One of the first questions companies ask us when we are hired to help them respond to a new security incident is how fast they have to notify if the investigation shows that a “breach” occurred. Except for a couple of states that require notification to occur no later than 45 days after discovery, there is not a bright-line, objective answer. Most state breach notification laws require notification to occur as soon as reasonably possible and without undue delay subject to some qualifications. For example, California’s law requires that: “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Aside from one state attorney general who uses notification within 30 days as a guidepost, there is relatively little precedent to guide companies in determining how fast they have to mail notification letters to comply with applicable laws. A recent enforcement action against a company that learned that one of its computers had been sold at a thrift shop provides an example of what may not constitute “expedient” notification.
In January 2014, a California company agreed to pay $150,000, notify employees as information becomes available (instead of at the conclusion of an investigation), conduct additional employee training on safeguarding sensitive information, and review and improve its policies regarding protecting sensitive information to resolve an enforcement action brought by the California Attorney General. The lawsuit alleged that the company learned of the sale of a hard drive at a thrift store on September 24, 2011 and was able to begin forensic analysis after it obtained the drive on December 21, 2011. The preliminary forensic analysis was alleged to have been completed in a week (showing that the drive contained personal information of employees) with the full forensic analysis continuing into February 2012. The complaint further alleges that the company mailed notification letters in mid-March 2012 to approximately 20,000 current and former employees informing them that the drive contained their personal information.
As part of the contention that the time between obtaining the drive in December 2011 and notification of California residents in March 2012 constituted a violation of California’s law, the complaint specifically alleged that the company “could have notified individuals it had identified as affected by the breach as early as December 2011, but did not commence notice until, on, or about March 2012.” Essentially, the complaint alleged that it is a violation of California law to wait until the investigation was complete to notify all affected individuals instead of notifying segments of individuals on a staggered basis as they were identified over the course of an investigation.
Initially, it sounds reasonable to suggest that companies should provide staggered notification. In some circumstances it may be appropriate, such as when a company believes the information of a segment of affected individuals is actively being misused. But a staggered notification can also create problems. Examples of such problems include: (1) multiple notifications over time can create a perception that the company mishandled the investigation or that there was a “second breach”; (2) if a segment is notified initially that only their name and SSN were affected but the investigation later shows that their credit card information was also affected, the company may need to send a second letter; and (3) uncertainty in the initial notification as to who will be notified creates apprehension among the group of potentially affected individuals.
Affected individuals often want the notification to occur “immediately.” But the work necessary to determine what occurred, who is affected, and then to complete the logistics necessary for a large mailing (which can require multiple vendors) can be very difficult to complete within 30-45 days. If a forensic investigation is required to determine if a “breach” occurred, it can take weeks for the investigation to produce preliminary findings. It often takes at least a week just for the forensic firm to be engaged, arrive on site, acquire forensic images, and then take the images back to their lab to start the investigation. After findings show a “breach” may have occurred, it can often take several additional weeks to determine the scope of the attack (when it started, when it was contained, and what “personal information” could have been accessed during that time frame).
We often advise companies faced with a potential “breach” to conduct their response in parallel tracks—while one group is investigating to determine if there was unauthorized access or acquisition of “personal information,” a second group begins preparing to mail notification letters in the event the investigation shows a “breach” might have occurred. In the hundreds of incidents we have helped clients manage, we have found that there are four important questions companies should be ready to answer before sending out notification letters (because these are questions the letter recipients will ask): (1) what happened; (2) how did it happen; (3) what are you doing to protect affected individuals; and (4) what are you doing to stop this from happening in the future? A quick notification sounds good, but an accurate notification is critical.