Cybersecurity incidents are no longer rare but ubiquitous in the business world. Most organizations today are familiar with cyber threat terms such as phishing, smishing, or ransomware, and most employees will know what it means to have multi-factor authentication or "MFA" implemented. These terms were once niche technical jargon, but are now boardroom-level topics. Despite this increasing awareness, many decision-makers remain unclear about one of the most crucial roles in a cyber crisis: the breach coach.
When the worst happens, this legal expert is a central figure in managing the response, preserving your organization's reputation, and limiting liability. So what exactly does a breach coach do, and why should every organization have one on speed dial?
What is a "breach coach"?
A breach coach (or incident response coach or breach counsel, as this role is sometimes referred to) is a key player in any cybersecurity incident response team, which is the group of internal and/or external individuals who aim to investigate and address the cyber incident. This professional, ideally a lawyer, serves as the external legal and strategic advisor who coordinates the organization's overall response to a breach. For example, breach counsel can give insight into future litigation risk or employment law issues, especially when dealing with internal bad actors assisting the adversary in the breach.
Think of the breach coach as the quarterback of the football team or the director of the symphony, who provides leadership and experience while coordinating the response and keeping the process legally sound. While internal IT or operations teams play critical roles, breach counsel brings essential legal and risk-management expertise to the table.
Why Legal Expertise Matters
Cyber incidents often raise complex legal questions:
- Does this breach trigger mandatory reporting obligations?
- What are the risks of civil litigation or regulatory investigation?
- How should internal investigations be handled when employee misconduct is suspected?
- Are there cross-border implications raising the need for local counsel?
Threats of legal action will be imminent as the incident unfolds, and breach counsel provides real-time legal advice on these issues, helping organizations avoid critical missteps. Their involvement creates solicitor-client privilege for sensitive communications, which could otherwise be subject to disclosure in potential litigation. In fact, many cyber insurance policies now require that breach counsel be retained early, sometimes even as a condition of coverage.
But in practice, what do breach coaches actually do?
- Bring calm to chaos: When a cyberattack occurs, it can be chaotic, causing fear and uncertainty. Competent breach counsel leading a good response team can establish a process and order, thereby facilitating informed decisions during a time when facts are uncertain.
- Guide the legal strategy: Breach counsel will determine the best strategy for the investigation and response to the incident, including preserving evidence as it arises.
- Engage trusted vendors: Assembling the right team is key, and breach counsel can do so while maintaining privilege and confidentiality over crucial information. This can be done by engaging other service providers to manage the incident and protect the organization, such as a forensic investigation provider, or sometimes PR/communication specialists, e-discovery teams, or credit monitoring and notification providers.
- Protect data: Breach counsel can advise and assist in strategies to prevent or mitigate data disclosure or publication in ransomware or other data extortion incidents.
- Manage regulatory disclosure: Receiving advice on when, if, and how to report to regulators, law enforcement, stakeholders, and the wider public will be paramount to navigating this volatile environment without inviting more legal scrutiny to the response.
- Manage cross-border incidents: Incidents that implicate different jurisdictions can be among the most complex and difficult to manage. Experienced breach counsel will be able to liaise with external, foreign legal advisors to manage the global response in the best way.
- Protect against future litigation: Breach counsel will often manage communications and liaise with regulators and other external parties, while always considering the wider legal issues and future litigation risk.
- Advise on contracts and customer obligations: Contract advising and managing customer concerns can be one of the most difficult aspects of a breach if a service provider handles information of many customers. Breach counsel will be experienced and equipped to facilitate a process to navigate through these types of issues.
- Liaise with insurers: Breach counsel will liaise with the insurer throughout the incident. Breaches must be managed carefully from a cost and risk perspective; breach counsel can ensure timely and accurate communication between the client and insurer.
Why should all organizations have a breach coach?
Cybersecurity incidents can have far-reaching impacts on a company:
- Disrupted operations, including requiring a complete shutdown for weeks.
- Reputational damage, including diminished brand value.
- Loss of customer trust.
- Exposure to regulatory fines and lawsuits.
Research has shown that data breaches and cyber incidents do not necessarily or automatically diminish brand value or erode the reputation of an organization; rather, what matters is the size or significance of the breach and the way that the organization responds to it.[1]
Breach counsel not only helps when an incident happens, but can also help prepare before the worst-case scenario arises.
Breach coaches can assist by:
- Drafting and testing incident response plans.
- Reviewing internal policies and cyber-readiness.
- Conducting tabletop exercises with leadership.
- Ensuring your insurance and vendor relationships are aligned with your risk profile.
What can organizations do?
In addition to maintaining right-sized physical and technical security measures, such as appropriate back-ups, physical security and access controls, multi-factor authentication and endpoint detection and response tools, to name the most prominent, organizations should consider the following:
- Obtain appropriate cyber insurance.
- If you already have counsel, determine your incident response team and breach counsel in advance, contact your insurer, and have your desired team approved in advance.
- Think about and prepare for cybersecurity issues in advance - consider internal policies, training, or cybersecurity practices to reduce future risk.
- Use tabletop exercises at the management and board levels to simulate various cyber incidents to establish how the organization would respond in practice, including your internal and external response teams.
In today's threat landscape, the question is not if your organization will face a cybersecurity incident - but when. Having breach counsel identified and involved early can make the difference between a managed response and a costly disaster. Speak with Miller Thomson's Technology team today about adding breach counsel to your incident response plan.
Footnote
1. Christos A Makridis, "Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018" (2021) 7:1 J Cybersecurity 1.
Originally published by T-Net.