We bring with us a team with experts in all of the facets of breach response working as one:
IT discovery and IT Forensics often gets top billing, but it only accounts for 20% of the overall cost of a breach response. The IT discovery task is highly specialized. It’s the Sherlock Holmes of the team, and very few IT departments – even in the biggest of companies – have experts in this highly specialized skill. IT Forensics really has little to do with IT. It is the process of recording the actions that were taken and the decisions made – along with the evidence – for future use by law enforcement or your legal defense team. For maximum credibility, this person should not be one of your employees.
Compliance Counsel is a lawyer who constantly monitors the response, and often leads it. They are experts at the breach response requirements and their deadlines from all sources: state law, Attorneys General’s guidance and precedent, court decisions and legal precedents, federal requirements (FDA, FTC, HIPAA and HI TECH, and many other federal commissions who have asserted regulatory oversight and authority), as well as private organizations – primarily for PCI data – who have asserted regulatory authority such as the PCI Security Standards Counsel. This critical role is like the conductor of the orchestra. They make sure the response team knows exactly what they must do and by when.
Client’s Counsel is a very different lawyer with a very different function. It is your lawyer; you are his client. Their role is to be the conduit of information between you and the breach team. The purpose of this lawyer as an information intermediary is to protect some of the information from discovery in the case of a lawsuit. This role is very often misunderstood: Only 1 out of every 100 incidents will need a “Client’s Counsel”. Naming a client’s counsel should NOT happen until it is abundantly clear that there is a real risk of litigation resulting from this incident. For this decision to be made wisely, you, the client, need to have access to an incident risk assessment process.
PR Advisor. The minute a breach reaches the risk level to require a Client’s Counsel, a PR Advisor should join the team. At this point we, (Caerleon Security) are now working hard to reduce your reputational risk as well as reduce the probability – or eventual settlement – of litigation. People who have just been hacked are (almost always) not able to assess how best to explain what happened and how they are working hard to fix things. They are defensive and want desperately to make it all go away. They have no idea how the person who has been hurt might feel. This is the role of the PR Advisor: to understand how best to present the client to the public. A classic example of a huge breach that should have had a PR Advisor guide their communication is described in our blog. One of the members of Caerleon’s team was a victim in the Experian-caused breach of PII at T-Mobile. You can see the communications and how tin-eared (i.e. awful) it was.
Notification and a Call Center (if needed) is a very special skill. Massachusetts prohibits telling the victim of PHI what kind of information was compromised in a letter. Should you have the call center be overseas (it’s less expensive) or should it be in North American. How do you remove duplicates (see the blog)? How do you personalize 10,000 letters? 1 million letters? Doing it badly makes you look bad (see the blog).