Your client has experienced a data breach of customer records, including names, addresses, phone numbers and saved credit/debit card information. The best estimate you have been given -- which for this assignment you are to assume is correct -- suggest that approximately 120,000 records were transmitted out of the company. The security vendor engaged after the breach says that they can d attribution of "who did it" - perhaps to a specific hacking group. They also suggested they may be able to find the stolen data and destroy it. Management also wants to know who did it because in their estimation, if they can destroy the data, they can act as if the breach never happened.

You (as either a lawyer or a risk manager -- state in your response which role you're taking on) have been asked to advise the CEO. You have also been told that the cyber-insurance carrier says that they don't care who did it beyond knowing it wasn't an "inside job." The security vendor has provided an estimate of US$ 50,000 to US$ 100,000 to carry out both the attribution and remote data destruction.

In your major post, review the pros and cons of management's desire to strike back and destroy the stolen data. What would you advise management to do (or not do)?