When a company discovers that sensitive data has been lost or stolen, two of the toughest decisions that it faces immediately are whether and when to let the public—including regulators and customers who might have been affected—know about the loss.
Going public about a data breach poses significant compliance and legal risks for companies. Report a data breach before all the facts are known and you risk the possibility of disseminating false or incomplete information, but report too late and the reputational and regulatory repercussions could be worse.
During a recent forum at the Massachusetts Institute of Technology’s annual CFO Summit, company executives and former and current regulators discussed the conflicts that inevitably arise when companies must decide whether to disclose a data breach to regulators and the public. The overwhelming theme among those on the panel: The most effective plans of action materialize long before a breach ever occurs.
“Data privacy and data security are all about effective crisis management,” Gerard Leone, a partner with law firm Nixon Peabody, said. “When things go bad, either through an incident or a breach as it relates to data and sensitive information, you have a crisis on your hands.”
Before any need to notify the public or regulators of a data breach arises, the first line of defense is to have a crisis management response plan in place, Leone said, and that plan ought to specify whom to notify following a potential data breach.
Carmen Ortiz, U.S. attorney for the District of Massachusetts, reiterated that point. “Being prepared up front will make the situation a bit easier to deal with,” she said.
Not having an incident response plan in place can turn a company on its head when a breach does occur. Cynthia Izzo, a principal in the IT advisory practice at KPMG, cited an example of a company that found itself in this exact situation, resulting in a panicked late-night phone call.
“They didn’t know to whom they had to report, and it was a pretty significant breach,” Izzo said. “They thought they were cyber-security ready.” Because they did not have an incident response plan in place, however, it took several hours before the company, with KPMG’s assistance, finally was able to figure out who to notify.
Better Know the Breach Laws
The decision of whether to report a data breach to regulators is “very fact-dependent and depends on the company and the nature of the incident,” Leone said. Aside from certain regulatory and legal disclosure obligations to government regulators that are triggered following a breach, he said, companies must also take into careful consideration the obligations they have to directors, shareholders, customers, and various other stakeholders—not to mention non-obligatory considerations, including reputational risk.
You can be discreet about responding to a data breach within the four walls of your organization, but at some point transparency is going to have to kick in, Leone added.
Before a company can decide whether and when to disclose a data breach, it must first navigate its way through a patchwork of various—and often conflicting—federal and state data breach notification laws. In April, Kentucky became the 47th state to pass a data breach notification law; the District of Columbia, Puerto Rico, and the U.S. Virgin Islands also have such laws. The only states that do not currently have data breach notification laws are Alabama, New Mexico, and South Dakota.
Under many state laws, companies are not required to notify consumers of a data breach if, after a “reasonable” investigation—and in some cases in consultation with federal, state, and local law enforcement agencies—it’s been determined that the breach likely has not resulted, or will not result, in harm to individuals whose personal information has been compromised. Examples of states that include such a provision in their laws include Alaska, Connecticut, Delaware, Maryland, Michigan, Oregon, and many others.
Several states, however, do require notification of a data breach to the state attorney general. California, for example, which has one of the most stringent data breach notification laws, requires notice to the state attorney general if a single breach affects more than 500 California residents.
Then the question becomes when to report a breach. When a breach results in the compromise of personal information, most states generally require notification “without unreasonable delay.” Some states call for the delay of notification, however, if it would impede a criminal investigation.
DATA BREACH RESPONSE PLAN
The following remarks from Gerard Leone, a partner with law firm Nixon Peabody, describe what measures a company should have in place both before and after a data breach occurs.
On the front-end, before a breach even occurs, Leone said, companies should ensure they have five Ps in place:
“If those things aren’t in place, you’re going to be in trouble when the incident or breach hits,” Leone said.
On the back-end, when a breach does occur, a company additionally wants to make sure it has in place the four Cs:
Source: Jaclyn Jaeger.
Other state and federal laws provide a firm deadline. California, for example, requires notification within five days of discovering the breach. Vermont requires notification to the public within 45 days. The HITECH Act, a federal breach notification law, requires notification within 60 days.
Know Your Regulators Too
Companies that suffer a data breach inevitably will have to interact with several different state and federal regulators at once, and so a company would do itself a favor by developing relationships with regulators beforehand, panel members agreed. “Establish a relationship with the government, so you don’t feel so alienated,” Ortiz advised the audience.
If notifying regulators of a data breach is not clearly required, however, many companies understandably reason: “‘Why should I feel comfortable about coming to law enforcement with my problems? I just want to deal with them internally and try to get rid of them,’” Leone said.
To Leone’s point, Ortiz responded that law enforcement can assist a company following a data breach in ways that the company cannot assist itself. “Getting search warrants, arrest warrants, getting property back, I think we bring something very unique to the table,” she said.
Ortiz added that prosecutors are always “very sensitive” to the personal and proprietary information companies need to protect. “It’s always a balance we’re trying to strike between privacy, as well as the public safety aspect of it,” she said.
Aside from regulators, developing and maintaining relationships with the media is also important, Leone said. You don’t want the first time that you’ve ever talked about what a “holding statement” is to come up in the event of a data breach, he said. A holding statement is a statement that the company has prepared following an incident. It’s essentially meant to satisfy immediate media inquiries, while giving the company time to investigate the incident and its cause.
Consider rehearsing the holding statement in a practice exercise, Leone advised. How do you plan to respond when the media inquires about the data breach?
The bottom line is that if a company has in place an effective crisis management plan, knows who to contact in the event of a breach, and has established ongoing relationships with regulatory bodies long before a breach has occurred, those measures can go a long way toward alleviating the pain of a data breach.