When your organization experiences a cyber-attack, you are not alone. The digital age presents more opportunities for hackers to breach information than ever before. According to the Identity Theft Resource Center, as of September 30, 2021, the number of publicly reported incidents of compromised data is 17 percent more than the total number of reported breaches during the 2020 fiscal year. In a 2021 report, IBM noted that data breach costs have risen over 10 percent in the last year alone. This applied to all phases of a breach, including detection and escalation, lost business, notification, and post-breach response. The report also estimated the average cost of a ransomware breach at about $4.62 million.

Anticipated Costs After a Cyber Attack

With the number of breaches steadily rising, costs will continue to pile up and organizations should factor this into their cyber incident response planning efforts so they can determine areas to mitigate anticipated costs ahead of time. Here are some insights into where hidden costs may appear during each stage of breach response.

Phase 1: Investigating the Data

After a breach occurs, there will need to be a forensic investigation to identify which files the threat actor accessed. Then, the response team will need to perform an investigatory analysis and identify documents likely to contain personal information (PI). The costs associated with this phase are typically straightforward and oftentimes itemized. The key to controlling these costs is effectively culling the data set to reduce the number of documents for review. The team should cull the information using proven and innovative technology and methods tailored to the specific data set.

Ultimately, the goal is to minimize the reviewable population while including all potentially sensitive information. Poorly executed culling can result in an overly inclusive review population or an inadequate data set. The former increases review costs and the latter does not completely capture exposed PI, subjecting the organization to potential fines or invoking the need for a second review. A focused and consultative approach specific to the data set avoids these hidden costs and increases efficiency, while also allowing the incident response team to focus more efforts on the subsequent phases.

Phase 2: Extracting the Data

Information about the makeup of the documents garnered during investigation helps the team identify the most efficient review methods and workflows. After culling, there are several ways to extract data from the review population. Costs vary between extraction methods but are usually broken down per hour or document. It is important to note that large, complex, or foreign language documents are typically priced separately.

Most uncontrollable data breach costs are incurred during this labor-intensive extraction phase. Uninformed decisions or miscalculations can greatly increase labor costs. For instance, while some think that deploying technology for extraction is a magic bullet, an automated review or one driven by artificial intelligence (AI) may not be the best strategy for many document types. Teams can often extract data from standardized forms programmatically, but it can be more difficult to identify PI in informal communications. Take a person’s name for example. While a machine might use capitalization to identify a name, people often fail to capitalize names when sending text messages on a mobile device or may use nicknames. As such, while deploying advanced technologies seems like the ultimate time-saving tool, this will not be universal. Since PI is so varied and appears in many unexpected places, training the system can be time-consuming, eliminating potential savings. This will lead to incomplete PI capture resulting in unanticipated costs. Incident response teams should proactively outline when AI technology could help a review and limit usage accordingly when costs would outweigh the benefits. Keep in mind that with larger data sets and quick deadlines, this technology would likely be worth the investment – at least to some degree. Deploying technology in conjunction with manual efforts or other tools could lead to cost-saving opportunities.

Phase 3: Compiling Data into a Notification List

The names and related PI that a response team extracts during review are finally compiled into notification lists. The initial notification lists typically contain duplicate entries – sometimes thousands of them. As such, entity deduplication efforts are critical to control costs during the notification and monitoring phases. Information shared between entries is used to tie multiple entries for a specific individual together and merge them. Since notifications must reach the correct person, address verification will be another step in the list creation. For effective notification, the team must identify the most recent address for each affected person.

Hidden costs also appear when the team does not accurately identify notification list requirements before data extraction. Some key things to consider are whether to include the final four digits of an individual’s financial account numbers in the notification letters or to use date of birth for deduplication purposes. If the review team does not fully extract this data the first time, second review and extraction costs can blow a budget.

Minimizing the Costs of Cyber Incident Response Review

These hidden costs are preventable or at least minimizable if a team understands the applicable rules, critical information about the breached company, compromised data, and ultimate project goals. Remember that quality control is imperative for a successful project during every phase. Having proper supervision over deployed workflows will catch errors earlier and allow for quick fixes. This reduces the costs associated with improper or unnecessary notifications, such as the risk of one notification going out where there should have been multiple notifications or delivering a letter containing PI to the wrong individual.

Incident response teams also need a clear understanding of the applicable jurisdictional laws and how they define PI, as this can vary. Have a firm grasp on how the organization identifies people, which will most likely be through an employee identification number or social security number. Analyzing document types with predetermined workflows and thoroughly defining notification list parameters will also help the team deliver the best possible results and lessen the risk of error resulting in extra costs.

Lastly, some important questions to ask to strengthen cyber attack response include the following:

• What is the investigatory process like?
• What unique data reduction processes does the service provider have?
• How do they customize workflows for individual projects?
• What methods are used to review the data?
• What does the notification list look like?
• Can the notification list be customized?
• How is the list deduplicated?
• Can the team provide the most recent addresses for affected individuals?

Knowing where the hidden costs lie can help a team proactively mitigate costly mistakes commonly made during the cyber incident response review. Communication is key - everyone needs to be aware of defined project needs and deadlines. Ensuring the lines of communication stay open between the internal review team, service provider, and organization will promote collaboration and advance successful project completion.

For more information on how to leverage technology in a cyber incidence response review, click here.

By Rebecca D. C. Eng, Esq. is an Associate Director for Epiq’s Cyber Incident Response team, focusing on creative and innovative solutions for the International Cyber Review case teams. Rebecca has six years of eDiscovery experience, managing and overseeing hundreds of Cyber Incident Response reviews.