Reports that there has been yet another data breach or malicious hacking attack targeting the personal and financial information of thousands or even millions of consumers have become so common they barely constitute news. For most companies and yes, law firms, the question is not if a significant data breach or hacking attack is in their future, but instead when. Is your company or law firm ready?
In an informative article in Law Technology News entitled, What to do about high data breach costs, Judy Selby writes about the importance of being proactive to minimize the risk of a serious security breach in the first place, and to mitigate the damages if a breach should occur. Among her suggestions are an annual review by a data security and policy compliance consultant (If a recommendation is needed let me know), developing a comprehensive incident response plan, employee education and working with vendors to ensure they are complying with company data security policies and the law. This is the best practice and what we recommend to our clients; however, a recent study indicates that many companies are woefully unprepared or underprepared to respond to a significant data breach. See Is Your Company Ready for a Big Data Breach?
Assume for the sake of argument your company has not been proactive and does not have a comprehensive data breach response plan in place. Further suppose an employee [or perish the thought an attorney] leaves a laptop containing personal identifying (names, birth dates, social security numbers) and credit card information of thousands of company customers on an airplane. The computer cannot be located, and the presumption is the confidential data is in jeopardy. You are the General Counsel for the company. What now?
Upon learning of a potential breach, inside counsel in this situation should stop kicking themselves for not being proactive, take a deep breath—and then promptly make a call to retain outside counsel knowledgeable in responding to data breach emergencies. It is important the counsel (“breach counsel”) retained be able to drop everything and respond to the emergency promptly. Ideally the breach investigation will be conducted by breach counsel and subject to the attorney-client privilege. Under these circumstances, breach counsel should come into the engagement with an outline of an action plan ready to be implemented by the company, subject to adjustments based upon the actual reality on the ground. The first order of business is to close the leak and to secure any data that has not yet been compromised. Breach counsel will need to be able to “talk the talk” with IT personnel. An immediate investigation should be commenced to determine the cause and extent of the breach, the nature of the data compromised, and whether there are indications the data is likely to be used in a criminal or unauthorized manner in the short term. In many cases, computer forensics specialists should be retained to assess the damage. The complete investigation should be thoroughly documented in writing, noting the details of the breach including when it occurred, when it was discovered, etc.. Again, in our view this investigation should be conducted by breach counsel to maintain the privilege.
There are a myriad of complex legal issues that arise when a data breach has occurred. Besides the requirements of federal law if applicable, e.g., those pertaining to medical information under HIPPA and the HITECH Act, forty-six states have enacted their own data breach notification laws requiring consumer notification when there is a data breach involving personal information such as names coupled with social security numbers, birth dates, financial information, etc.. The terms of these laws vary, and are often inconsistent or even contradictory. See Interactive Map of State Data Breach Data Breach Notification Statutes, resources and related information. In many states, safeguards such as encryption and/or the partial redaction of the exposed data may limit state law statutory exposure and avoid notification requirements. Not so in other states. Since customer notification requirements vary significantly between states, most clients with a national customer base will need experienced legal assistance if they are to adequately assess and meet their compliance requirements. Failure to meet the state reporting requirements and deadlines can result not only in civil liability, but in some cases significant per record fines and assessments.
As one of the first orders of business. breach counsel is likely to advise the client to put together an emergency response team including key executive decision-makers, in-house counsel, IT/security managers, customer relations executives and potentially public relations personnel, among others. The point is to have all the key players and decisions makers involved and informed. Depending upon circumstances, law enforcement personnel may also need to be brought in, and regulators may need to be notified. All of this activity should be pursued with a sense of urgency, as many states require consumer notification in the most “expedient time possible without unreasonable delay.” See e.g., S.C. Code Ann. § 39-1-90 (“The disclosure must be made in the most expedient time possible without unreasonable delay….”).
If counsel determines that a significant data breach requiring reporting has occurred, he or she may also recommend the engagement of one of the major credit reporting services that has extensive experience in credit report monitoring in data breach situations. Offering customers credit monitoring services is expensive, but often eliminates or significantly mitigates significantly greater liability exposure going forward. See e.g., Hammond v. The Bank of New York Mellon Corp., No. 08-Civ-6060, 2010 WL 2643307, at *7 (S.D.N.Y. June 25, 2010) (claims stemming from accidental loss of back-up computer tapes containing personal information, no allegations of loss or actual damages—two years of credit monitoring service provided by bank precluded a claim for monitoring services). These companies also typically offer notification administrative, call center and related services.
In summary, there is much to do in responding to a data breach event. The response requires quick and decisive action under pressure– not the ideal time to be learning the rules of the road or setting up a response team. As in most things in life, the more thought given to a response plan in advance the fewer mistakes will be made when the storm hits. Don’t wait until a breach occurs—prepare today!
Bill Latham a/k/a the hytech lawyer ( email@example.com )