This post originally appeared in the June edition of Cyber Law & Strategy.
Somewhere today at least one data security breach is likely to happen. It might not have been publicized and may not have involved millions of records, but there is no doubt it will happen. That is because cybercrime remains one of the most common crimes in the world, and noncriminal exposures are fairly common as well.
According to Verizon's 2018 Data Breach Investigations Report, there were 2216 confirmed data breaches in 2017—that's more than six per day. Whether it is a 24/7 bots testing cyber defenses, employees falling for phishing schemes, misuse by service providers or business partners or traditional employee or competitive theft, the question for most companies is not "if" a breach will happen but "when"—or when will it happen again?
CIOs and GCs lose a lot of sleep worrying about thefts of the family jewels—customer and other confidential information. Other C-Suite execs might lose some sleep too, since a breach can have an adverse impact on a company's goodwill or stock price. Yahoo lost $350 million in value after the disclosure of two major breaches, and Altaba (formerly known as Yahoo) recently agreed to pay a $35 million fine to settle an SEC claim that Yahoo unreasonably delayed in disclosing a security breach.
It also takes a lot of time and resources to effectively separate the wheat (an actual security breach) from the proverbial chaff (a security incident or vulnerability that did not result in unauthorized access, or disclosure of protected information). But the confusing and conflicting world of contractual requirements and personal data security breach notification laws can add insult and expense to injury, and sometimes adds injury itself. Tough and sometimes expensive choices need to be made quickly—and a company can get skewered in the media or court of public or customer opinion if they get it wrong.
Because of what is at stake, it is more important than ever for companies to: 1) have robust programs designed to identify risks, quickly respond to and investigate potential security incidents, and make technical and legal determinations regarding official and public responses; 2) have an incident response program mapping the appropriate actions to take; 3) have service providers vetted in advance available when needed; 4) train virtually the entire organization on their respective roles and; oh yeah 5) get someone within the organization to provide management and financial support for all of this.
And even all of that may not be enough. As we have learned from the recent Delta, Sears and Facebook incidents (and the Target breach, among others, before that), just having your own house in order may not be enough. In today's technological and employment environment, where companies outsource services and contract with business partners to manage and/or commercialize personal data—it is often those trusted third parties that can be the source of the breach.
The Notification Landscape
Once your enterprise experiences a security incident involving the unauthorized access, acquisition, use or disclosure of personal information, a key legal inquiry is whether any notifications are required. Whether notifications should be provided as a best practice is beyond the scope of this article, but is a genuine consideration if a company believes that customers could be subjected to identity theft from a security incident regardless of legal obligations.
Historically, companies handling information have had a variety of federal and state laws to deal with in navigating security breaches. On the federal front, HIPAA (Health Insurance Portability and Accountability Act) and GLB (Gramm Leach Bliley Act) are the acronyms of interest. For entities in the health care industry, which constitutes 24% of 2017 data breaches according to Verizon, and group health plans, a breach notification is required to be sent to patients (as well as the Department of Health and Human Services if more than 500 individuals are affected and the media if more than 500 individuals in one state or jurisdiction are affected) under HIPAA when unsecured protected health information is used or disclosed in an unauthorized fashion. There are exceptions to notifications if the disclosure was inadvertent or unintentional and did not go outside of the organization or service providers who would be expected to handle the matter responsibly. Also, if an entity conducts a risk assessment and can demonstrate that there is a low probability that the protected health information has been compromised, that is another reason to get off the notification track
Under the GLB statute, several agencies enacted guidance to the effect that if a financial organization becomes aware of an incident of unauthorized access to sensitive customer information, the organization should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the organization determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.
Forty-eight states (all but Alabama and South Dakota), the District of Columbia, Puerto Rico and the US Virgin Islands) have their own database security breach laws. While there are many similarities between them, material differences between these statutes include, among other things: the definition of personal information covered by the statute; the definition of a breach; exceptions for providing notice because of the lack of materiality or risk of harm associated with the breach; whether and to the extent encrypted data is exempted from a breach; timing requirements for providing notice to individuals; the contents of a notice; the circumstances under which notice is to be provided to regulators, the media, credit reporting agencies or law enforcement; and whether or not there is an individual right of action associated with a breach of the statute.
All of the differences in language can create confusion and the unnecessary expenditure of time and resources figuring out a company's responsibilities, battles between companies and their service providers about whether a notification should be sent, who sends notifications, the content of the notification and when the notifications should be sent. For example, an important consideration is that the differences between the statutes could mean that affected individuals in one state are entitled to notice, while affected individuals in another state are not. That does not seem to be a fair result, and the rational best practice is that if notice is required to be sent to individuals in some states it makes sense to send the notifications to everyone, either to be fair, avoid a disparate treatment claim or both. This is one of many reasons why contracting is very important to defining responsibilities and control in the event of a breach.
Similarly, the content of any communication sent is critical. You must consider that the notifications are not merely legal communications in nature—since they are sent to your customers or employees, are strategic communications. The public perception derived from notifications can impact a company's employee or consumer goodwill and even stock price. Therefore, maintaining control over the content of a notification must be considered part of the entire crisis communications and response plan. If you utilize a credit monitoring provider the communications sent to affected individuals are equally important because the forms used by many of the providers read as marketing pieces, and some recipients believe that the credit monitoring companies, who may require personal information to register for their services are also engaging in identity theft.
GDPR Changes the Game
While the U.S. has been a leader in developing breach notification laws, the European Union empire is about to strike back. The most recent development in the ever-changing landscape of security breach law comes from the EU and its General Data Protection Regulation (GDPR), which went into effect on May 25. The GDPR provides that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the appropriate supervisory authority, unless the breach is unlikely to result in a risk to the individuals. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
What does GDPR mean for data security breach responses? In order to understand, we need to quickly define a few terms. First, is "personal data," which under GDPR is a lot different than how the U.S. looks at personal data for security breaches. The most telling difference is that in the U.S., email address or online identifier, without more, is not personal data. Under the GDPR, it is. The "controller" is the entity that determines how personal data is collected and/or used. A "supervisory authority" is a European regulator.
Even though it can often take weeks or months to actually figure out the nature and extent of a data security breach—or even if you have had one—within 72 hours of learning about a breach, a multi-national company will need to notify a local European data protection authority or have a good reason not to do so.
Such a deadline creates a potentially unreasonable sense of urgency. While a company should not reasonably be expected to have all the details within 72 hours, the GDPR requirement will put a great deal of strain on service providers to notify their business customers very quickly, and could even divert resources from actually solving the breach to provide the report—hopefully that won't be what happens. But, with potential fines under GDPR ranging up to 4% of a company's annual turnover, we can anticipate erring on the side of greater disclosure.
While the data security breach process is difficult to navigate, being Chicken Little won't help anything, neither will sweeping responsibility under the carpet. What will help is to create an environment where data security is respected, technology is employed, staff is trained, responsibilities are allocated and your team of internal (and, if necessary external) subject matter experts and decision makers are ready to act to determine the actions and communications that are necessary— because — to quote the famous data security expert Yoda: "There is no if."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.