Prior to California SB 1386, California’s breach notification law, and the resulting flood of states’ laws and regulatory interest, the investigation of data breaches was mainly an exercise in identifying and patching a vulnerability, plus trying (often in vain) to identify the perpetrator. When reviewing accounts of network breaches in the 1980s and 90s, the impression is often of a highbrow game of chess.
California SB 1386, and subsequent breach notification legislation, has radically changed the nature and tenor of responding to data breaches by introducing mandatory notification requirements and opening the door to significant regulatory fines and civil damages. This has affected the way evidence in data breaches must be collected and treated.
The gathering of evidence has always been a significant step in analyzing the cause and extent of data breaches. However, the use of forensic evidence and methodologies (i.e. preserving data so that findings can be verified and authenticated in litigation) has grown in importance in the last couple of years. Factors driving this trend have included:
- A realization that many network breaches do not automatically lead to unauthorized access of PII or PHI, and that forensic analysis can obviate the need for expensive notification and detrimental publicity
- A growing trend for regulators to question the procedures used by organizations in determining the scope of a breach and the numbers of persons to be notified
- A surge in civil claims following data breaches, with plaintiffs’ attorneys being ready to argue that inadvertent loss of data during the initial breach response is spoliation of relevant evidence, leading to sanctions and negative presumptions against the breached organization.
The role of evidence in data breach cases poses unique challenges, both technically and legally. Technically, the gathering of evidence is a crucial first step in analyzing the cause and extent of data breaches. Such evidence often consists of automatically generated logs and audit records and is easily lost or overwritten if not collected immediately. In addition, the very configuration and file structure of infected machines can be crucial in determining the source and extent of an intrusion. This is exactly the type of evidence that is often lost as in-house IT teams struggle to get an organization safely back online. Finally, attackers have been known to specifically target and erase the evidence of their intrusion that was left on the compromised networks. This has all led IT teams to adopt more advanced tools and methodologies to preserve evidence and analyze the data immediately following a data breach in a way that allows findings to be later verified and authenticated.
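A minimal illustration of the "preserve so it can later be verified" step described above, added here as an example rather than code from the original article: collected logs and configuration files are hashed into a manifest at collection time, and re-hashing later detects anything that was overwritten (for instance by log rotation during recovery). The sample evidence, file names and collector identity are constructed for the example.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# Constructed sample evidence (not from a real incident): a log excerpt and a config file.
SAMPLE_EVIDENCE = {
    "auth.log": "Mar 03 02:14:07 db01 sshd[4412]: Accepted password for svc_backup from 203.0.113.9\n",
    "httpd.conf": "DocumentRoot /var/www/html\nServerTokens Full\n",
}

def sha256_file(path):
    """Hash in chunks so large disk images and logs are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record path, size and SHA-256 of every collected file, plus who collected it and when."""
    files = []
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files.append({"path": os.path.relpath(path, evidence_dir),
                          "size": os.path.getsize(path), "sha256": sha256_file(path)})
    digest = hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()
    return {"collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector, "files": files, "manifest_sha256": digest}

def verify_manifest(evidence_dir, manifest):
    """Re-hash the collection; return [(path, problem)] for anything missing or altered."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "modified"))
    return problems

def demo():
    """Collect the sample, verify it, then simulate a log being truncated during recovery."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    for name, content in SAMPLE_EVIDENCE.items():
        with open(os.path.join(evidence_dir, name), "w") as f:
            f.write(content)
    manifest = build_manifest(evidence_dir, collector="analyst@example.com")  # hypothetical collector id
    clean = verify_manifest(evidence_dir, manifest)     # []
    with open(os.path.join(evidence_dir, "auth.log"), "w") as f:
        f.write("")                                     # log rotated/cleared after a reboot
    tampered = verify_manifest(evidence_dir, manifest)  # [("auth.log", "modified")]
    return clean, tampered
```

The `manifest_sha256` value is what gets recorded on the chain-of-custody form (or signed) at collection time, so a later party can confirm the manifest itself was not altered before checking the files against it.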