An appropriate breach coach will have a strong and demonstrated background in supporting different types of data breaches. They must have well-rounded knowledge of the breach life cycle from start to finish, including the investigation process, breach laws and regulations, notification procedures, regulatory requirements and consumer expectations of the breached company. In addition, a good breach coach will have extensive experience and good working relationships with forensic and crisis management firms.
It is also highly recommended to seek out a breach coach who has established relationships with government stakeholders and regulators. A breach coach with a solid reputation for engaging cooperatively and collaboratively with state attorneys general and federal regulators right from the start is more likely to achieve favorable outcomes for the organization in the aftermath of a security incident.
Michael Bruemmer, vice president, Experian Data Breach Resolution, says that there are several important characteristics that must be considered when selecting a breach coach: "A good legal partner should have experience that goes beyond simply helping with formal legal notification. They should be able to serve as an overall breach coach with a strong understanding of what's needed from the technical investigations, as well as the potential implications of legal decisions on trust and reputation. One effective approach when vetting a legal partner is simply to inquire about their experience and approach working with forensic investigations and public relations firms. Counsel should also be able to provide insights about the latest developments in case law, which should inform all decision-making throughout the process."
Choosing the right forensics firm
Many breaches will require the assistance of a computer forensics firm to identify the cause, timing and scope of the data breach. They should be highly trained, technical professionals who have a demonstrated history of handling a wide range of sophisticated data security incidents. Problems may arise, however, if the forensic specialist is unable to communicate effectively with the organization.
Bruemmer recommends that they have the ability to clearly translate the enterprise risk implications of a data breach into language that the organization's decision-makers can understand. "Often critical information can be lost in translation between the technical team and executive teams, which can lead to confusion and less than ideal decision making. Organizations will be looking for candidates who have demonstrated that they understand that a breach is not just a security issue but also has a potential impact on reputation."
"To effectively contain and investigate a data breach requires a broad set of technical skills including the ability to collect evidence, reverse engineer malware and quickly remediate threats on existing systems," said Erin Nealy Cox, executive managing director of incident response firm Stroz Friedberg. "When identifying potential forensics partners, experience is key. Organizations need to consider the scope and breadth of a firm's incident response experience as well as whether they have industry-specific expertise. They should also ensure the firm has the scale and global reach necessary to act quickly in the event of a breach."