Introduction
Businesses today collect ever-increasing amounts of personal information about their customers, from account passwords and email addresses to highly sensitive medical and financial information. Well-funded, sophisticated hackers are always looking for ways to obtain such information or access and exploit a company’s most sensitive, confidential data. As a result, companies face greater risks than ever from lapses in data security. The Privacy Rights Clearinghouse reported 602 data security breaches in the United States in 2013 alone, comprising over 55 million individual records.[1] These breaches have many causes, including criminal hacking, intentional leaks by insiders, unintended public disclosures, lost laptops or flash drives, and general negligence. As a result, data breaches are difficult to predict and even more difficult to prevent.
A data breach can result in massive exposure for businesses. According to a recent study, the average cost of a data breach to a U.S. company was $188 per record compromised.[2] If thousands or even millions of customer records are affected, the damages may be substantial – this is repeatedly evidenced as more and more well-known companies experience data breaches. In 2007, for example, the TJX Companies projected costs of over $250 million due to a data breach involving the theft of some 45 million customer credit and debit card numbers.[3] Target Corporation is still incurring costs from the late-2013 criminal hacking of its point-of-sale systems and the accessing of sensitive information belonging to millions of customers, including debit and credit card data.
The costs from a breach of data security are varied. In addition to the immediate expenses for investigating and repairing the breach, companies should expect to incur costs to notify affected parties, manage public relations, and respond to government inquiries and investigations. A company may also face legal action on multiple fronts, from consumer or shareholder class actions to lawsuits from affected business partners to FTC or state attorney general enforcement actions. And, perhaps most significantly, there may be a serious long-term reputational impact on the business’s brand or customer relationships.
The likelihood of a data breach and the risks involved are so high that the possibility can no longer be ignored – companies must take the initiative to reduce the likelihood of a breach and to reduce the impact of a breach when the inevitable occurs. In addition, it is essential for affected businesses to retain counsel with expertise in rapidly evolving data privacy laws and the ability to effectively handle the onslaught of litigation in the aftermath of a data breach, including class actions and regulatory enforcement actions. Although there is no piece of comprehensive federal legislation dictating the nature of security practices companies must adopt, businesses should be aware of the numerous federal statements regarding data security, including Executive Orders,[4] White House policy directives,[5] FTC guidelines,[6] pending regulatory frameworks,[7] and proposed legislation[8] that could be argued to constitute a minimum standard of care. The imminent introduction of new data privacy directives in the European Union also means that companies doing business in Europe should consult counsel with international capabilities.
Below are suggested best practices for companies to follow to anticipate, prevent, and respond to a data breach.
Best Practices In Preparing For And Responding To A Data Breach
Before a Data Breach Occurs
- Anticipate – Catalog all confidential data owned or maintained by the company, and ensure that proper security procedures are in place for keeping it safe. Conduct ongoing risk assessments, invest in state-of-the-art security measures, and hire “ethical hackers” to test data security. It is important to understand that most companies are targeted for intrusion because of exploitable security weaknesses, not because of their high profiles or the value of their confidential information.[9] Testing the integrity of the system on a regular basis is a wise investment.
- Train – Inform employees and vendors of proper security procedures and periodically review and update data security policies.
- Organize – Create a response team to implement a plan of action when a breach occurs. The team should be multidisciplinary and composed of senior management, IT, legal, and public relations personnel. The plan should include procedures for promptly identifying and repairing the breach, investigating the cause of a breach, analyzing the implications of the breach, and notifying the necessary parties.
- Insure – Consider purchasing cyber insurance. Carefully consider the scope of coverage and exclusions under a data breach policy, including whether the policy covers costs related to lawsuits, regulatory investigations, internal investigations, notifications to affected consumers, public relations management, credit monitoring, and/or statutory penalties. A recent study showed that less than a third of companies surveyed had procured data breach insurance, but that companies were increasingly considering this option.[10]
After a Data Breach Occurs
In the aftermath of a data breach, a company may still be investigating the cause when notification is required by applicable state and federal statutes or when an attorney general investigation begins. As such, it is important for the organization to respond quickly and proactively by assembling its response team and implementing its plan as soon as it learns of the breach.
First, take the necessary steps to secure the system to prevent further data loss, isolate any malware, and repair the breach. The data breach response team should also investigate the cause of the breach, recommend and implement corrective action, and test the integrity of the restored or alternate system.
Next, work with counsel to analyze the legal and regulatory implications of the breach. This requires an understanding of what data has been compromised, whether the data was encrypted or otherwise made inaccessible, the risk that data will be used by third parties, who will be adversely affected, who should be notified and when (including whether notification may be delayed until the integrity of the system is restored), and whether insurance will cover costs related to the breach.
If necessary, work with outside counsel regarding potential obligations to contact law enforcement. While law enforcement or regulatory bodies may commence their own investigations, some state notification statutes require businesses to contact enforcement agencies or delay notification of consumers in the event of a breach.
Additionally, it will likely be necessary to notify the affected parties and implement a public relations plan to mitigate reputational harm. Because a company will likely be required by statute to notify customers or business partners affected by a data breach, an effective public relations plan should include model notice templates and scripts for relaying information about the incident and mitigation steps to the public in a consistent and timely manner. Companies may also consider notifying the public even if they are not legally required to do so in order to avoid subsequent negative publicity. Weil has relationships with vendors and extensive expertise that can help your company anticipate potential issues and formulate best practices for notifying individuals and the public.
Anticipate and prepare for inevitable litigation. A company adversely affected by a data breach may consider filing suit against those responsible for the breach; likewise, customers or business partners affected by the breach may decide to pursue civil remedies against the company or its executives. Securities and consumer class actions are likely, although this area of the law remains unsettled. The constitutional requirement of standing is just one example of the uncertainty in this area: some courts have found that consumers lack standing to sue unless they can show a concrete injury resulting from a data breach, while others have allowed consumer class action suits to go forward after a data breach, even where no customer data was actually misused. In addition, state attorneys general may institute claims against companies even where individual and class actions might fail due to lack of standing to sue or failure to identify cognizable harms.
The aftermath of the breach may also include regulatory action. State and federal authorities may launch their own investigations into the causes of the breach, not only to prosecute criminals who may have caused the breach but also for consumer protection.
Such investigations could include monetary penalties and required periodic audits lasting decades. The FTC in particular has used its authority under the FTC Act in recent years to assert that a company’s failure to take adequate steps to protect consumer information constitutes an unfair trade practice under the Act. For example, after a security breach in 2005 involving 40 million credit card numbers, the FTC prosecuted CardSystems Solutions, Inc. and required it to adopt stricter security measures and conduct an independent audit every other year for the next 20 years. Companies subject to investigations need counsel to work with federal agencies, like the FTC, as well as state agencies in the immediate aftermath of a breach to facilitate investigations and limit potential penalties.
Whether a company will be bringing an action against data thieves or defending against consumer class actions, suits by business partners, or regulatory investigations, it is vital to diligently prepare for litigation and to choose counsel well versed in data privacy issues.
Data Breach Notification Laws
When a data breach occurs, the law may require notification of affected parties or government agencies. Navigating the tangled web of notification statutes is a particular area of concern for companies recovering from a data breach. An assortment of state and federal notification laws may apply in any data breach situation; the following is a brief summary of the federal and state law trends in this area.
Federal Law
Despite pushes for a uniform body of federal laws governing cybersecurity threats and data breaches, there is currently no law providing a uniform set of rules governing data breach notification. Depending on the type of organization and the type of data involved, however, specialized federal laws may apply.
For example, the Gramm-Leach-Bliley Act requires financial institutions to notify customers of a breach, while SEC regulations and the Sarbanes-Oxley Act have been interpreted as imposing certain reporting obligations on publicly traded companies in the wake of a data breach. Other pertinent federal laws relating to cybersecurity may include the FTC Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, and the Children’s Online Privacy Protection Act. Companies and counsel must be aware of their potential obligations under these and other federal laws.
State Law
To date, 47 states have enacted legislation requiring some form of notification following a data breach. Most are patterned after California’s notification statute and thus share many of the same requirements. Generally, the statutes require companies or state agencies to notify state residents in a timely fashion when the company or agency becomes aware of a loss of unencrypted data containing a state resident’s personal information. They also provide an exemption from compliance with the statute where a company maintains its own breach notification policy and the policy is consistent with the requirements of the statute. Some states also call for notification of the state attorney general or consumer reporting agencies, depending on the extent of the breach. If a company fails to comply with the breach notification statute, it may be subject to civil penalties enforced by the attorney general; a minority of state statutes also provide for a private cause of action.
Despite these similarities, variations exist. Some states require consumer notification whenever a breach occurs, while others only require notification if an assessment determines that misuse of the information is likely. Some states permit companies to delay notification pending an investigation to assess the breach and restore the integrity of the data, while others require notification within a certain time period. Even states permitting companies to delay notification for the purposes of investigation have different timing requirements governing when a company must notify consumers after it concludes its investigation. While many states require notice to be provided “without unreasonable delay,” other states are much stricter, with some states requiring notice to consumers within 45 days of a breach or requiring notification of the appropriate government agency within 10 days. In responding to a data breach situation, special care and expertise are required to analyze and comply with the patchwork of state laws in this area.
In the next month, Weil will publish a comprehensive analysis of each state’s data breach statutes and reporting requirements. To request a copy, please email [email protected] with “Data Breach Survey Request” in the subject line.
This article was originally published as a Weil Class Action Monitor client alert.
[1] Chronology of Data Breaches, Privacy Rights Clearinghouse (accessed Mar. 3, 2014), https://www.privacyrights.org/data-breach/new.
[2] See Ponemon Institute, LLC, 2013 Cost of Data Breach Study: Global Analysis.
[3] See Ross Kerber, "Cost of Data Breach at TJX Soars to $256m," Boston Globe, Aug. 15, 2007, http://www.boston.com/business/articles/2007/08/15/cost_of_data_breach_a...
[4] See Exec. Order No. 13636, 78 Fed. Reg. 11,737 (2013).
[5] See White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012), available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf; White House, Presidential Policy Directive – Critical Infrastructure Security and Resilience (February 12, 2013), available at http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-polic....
[6] See generally FTC, Data Security, http://business.ftc.gov/privacy-and-security/data-security; see also FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-c...
[7] See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214. pdf
[8] See Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014); Data Security Act of 2014, S. 1927, 113th Cong. (2014).
[9] See Verizon, 2012 Data Breach Investigations Report at 3.
[10] See Ponemon Institute LLC, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, August 2013.
Published April 23, 2014.
