When you discover that a hacker has penetrated your system, the scramble is on to respond properly. And nobody is going to be the first to suggest, “Let’s tell all our customers what just happened!” But as tempting as it is to bury a breach deeper than a political scandal, that move has a couple of drawbacks:
1. Any good public relations consultant will tell you that the best way to manage bad news is to get out ahead of it and drive the narrative.
2. Burying news of the breach is probably illegal.
But even when you genuinely want to follow your legal obligations for reporting breaches, the law doesn’t make it easy. All 50 states have their own codes in this area. You can look up your state’s notification laws on a site like this one. After you’ve waded through all the statutes, however, the way forward will almost certainly remain murky.
Matthew McKinney, an attorney with BrownWinick in Des Moines, Iowa, says, “What’s commonly misunderstood about breach notification? Almost everything. It’s still the Wild West. There’s no universal standard. The biggest thing is the uncertainty and the lack of uniformity.”
In many states, lawmakers and industry associations are working to pass codes built on frameworks that offer uniform standards across state lines. In Iowa, for example, McKinney is working with the Iowa Insurance Division on a new act the Division crafted that proposes to implement standards for insurance companies and that follows a model developed by the National Association of Insurance Commissioners.
In the meantime, answers to breach notification questions almost always start with, “Well, it depends…” But the following guidelines address some common questions.
Which industries are subject to breach notification requirements?
As with most data privacy laws, the healthcare and financial services industries face the most frequent breach notification obligations, since they often hold the most sensitive and valuable personal data. HIPAA, for example, established some of the earliest requirements for notification of compromised data. But at this point, nearly every business has notification responsibilities to follow.
What are my first steps regarding notification when a breach happens?
Ideally, you have a solid incident response plan in place, so no one has to figure out next steps under the pressure of a crisis. As part of that plan, make sure you’re building a relationship in advance with a digital forensics team, qualified attorneys and a cyber insurance firm.
As we’ll discuss below, the forensics team can help clarify your notification requirements based on what data was actually affected.
McKinney says it’s also important to have legal counsel available as soon as you discover the breach, because of potential liability considerations, the benefit of privileged communications, and the need to comply with strict breach notification requirements that, in some cases, allow windows as short as 72 hours.
What events trigger a notification requirement?
This is where things start getting fuzzy.
One thing that generally doesn’t matter is the number of customers affected. So thinking, “We’re not Facebook, so our little breach doesn’t really matter” won’t get you off the hook. The key factor, McKinney says, is whether the breached data is protected by the law.
That means it’s time to contact your digital forensics firm. McKinney says the difference between accessible and accessed information can determine whether a notification is required in some states. Bad actors may not even realize the treasure trove they’ve found, so they can leave protected data untouched. It’s like a burglar who walks right past a folder full of classified information lying on someone’s desk. A digital forensics team can track the hackers’ steps and help a company determine exactly what was compromised and whether notification may be required.
That information will help you understand your notification requirements, which rest largely on two factors: Was the compromised data encrypted, and is it a category the law protects, such as PII (personally identifiable information)?
“Every state is so different, but a generalized theme is that if it’s encrypted, then you have some pretty good protections against having to do a notification in many states,” McKinney says.
Your legal obligations will also depend on whether hackers could link up two pieces of PII using what they stole. “We’re not going to require notification if the compromised information only reveals the type or color of a car,” McKinney says. “But we’re looking for whether bad actors can marry up two concepts, such as your name and date of birth. If you have that situation, and it’s unencrypted, you’re most likely going to be navigating the breach notification maze.”
What laws apply to my situation?
“We do a lot of ‘conflict of laws’ analysis” to untangle all the relevant jurisdictions, McKinney says. Key questions an attorney will guide a company through include:
- In what state(s) is the data located?
- In what state(s) are the affected customers located?
- In what state did the “harm” occur?
- Who owns or is responsible for the data?
It’s easy to see the thicket of statutes in play in a situation like this one: A company headquartered in Illinois has offices in five other states and stores data on servers owned by a third party in Nevada. The business serves customers in 30 states. When a breach occurs, which state’s notification laws are in effect?
Specific contract details also affect which law is relevant and who might be responsible. “If I give you a hard drive, do you own it and hold all responsibility for the data stored on it?” McKinney asks. “Alternatively, if you just possess the hard drive temporarily, for service purposes, what responsibilities do you have? Importantly, your master services agreement or statement of work may address who owns the data and could very well play into which state law applies.”
What constitutes a notification?
By now, you know the answer depends on your state and the individual facts of each incident. Notification requirements have varying rules covering timing, messaging and whether a company must provide credit monitoring.
For regulated industries, one best practice McKinney recommends is to let any pertinent regulatory agencies know about a breach right away. “You don’t want your state insurance regulator or banking superintendent to learn through the newspaper that you had a breach,” he says.
What happens if I fail to provide the required notification?
McKinney points to several potential penalties:
- Civil penalties – The state attorney general could bring an action and seek significant fines for failure to follow requirements.
- Federal penalties – The Federal Trade Commission may take action, and seek fines, against companies it concludes have made false or misleading statements related to security and privacy, or that have violated trade practice rules.
- Private lawsuits – McKinney describes a scenario that could generate a suit: A company is breached and fails to notify customers as required by law, leading to identity theft and, eventually, financial harm for those customers. A customer could bring a suit claiming they would have changed their username and password if the company had notified them of the breach.
Clearly, the best responses to data breaches are put in place months before the breach occurs. By creating a solid incident response plan, taking steps such as segmenting access to your system and properly patching all your software, you can prepare for and possibly stop breaches altogether. To talk with one of our experts about starting your plan, contact us today.