How To Fix A Data Breach: Fast And For Good

The Australian Federal Government this week launched the annual Stay Smart Online Week. In conjunction they have released the Stay Smart Online Small Business Guide. Business owners can use this guide to ensure they are following safe online practices, and have sufficient security in place to protect sensitive data from a potential breach.

This comes at a time when businesses, organisations and government departments are increasingly being subject to data breaches on a regular basis. Yet in what is a growing concern, there appears to be little consensus about what entities should do once a breach is discovered.

Defining a data breach is an exercise in itself. At its core, it refers to an unauthorised access of information on a computer or network. Hacking is the most common example, however the guidelines below apply not just to data breaches but to instances of online bullying, defamation, threats and similar problems in the digital space.

So who should you call when you want to investigate a data breach? The straight answer is that it all depends on what you want to achieve.

The first point of call is often the IT team

Management or HR usually call on an internal (or external) IT department to uncover information about the breach so appropriate steps can be taken.

The IT team will have some level of knowledge about what to look for; they may even be able to clarify exactly what happened and/ or identify a suspect. And that’s precisely why specialised training and communications are so important. Melissa Misuraca, Education Principal at RMSEC, information security services provider, says, “We are finding a greater demand for training and awareness programs as companies are recognising information security as an enterprise-wide risk that can have significant impacts on revenue and reputation. By appropriately training staff, a company can increase awareness about threats like hacking and malware and, consequently, reduce risk to their systems and data.”

What are the downsides of calling on IT first?

Surely the end goal of any data breach investigation is to punish the culprit or receive restitution to compensate for the loss. In the instance that the IT team is required to give evidence against a current or former employee, or an external hacker in a civil action or criminal trial, there are some likely problems that will arise.

Firstly, the IT team are not forensic experts. RMSEC Director Russell Clarke says, “Forensic analysis is a highly technical, specialist area. It is paramount to ensure that the end-to-end process is legally admissible. An unbiased, third-party specialist will discover exactly what has been accessed and compromised and identify what caused the data breach. They’ll also suggest remediation activities to prevent the issue from occurring again.”

If the party responsible for the hacking calls a forensic IT technician as a witness, he will be able to show that forensic protocols weren’t adhered to by the IT team, proving as a result that the evidence can’t be considered watertight. Secondly, any element of independence in the evidence is now gone. While an expert witness understands his duty to the court first and foremost, an employee owes a different obligation. A court will consider this when making a determination. In a worst case scenario, an IT team may actually contaminate evidence and make it inadmissible.

Are the police your best option in the event of a data breach?

Police are equipped with the best resources and experience to deal with a crime. If they are called in to investigate the matter themselves, it might not end up costing you much, if anything.

That is – if you don’t mind waiting long periods of time for a result.

Police will only investigate criminal cases; they won’t assist with civil matters. What’s more, they’ll only take on cases they deem serious enough – we are talking blood on the keyboard type of stuff. 18 days is a long time in digital investigations, let alone 18 months, which is what it may take for the boys in blue to act. Time is of the essence when endeavouring to identify persons associated with certain IP addresses or to honeypot a suspected perpetrator.

In order to protect your confidential information or trade secrets, or to identify a weak link in your company, you will need another strategy.

Police will typically err on the side of wrongly categorising a matter as civil over criminal.

They do this in order to prioritise their workload and focus on more serious cases.

Keep in mind that in any criminal case there’s generally very little to gain for the victim. If you are looking for compensation or a specific outcome in a digital matter, you will most likely need to commence a civil action – and for that you are going to need legal advice.

Note: In some cases you are obligated to report suspicion of a criminal offence to the police. Always seek advice from your lawyer in this regard. Keep in mind, just because you have reported something to the police, it doesn’t mean you have to encourage them to take your computers and investigate it themselves.

Do you need to engage a lawyer?

A lawyer is an absolute must in a data breach scenario. Especially if you want to restrain another party from using your protected information, or when seeking some kind of restitution against an untoward internal or external element.

It’s important to find a lawyer with IT expertise, as many don’t deal directly in this area. An IT-savvy lawyer will advise on any contractual, equitable or tortious action available to you against a hacker, bully, blackmailer or employee intent on stealing your intellectual property.

Such a claim may be available to you regardless of whether there’s criminal activity involved. However, as any lawyer knows, your case ultimately depends on one thing: evidence.

Lawyers are good at acting in circumstances where evidence is already laid out, whether it be in a will, a contract, a witness statement or a doctor’s report. Evidence in IT matters is usually contained in binary code on a hard drive or server that isn’t readily accessible.

So how do you go about getting that evidence? The answer’s simple; start investigating.

Step one: Hire a private investigator.

More to the point, hire an investigator with computer forensics capability. Some private investigators have a saying about lawyers: “Investigators know more about the law than lawyers know about investigating.” The sole job of an investigator is to uncover independent evidence that can be used, if needed, for legal purposes. So before you expend legal fees, know what evidence you can put before your lawyer. When you know what evidence is available, your strategy will fall into place.

Check to ensure your investigator has computer forensics expertise. Your witness is the person submitting affidavits or providing testimony for your matter, so an expert will minimise the risk of your evidence being questioned.

Digital investigations are often a moving feast; and an investigator alone will realise often the best evidence is yet to become available. For this reason, a computer forensics technician works best when partnered with a private investigator who has traditional, creative investigation expertise.

But why investigate first?

Your internal IT team may take steps to shut down a vulnerability in your network that the hacker has exploited. An investigator, on the flip-side, recognises that in some cases, it’s best to encourage a hacker to do something illegal if it can be safely documented. (Alternatively, penetration testing can save you from having to deal with a data breach in the first place. We suggest you take the time to read our article about whether or not penetration testing is right for your business.)  Your lawyer might draft a letter demanding that a defamatory Facebook account be taken down – but an investigator will realise that once the account is gone, the best chance of identifying the user goes with it. The police may consider a case closed when Google fails to comply with a request they make for information. Rather than worrying about court orders overseas, investigators understand that sometimes all you need is a little ingenuity.

Sometimes evidence needs to be gathered contemporaneously.

If a competent investigator recognises a client doesn’t have the evidence needed, he or she will ensure you have the best chance of gathering that evidence and achieving your objective. The investigator will be able to team you up with a good lawyer at the appropriate time, will ensure you are aware of what needs to be reported to police, and will report the final recommendations that should be taken into account by your IT team.

Rather than hindering your chances at the desired outcome, hire an investigator from the start.


Lachlan Jarvis is the MD of Lyonswood Investigations and Forensic Group. With over 32 years experience in the industry, Lyonswood is one of Australia’s most trusted private investigation firms, and has investigators located all around Australia and internationally.