Turning Lemons Into Lemonade, Breach Response-Style
There’s nothing worse than a data breach of your firm’s intellectual property (IP). Unless, of course, it’s a breach of your client’s IP. It’s a bad situation, and one which we’ve seen many times over the years as we’ve been engaged to help companies deal with the forensic fallout of major breach events.
In many of these situations, the way the incident is handled can make the difference between an organization shutting its doors due to litigation costs or continuing to build the business. Rarely, though, is an incident ever going to be handled well enough to actually keep the client whose IP was stolen. Such a traumatic event will typically cause that client to take its ball and go home.
But that’s not always the case.
Recently, our forensics team at Rook was brought in for a case that looked pretty bad for our client, a tech firm worth about $150 million. The company was worried it could be decimated by a lawsuit, not to mention face irreversible damage to its reputation. A big vendor in the pharmaceutical industry, the client had subcontracted some work out to a less-than-secure third-party that had disclosed sensitive data from a huge pharma customer. Rook was brought in to handle the forensics to find out how much data was disclosed, close the vulnerability that had led to the disclosure, and ensure no further data was breached.
Oftentimes in these types of cases, the instinct is to close the clamshell and communicate the bare minimum until more is known about the breach. The idea is not to give the other party’s lawyers more fodder for the lawsuit down the line.
However, a steady line of communication can actually foster a huge sense of goodwill and can potentially salvage a relationship. This is exactly what happened for our tech client. Our incident handlers helped the firm set expectations from the outset about how long and laborious the incident response process would be. Rook then helped the company develop a full disclosure process that was meant to re-instill trust after such a catastrophic event. Over the course of three months, Rook and the technology company offered daily updates on exactly what was being done to analyze the breach. The pharmaceutical company knew exactly what had been done, what was coming up, what questions had been answered, and which questions still needed to be answered.
By the time we wrapped up the engagement, not only did our client avoid a lawsuit, it managed to keep its customer. The pharmaceutical company’s executive team sent an email to the client’s executives thanking them for how thorough they were. These customers explained that despite such an unfortunate situation, they looked forward to continuing their partnership with the tech firm because they were inspired by how seriously the tech firm took security throughout that incident response.
It’s a good lesson for organizations that have recently been stung by a breach — while the instinct may be to find the cheapest and quickest way to handle the incident, a more thorough and transparent approach may be best for the business.