
What Litigation Teaches Us About Security Operations

TR Jordan

These are the highlights from an episode of Tern Stories. You can watch the full conversation with Mike Jervis on YouTube, Spotify, Apple, or wherever you get your podcasts.

“If I could wipe out one technology? TCP/IP.”

That was Mike Jervis’ answer. He was half-joking. Sort of.

Mike’s a cybersecurity and privacy lawyer at Mullen Coughlin. He works with companies after the worst has happened—when ransomware locks down production, customer data is exfiltrated, and legal deadlines start ticking. His job is to figure out what broke, what the law demands, and how to respond.

This episode of Tern Stories is about the aftermath of a breach. What’s surprising isn’t just the chaos—it’s how much of the outcome hinges on infrastructure, habits, and technical decisions made months or years before the incident.

Here are three lessons from Mike about where technology really matters—because when things go wrong, it’s the system you’ve already built that determines how painful it gets.

1. Ransomware is a business. Structured, repeatable, and increasingly built around data theft.

Today’s ransomware groups operate less like hackers and more like vendors. They have negotiation playbooks, support desks, and internal tooling. And more often now, they skip encryption entirely—stealing data instead, then threatening to leak it.

This shift happened as companies got better at recovery. Backups made encryption less effective, so attackers adapted. Exfiltration creates new leverage: the pressure of exposure.

Surprisingly, reputation matters. Even though most companies never face the same group twice, word travels—among responders, law firms, and researchers. If a group breaks its promises (like posting data after payment), it stops getting paid. So many follow through—not out of goodwill, but to stay in business.

As Mike put it, “They operate like a buttoned-up organization.” Some even offer troubleshooting if your decryption key fails.

Understanding the structure doesn’t make it less risky—but it does make it more predictable.

2. What you do every day is what shows up in court.

When litigation follows a breach, the case isn’t built on your best day—it’s built on your normal ones.

Mike explained that in discovery, what matters isn’t just how the breach happened. It’s whether your team was patching regularly. Whether you ran phishing tests. Whether you knew where sensitive data lived. The mundane parts of security become exhibits.

Class actions used to be mostly reserved for large breaches—tens of thousands of people impacted. That’s changed. Plaintiffs’ firms now bring cases for incidents affecting as few as 500 or 1,000 people. Many of these cases settle early, but that doesn’t mean they’re low risk. If they reach discovery, every log, training record, and remediation plan is on the table.

What plaintiffs look for is a pattern. If you missed a zero-day, that’s one thing. But if you failed to patch known vulnerabilities or didn’t enforce retention policies, that story lands differently.

As Mike put it: “The best litigation prep is just trying hard.” Not perfection—just evidence that you were doing the work.

3. Security incidents follow trends—and attackers read the news too.

One of the most useful insights Mike shared is that threat actors move with the headlines. When a new vulnerability is disclosed—like the CrushFTP or SolarWinds exploits—attackers act fast. They scan for exposed systems, looking to exploit the lag between disclosure and patching.

These patterns aren’t subtle. They’re recurring. And they mean your biggest risks often come from being slow to react to known issues—not from unknown zero-days.

Mike also pointed out how much damage comes not from the breach itself, but from blind spots in your infrastructure. Teams miss where their sensitive data actually lives. They forget about legacy servers, unpatched appliances, or stray files with years of historical information.

His advice? Know where your data is. Stay current on known vulnerabilities. Prioritize what’s high-risk and widely targeted. Attackers aren’t hunting unicorns—they’re looking for the lowest-hanging fruit. And you don’t need perfect security. You just need to avoid being the easiest target.
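As an added example (not from the episode, from Mike, or from Tern), the following Python script turns that advice into a simple patch-prioritization pass. It joins an asset inventory against a feed of vulnerabilities known to be exploited in the wild (the shape of a feed like CISA's Known Exploited Vulnerabilities catalog, though nothing is fetched here), computes how many days each unpatched system has been exposed since disclosure, and weights that lag by internet exposure and by whether the system holds sensitive data. All asset names, product names, version numbers, identifiers (`EXAMPLE-…`, deliberately not real CVE numbers) and the weights are constructed for illustration.

```python
"""Rank unpatched systems by disclosure-to-patch lag and exposure.

Added example. The inventory, the "known exploited" feed and the weighting
factors are all constructed; the vulnerability identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_exposed: bool
    holds_sensitive_data: bool


@dataclass(frozen=True)
class ExploitedVuln:
    vuln_id: str          # constructed placeholder, not a real CVE identifier
    product: str
    fixed_version: str    # first version that contains the fix
    disclosed: date       # public disclosure date; the exposure clock starts here


def version_tuple(version: str) -> tuple:
    """'10.4.1' -> (10, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, vuln: ExploitedVuln) -> bool:
    """An asset is affected if it runs the product at a version below the fix."""
    if asset.product != vuln.product:
        return False
    return version_tuple(asset.version) < version_tuple(vuln.fixed_version)


def risk_score(asset: Asset, vuln: ExploitedVuln, today: date) -> int:
    """Days since disclosure, multiplied by assumed exposure weights.

    The weights (x4 for internet-facing, x2 for sensitive data) are an
    assumption of this example, not a standard; tune them to your environment.
    """
    lag_days = (today - vuln.disclosed).days
    weight = 1
    if asset.internet_exposed:
        weight *= 4
    if asset.holds_sensitive_data:
        weight *= 2
    return lag_days * weight


def prioritize(assets: list, feed: list, today: date) -> list:
    """Return one finding per (asset, vuln) pair, highest score first."""
    findings = []
    for asset in assets:
        for vuln in feed:
            if is_affected(asset, vuln):
                findings.append({
                    "asset": asset.name,
                    "vuln": vuln.vuln_id,
                    "lag_days": (today - vuln.disclosed).days,
                    "exposed": asset.internet_exposed,
                    "sensitive": asset.holds_sensitive_data,
                    "score": risk_score(asset, vuln, today),
                })
    findings.sort(key=lambda f: (-f["score"], f["asset"]))
    return findings


# Constructed sample data: a forgotten file-transfer appliance, a legacy VPN,
# an internal build box on the same old release, and one fully patched host.
TODAY = date(2025, 6, 1)
ASSETS = [
    Asset("ftp-edge-01", "acme-transfer", "10.4.1", True, True),
    Asset("legacy-vpn-02", "acme-vpn", "8.0.3", True, False),
    Asset("build-int-03", "acme-transfer", "10.4.1", False, False),
    Asset("web-edge-04", "acme-transfer", "11.0.0", True, True),
]
FEED = [
    ExploitedVuln("EXAMPLE-2025-0001", "acme-transfer", "10.5.0", date(2025, 4, 1)),
    ExploitedVuln("EXAMPLE-2025-0002", "acme-vpn", "8.1.0", date(2025, 5, 20)),
]

if __name__ == "__main__":
    for f in prioritize(ASSETS, FEED, TODAY):
        flags = ("exposed" if f["exposed"] else "internal",
                 "sensitive" if f["sensitive"] else "no-sensitive-data")
        print(f'{f["score"]:>5}  {f["asset"]:<14} {f["vuln"]}  '
              f'{f["lag_days"]} days unpatched  ({", ".join(flags)})')
```

Run against the constructed data, the internet-facing transfer appliance holding sensitive data (61 days past disclosure) lands at the top, the internal build box on the same release ranks above the newer VPN issue because it has been exposed longer, and the patched host produces no finding at all. The same output, kept over time, is also the kind of record that answers "were you patching regularly?" when it comes up in discovery.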

What stood out in this conversation with Mike is how much of a breach’s impact is shaped long before anything goes wrong. The tools you use, the systems you maintain, the decisions you make around patching, training, and retention—they all set the stage.

Preparation isn’t about predicting the exact threat. It’s about reducing uncertainty when one appears. Having answers. Knowing what’s in your infrastructure, and what’s at stake.

These aren’t reactive moves. They’re operational ones. And when a breach does happen—as it inevitably will—those choices determine whether the outcome is manageable or something much harder.

You can’t control everything. But you can control how ready you are.
