Dear Mary,

I work in the IT department of a mid-sized company that recently detected a security incident. Everyone is freaking out – minus me. My manager asked our IT team to investigate the incident. But the incident is already contained, and business is back to normal. Why do we need to investigate further? Like seriously, why? And if we do need to investigate further, should I be doing this? I’ve been in IT for a while, and I have never been in this situation before.

– Forensic Forgoer in Florida

June 3, 2024

Dear Forensic Forgoer,

I am happy to hear the incident has been contained. Containment is a critical step in the incident response process, but it is not the only one.

Do You Need to Investigate?

Your first question is whether you need to investigate the incident. Y-E-S!

You most certainly do need to investigate. Here’s why. A forensic investigation goes beyond containment – you should figure out the nature, size, and scope of the incident because: (1) the business should know; and (2) there may be legal things that the business needs to be thinking about (e.g., notifying people that their data may have been impacted). And when I say “you” – I don’t mean you. I mean a third-party forensic investigator. I could recommend a few if you need suggestions but you may also want to consider reaching out to your insurance carrier (assuming the business has cyber insurance – more about that later).

So, why a forensic investigation? Forensic investigators try to answer questions like:

  1. Whether your network has been accessed by a bad guy (or girl) – let’s say bad girl.
  2. How the bad girl gained access to the network (commonly referred to as the “root cause”).
  3. What the bad girl did while in the network, e.g., did she move around (laterally) in your environment, and if so, where did she go?
  4. Did the bad girl access or exfiltrate (remove) data? And if so, what kind of data?
  5. Whether the incident has really been contained. I know you said it has, but there’s no harm in having a second pair of eyes confirm. To the contrary, there are a lot of good reasons for doing so (e.g., it eliminates the appearance of bias and reduces privilege concerns if the forensic firm is engaged through the proper channels).

Why do these questions matter? There are legal reasons why they matter. The law requires businesses to notify individuals in the event of a “data breach” (a legally defined term which means there was unauthorized “access” or “acquisition” of certain types of protected information). And trust me, it’s not a good idea to ignore those obligations.

There are business reasons too. Some of your customers may have questions about the incident—like what steps you took to make sure it doesn’t happen again, and whether their data was impacted. If you don’t know how the incident occurred and what data was impacted, it’s going to be tough to answer those questions with certainty.

Should You Do the Investigation Yourself?

Now, turning to your next question, should you be doing this investigation?

Earlier I mentioned the use of a forensic investigator. The truth is, it’s usually in a business’s best interest to bring in a third party. Businesses sometimes shy away from third-party forensic investigations for one simple reason – like everything else these days, they cost money. In my experience, this happens most often when a business honestly believes that its employees can perform the same investigation without spending any extra money.

It’s important to mention that sometimes there will be instances when a third-party forensic firm is not needed. BUT, before making that decision, businesses should really think about the legal and business ramifications of doing so. Usually, third-party forensic firms are engaged by outside counsel (lawyers at law firms) on behalf of the business that experienced the security incident. This allows businesses to claim privilege and work-product protection over the investigation and related communications. The law isn’t super clear in this area, but recent cases have made clear that establishing these legal protections involves a fact-sensitive inquiry.

So, if you do the investigation yourself, you might have a tough time arguing that the investigation is privileged. Why? Because courts may view it as something that was done for business reasons, as opposed to legal ones. Because privilege is meant to allow open communications without fear of them being used against the company, conducting a privileged forensic investigation that is also intended to stop a criminal from further harming the company is likely in every company’s best interest.

You may also want to bring in a third party for optics. Being able to tell regulators and people affected by the incident that a “specialized third-party forensic firm was engaged to determine the nature and scope of the incident” may give those parties comfort, and honestly, it might just be expected these days. I say this because when reporting a data security incident to regulators, several of them make businesses indicate whether a forensic investigation was performed. If you can’t answer yes to that question – there’s a good chance you may get additional questions about the investigation, including whether it was thorough and complete.

Engaging a third party to perform the investigation could also remove the appearance of bias. While certain in-house security professionals may be in the best position to investigate the cause and scope of a cybersecurity incident given their familiarity with the network, this could create obstacles — like whether a company’s own investigation of how an incident occurred can be trusted — that could otherwise be avoided if a third party is used. Now do you see why optics are important?

Lastly, because you mentioned that you work in IT, I want to at least flag the difference between IT (short for “information technology”) and information security. Put simply, IT professionals make stuff happen. They ensure networks, systems, and devices are working and running smoothly. In contrast, information security professionals stop bad things from happening. They focus on protecting data and assets and monitor emerging risks and cyberattacks. Thus, while a majority of security work is handled by IT professionals, understanding the distinction between the two is important.

Ok, to wrap up here, I wanted to share the following takeaways. Keep these close – they’ll come in handy now and for any other incidents that may come up.

  1. Don’t skip doing a forensic investigation just because you believe the incident has been contained. You need to figure out the nature, scope, and size of the incident for business and legal reasons.
  2. When investigating an incident, always consider hiring, through outside counsel, a third-party firm to do the investigation for you. You may not need to take this step for every incident, but it’s important to at least consider this step before doing the investigation yourself.
  3. Privilege is an important issue that businesses need to be thinking about in the context of responding to security incidents. For IT and security professionals not familiar with this concept – reach out to your legal team and start the discussion.
  4. Don’t have a legal team or know of any forensic vendors? If your business has cyber insurance, your broker or carrier likely has a preferred panel of vendors that are ready to help with your response. So, if you have insurance, contacting your broker or carrier in the event of an incident may be one of the first steps you take.

Good luck with the incident, Forensic Forgoer. Perhaps you’ve had a change of heart (and name).

— Mary

“Dear Mary,” an advice column from Troutman Pepper’s Incidents + Investigations team, will answer questions about anything and everything cyber-related — incident response, forensic investigations, responding to regulators, breach-related litigation, and much more. “Dear Mary” goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to our reader’s questions with concise, practical answers. Answers will be general in nature and will not contain legal advice. If you need legal advice or representation, please contact one of our attorneys directly. “Dear Mary” also can be found here on the firm’s website.