Lessons Learned from the Trenches: A Roadmap for Successfully Navigating a Large-Scale Data Breach
by Heather Egan Sussman and Sabrina E. Dunlap
Data breaches dominate world news, with retailers reporting incidents affecting millions of customers. Representing a company facing a massive breach is not for the inexperienced or faint of heart. While each incident brings a new set of facts and challenges, this roadmap can help guide any business to successfully navigate a large-scale breach in a way that meets legal requirements and mitigates the risk of harm.
Prepare in advance by developing an effective incident response plan.
When the report of a breach first comes in, time is of the essence. Some breach notification laws have surprisingly short reporting deadlines. E.g., Conn. Ins. Dept. Bulletin IC-25 (August 18, 2010) (notice within five days); 9 V.S.A. § 2435(3)(B)(i) (2012) (notice within 14 days); M.G.L. c. 93H § 3(b) (2007) (notice “as soon as practicable and without unreasonable delay”). Companies can contract with business partners for even shorter notice periods. By preparing and testing an effective response plan in advance, companies can best position themselves to respond quickly when faced with a breach and to meet required reporting deadlines, including those under applicable insurance policies.
Evaluate notification obligations as early as possible.
Once the response team is in place, it is critical to determine the type of information involved and any notification obligations. Forty-six states and the District of Columbia have breach notification laws and an increasing number of countries around the world are following suit. Such laws require a company to notify affected residents – and, in some cases, particular regulators – in the event a resident’s “personal information” has been compromised. In the U.S., these laws typically define “personal information” to include a natural person’s name plus some other data element that can be used to commit identity theft or financial harm (the elements vary by state). Elsewhere, the definition of “personal information” can be much broader.
Breach notification laws also often dictate notice content, such as a description of what occurred and the type of personal information involved. Massachusetts is the only U.S. state to expressly prohibit including details of the breach in the consumer notice letter. See M.G.L. c. 93H § 3(b).
Conduct the investigation under privilege.
Upon receiving the initial report of a suspected breach, the company must investigate and remediate the incident. Companies should conduct the investigation under privilege to protect the process and its findings. Companies also should consider retaining outside counsel experienced in managing the moving parts of a complex breach scenario, while protecting the company in any resulting litigation or government enforcement action.
Cooperate with law enforcement, but require subpoenas for information.
In some cases, the company will learn of an incident from law enforcement (such as the FBI). There are benefits to working cooperatively with these agencies, including receiving government assistance and law enforcement back-up. Before turning over information to law enforcement, however, companies should insist on a subpoena. This can shield against claims that the company further breached the privacy of affected individuals by turning over information without authorization. Keep in mind, however, that informal discussions between the company’s forensics teams and law enforcement can circumvent established protocols and waive privilege protections.
Control the information flow.
Upon receiving a report of an incident, the company must mobilize the incident response team and get to the root of the problem before sharing information with outsiders. Because the facts are still unfolding at that stage, releasing information too early can result in confusion and reputational harm and can compromise litigation strategy.
As a result, it is important to control information flow from the outset by coordinating all communications through one lead person responsible for tracking incoming requests and outgoing responses. That lead should work with legal counsel to protect confidentiality and privilege.
In some cases, it may be preferable to get in front of a story so the business can shape the narrative. Depending on the jurisdiction involved, it may be best to notify regulators before addressing the media. Most companies will need to rely on internal communications teams to manage this strategy. Public relations firms usually are reserved for the largest incidents expected to receive substantial scrutiny.
Spend wisely on digital forensic firms.
Not every incident requires hiring a digital forensic firm. These firms are most appropriate in specific cases, such as when the incident presents a high litigation risk, when the incident has an unknown cause or effect, or when the incident involves the company’s network and the IT department is not able or appropriate to respond.
Forensic firms also can help to determine at a granular level what systems were accessed during the incident and thus help define the scope of the breach. (For example, the forensic investigator might establish that the hacker infiltrated the network perimeter, but not the database containing sensitive information.) They also know how to remediate incidents and secure the network perimeter against further intrusion. This can be critical in cybersecurity incidents where hackers create “back doors” through which they can later return to steal more data.
Payment card breaches present special issues.
Where the breach involves payment card information, merchants also must address reporting requirements under the Payment Card Industry (PCI) rules. When an incident occurs, the merchant generally is required to notify the card brands, who notify the issuing banks, who notify affected consumers. PCI rules also may require that the business hire a “preferred forensic investigator” (PFI) to determine whether the merchant violated the Payment Card Industry Data Security Standards and related rules. Because the PFI’s findings can lead to substantial fines, a merchant should consider retaining under privilege an independent forensics firm to monitor the PFI’s investigation and preserve the merchant’s ability to challenge the PFI’s findings and resulting fines.
Balance speed with precision.
Not every breach will involve a tidy, sortable spreadsheet containing the names and mailing addresses of affected individuals. When it is not possible to determine quickly who is affected and where they live, a company must balance the need to promptly notify against the concern for avoiding customer confusion and resulting harm. Companies caught in this Catch-22 should consider invoking the “substitute notification” option available under some breach notification laws, which permits a company in certain circumstances to post notice of the incident on a website or other permitted location in lieu of sending individual notices. This option carries risks, however, including unnecessarily alarming customers not affected by the breach. It may be most appropriate when paired with some other limiting data point, for example, that the incident affects shoppers at a particular store during a particular period of time, rather than all customers everywhere at any time.
If law enforcement instructs the company to delay notifications pending the investigation, memorialize the directive to defend against any claims of needless reporting delay.
Engage regulators proactively, but stand firm where legal merits warrant.
After receiving notice of a breach, regulators likely will contact the company to request more information. In the U.S., state Attorneys General Offices (AGO) often will work together in one consolidated review of the breach. The multi-state process has clear benefits to the AGOs because it streamlines costs and can achieve efficiencies. Companies are wise to consider how best to capitalize on the efficiencies of this process, while still advancing legal arguments and defenses available in each state. Companies should not hesitate to stand firm, however, when authorities take unsupported or unreasonable settlement positions.
Conduct a post-incident review.
There are many lessons to be learned through effective post-incident review. Following any incident, a company should perform a careful root cause analysis and assess what changes should be made in light of the experience. Public companies also must consider whether the incident triggers further disclosure requirements.
Watch the evolving regulatory landscape.
On February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for businesses, like the approach taken in Massachusetts. See 201 C.M.R. 17.00, et seq. (2007).
Similar past proposals from federal legislators have not gained traction, but with the recent spate of highly publicized breaches, a proposal may soon become law. Familiarity with the regulatory landscape is vital when advising clients responding to complex data security breaches.
Heather Egan Sussman is a partner at McDermott Will & Emery LLP. Heather co-chairs the Global Privacy & Data Protection Affinity Group and is a recognized leader in her field.
Sabrina E. Dunlap is an associate in the law firm of McDermott Will & Emery LLP, focusing on privacy and data security and employment law. Sabrina is a Certified Information Privacy Professional (CIPP) and an active member of the International Association of Privacy Professionals.