The face of data breach investigations is changing as companies weigh business factors outside of the traditional office of information security.
Following a breach, for example, companies are no longer likely to make their first call to an incident response firm but rather to an outside attorney, a trend that legally protects businesses but could make the technical response more difficult, according to ongoing research by a trio of academic researchers. Nearly half of all companies call in lawyers to lead the investigation, relying on their expertise to navigate regulatory requirements, hire outside consultants, and write final reports, the academic experts found.
Insurance firms are also seeing thousands of cyber breaches handled by outside attorneys, rather than an outside technical consultant, says Josephine Wolff, an assistant professor for cybersecurity policy at Tufts University's Fletcher School of Law and Diplomacy. Wolff is working with two other academic researchers to collect data on how companies respond to data breaches.
"The idea is that a lot of incidents were breaches of personal information, and those resulted in class-action lawsuits ... and how do we protect as much of our investigation as possible using attorney-client privilege," she says. "I don't know if [companies are] trying to get around rules so much as it is about anticipating litigation and being in as strong a position as possible if there is a lawsuit."
The research shows just one way that companies have to adapt to the changing landscape of cybersecurity breaches. Another shift in the landscape is the increasing difficulty in finding ways to offset the risk of a cyber intrusion through insurance.
While cyber insurance continues to be a lucrative industry, every claims category has increased in the past year. Cases of malicious breaches and unintentional disclosure, which account for tens of thousands of claims, each increased by 18% year over year, according to data from insurance-market analysis firm Advisen. By far, the greatest change has occurred in cyber extortion — ransomware — which jumped by nearly 150% in a year.
'Blood in the Streets'
Faced with large claims from ransomware incidents, cyber insurers have raised rates while adding more limits to new and renewed policies, says Jim Blinn, executive vice president of client solutions at Advisen.
"As you look at the impact from the insurers' perspective, there is a lot of blood in the streets," he says. "They have been hammered by the costs of these breaches, and ransomware has caused premiums to go up a ton, so insurers are looking to figure out how to reduce their exposure."
Overall, the two related trends mean that companies are more worried about the impact of compromises. Cybersecurity-services firm CrowdStrike found that almost half of incident-response engagements (49%) are now requested by outside attorneys, according to the firm's annual cybersecurity services report.
While the strategy may protect companies in the case of a lawsuit, since much of a legal firm's research would be considered privileged information, the legal layers also make the collection of breach data more difficult, says Tufts' Wolff. Wolff is collaborating with law professor Daniel Schwarcz at the University of Minnesota Law School and postdoctoral fellow in computer science Daniel Woods at the University of Innsbruck in Austria to determine whether the shift to using attorneys — and the protection that attorney-client privilege grants companies — is undermining organizations' cybersecurity response.
When an outside law firm conducts the investigation, work product can be argued to be protected and thus not discoverable in a lawsuit, the researchers stated in a legal analysis.
"My interest in this comes from how do we collect better data about cybersecurity incidents and what we need to be doing to better defend against them," Wolff says. "And I do think there are ways that it is possible that privilege and the involvement of lawyers makes that more difficult."
Yet the legal counsel for one incident response firm argued that, given the increasing complexity of breach-reporting and privacy regulations, the trend toward using attorneys as the lead in incident response is natural. Companies with European customers have to worry about the General Data Protection Regulation (GDPR), while those businesses with California customers need to abide by the California Consumer Privacy Act (CCPA). And those are only two examples — Colorado and Virginia both have laws similar to California, and at least six more states have active bills under consideration.
"One of the reasons why we see our clients and the industry as a whole using outside counsel to lead investigations is because incident response itself is increasingly regulated," the attorney stated. "Different legal regimes and regulations often apply, and companies want an expert who deals with the issues every day helping them to navigate the terrain."
As the bills are signed into law, the fear of being sued is not without cause, says Advisen's Blinn. Any company suffering a major breach usually has to defend against a lawsuit, he says.
"The plaintiff bar — at first, it was going a little slow for them, but they have been moderately successful at getting companies to pay up," he says. "Plaintiff attorneys are economic beasts, and they go where they can to make a living."
Whether the trend will hinder firms' response to cyberattacks remains a question — one that the academic researchers hope to answer.