Navigating today’s complex legal and regulatory framework surrounding data breaches can be a daunting process for even the most sophisticated organization. In the United States, there is not currently a national uniform data breach notification law. Instead, organizations experiencing a data breach face a patchwork of 47 different potentially applicable state laws to-date, in addition to industry-specific federal laws such as Gramm-Leach-Bliley.
Adding to the complexity, more data is being stored in the “cloud,” thereby allowing potentially sensitive information to move more seamlessly across country borders, and requiring organizations to be familiar and compliant with international laws and regulations.
Understanding the various and changing state, federal and international laws and regulations will be increasingly important for organizations moving forward. In addition to keeping pace with evolving state, federal and international laws, organizations will need to ensure that effective data breach and cybersecurity incident response plans are in place to address breach incidents — whether they are local or global in nature.
Federal and Foreign Standards — A Renewed Focus on Data Breach Regulation
With the recent rise of highly publicized breaches top of mind, several efforts have been made by congressional committees aimed at forging a comprehensive federal data breach notification law. Although lack of consensus on specific issues related to the preemption of state laws has halted this progress in the past, federal legislation is once again a top priority for lawmakers.[1] Legislators in several states are also considering expanding existing breach notification laws by being more prescriptive about what information must be included in a notice. This may include such information as the time of the breach and the type of data affected.
On an international level, stricter data breach notification requirements are already underway. The European Union implemented new data breach requirements last August, requiring telecommunication operators and Internet service providers to notify national data protection authorities within 24 hours of detection of a theft, loss or unauthorized access to customer data, including emails, calling data and IP addresses. The EU is now also considering expanding this requirement to all commercial sectors.
Data Breach Preparedness — Going Beyond the Regulatory Checklist
The number of data breaches is anticipated to continue to increase throughout the year, both within the U.S. and across the globe. Between January and March of 2014 alone, nearly 200 million data records were stolen, the equivalent of approximately 93,000 records stolen every hour. This is an increase of 233 percent over the same period of time last year.[2] These facts, together with the specter of more — and more stringent — laws and regulations present organizations with increasingly important and complex data breach response issues.
Unfortunately, most U.S.-based organizations do not appear to be sufficiently prepared to deal with an impending data breach incident. Even after experiencing a breach, a surprising 39 percent of companies surveyed last year indicated they still have not developed a formal data breach response plan.[3] And since 2001, the Federal Trade Commission has brought more than 50 cases alleging that organizations failed to protect consumers’ personal information. Generally, settlements with the FTC require companies to implement a comprehensive information security program and undergo evaluation every two years by a certified third-party.
Facing increased regulatory scrutiny, organizations are advised to work closely with legal counsel to ensure that they are prepared to comply with state, federal and international laws and regulations and otherwise are best positioned to mitigate the fallout of a breach incident — both financial and reputational.
1. Develop a Diverse Response Plan
According to research from the Ponemon Institute, having an up-to-date response plan can save a business nearly 25 percent per compromised record.[4] The average cost of a breach in the U.S. last year was $188 per record, with each breach reportedly exposing an average of 23,647 records. At that rate, a 25 percent reduction could save a company $1.1 million per breach.
Organizations are advised to have a diverse response plan in place that clearly outlines protocols and a response team for security incidents, with scenarios mapped out for both the U.S. and abroad. Just as data breach regulations evolve, so should a data breach response plan. It is important for an organization to regularly audit and adjust its preparedness plan in order to include new technologies and address changes in the legal, regulatory and security landscapes.
2. Engage Outside Legal Counsel
Many law firms have attorneys that are dedicated to assisting organizations in developing effective breach incident response plans, including a protocol for who to call within the organization. Additionally the protocol should identify which law firm “breach coach” to notify, in addition to other responders (which are preapproved by the organization, its outside counsel, and preferably by the organization’s insurance carrier) that will undertake critical crisis management functions, such as notification to persons whose personally identifiable information or protected health information may have been compromised, credit monitoring, call center services, forensics, and public relations efforts. Effective incident response and crisis management planning can greatly mitigate an organization’s financial and reputational fallout following a data breach incident.
In addition to formulating an effective breach response plan, the engagement of outside counsel first in the wake of a breach incident, before other breach responders, will preserve, to the extent possible, the attorney-client privilege and the work-product doctrine.
3. Communicate With Customers
Part of an effective response plan is ensuring quick, clear communication with potentially impacted individuals and providing guidance and next steps on how they can protect themselves. Open communication following a breach can help maintain trust and preserve brand reputation — arguably an organization’s most valuable asset.
It is also important to note cultural and language differences may impact a customer’s response to a data breach, and notification materials. When managing an international breach, it can be beneficial to seek counsel on how to mitigate any issues that may arise due to these different standards, and communicate effectively.
Regardless of the legislative environment, data breaches present a substantial business risk to organizations both in the U.S. and across country borders. Creating a diverse security incident response plan and proactively engaging with legal counsel, local authorities and forensics experts will enable companies to better handle an incident when it occurs.
Notes:
[1] Experian Data Breach Resolution Legislative White Paper, “Policymakers Renew Focus on Data Breach Laws,” 2014
[2] SafeNet, “Breach Level Index (BLI),” April 2014
[3] Data Breach Response Guide, April 2013 http://www.experian.com/data-breach/response-guide.html
[4] Ponemon Institute, “Cost of a Data Breach Study: Global Analysis,” 2013
