mandiant also reported that the median number of days from when the attacker first broke-in until detection was 205. Slow detection and early public awareness are two factors that often lead to companies making missteps in initial public statements.

When there is early public awareness, companies have fared better when they can at least make an initial statement that they have identified and stopped the issue from continuing. According to Trustwave’s 2015 Global Security Report, the median time from detection to containment was seven days. If it took several days to get the security firm engaged and then seven more days to learn enough about the attack to put in place an effective containment plan, that means it is ten days or more before the company is even prepared to provide a short holding statement in response to customer or media inquiries that the company has identified and stopped the attack. And reaching containment does not mean the investigation is complete—it usually takes several more weeks to determine the full nature and extent of the attack. Only after the security firm can identify what the attacker accessed is the company positioned to determine what notification obligations may exist.

Companies that are working to select a primary security firm as part of their incident response preparedness efforts should consider the following factors:

Protecting attorney-client privilege and work product privilege when it comes to forensic investigations is an important concern. Ideally, to assert that privilege and work product apply to the findings of the firm, the agreement with a forensic firm should be a three-party agreement between the company, outside counsel, and the forensic firm. The forensic firm should be conducting the investigation at the direction of counsel and for the purposes of allowing counsel to provide legal advice to the company in anticipation of litigation that may arise from the incident. In addition, companies should consider, and the terms of the agreement should reflect, how the forensic vendor will address:

After selecting the forensic firm and negotiating the MSA, companies can further improve their readiness by doing some onboarding with the security firm. One option is a meeting with the security firm and the incident response team to learn more about the company’s IT structure. A key discussion point for this meeting would include identifying logging practices. Experienced security firms have good insight into what data they need to help the company get more certainty about what occurred, especially if the attacker broke in more than six months ago. Other preparedness options include working to fine-tune the security department’s incident-specific "run books," which define procedures that apply in the event of a given incident fact pattern, and inviting the security firm to participate in the company's mock-breach tabletop exercises.