Data Breaches: Some Lessons

Some of our readers may have read about recent high profile data breaches, such as the one involving credit card information taken from many Barnes & Noble retail stores. Or they may have heard of the huge class action law suits against Sony which resulted from its handling of a 2011 incident involving hackers into the Sony Playstation network. In that case, the hackers accessed personal information including names, addresses, user names, passwords, and other personal information from about 77 million user accounts. And they may have read about the breach involving TD Bank, in which TD Bank misplaced in March 2012 computer back-up tapes containing personal information for 267,000 customers, but did not inform the affected customers and pertinent state authorities until seven months later, in October. Each of these instances brings to light some apparent misconceptions regarding the handling of data breaches.  

Myth 1: There is no law that requires action in the event of a data breach.

Fact 1: There is no federal law (aside from laws regarding specialized industries such as banking and health care) that requires a response. However, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require certain actions be taken in the event of a data breach regarding personal information, and each of these laws is different.

Myth 2: My company only needs to comply with the data breach laws of the states in which my company has an office or other physical presence.

Fact 2: A company is subject to the data breach laws of not only the states in which it has a physical presence but also the states in which it has customers.

Myth 3: I need only look at one state’s laws if there has been a data breach.

Fact 3:In the unfortunate event of a data breach, you need to follow the laws of each state where the affected persons reside, and not just the law of the state where their information is maintained or the breach has occurred.

Myth 4: My company can have a uniform response to a data breach.

Fact 4: State laws require notifications to affected consumers and state agencies in the event of a breach. Some also require notifications to credit reporting agencies. The laws are not uniform with regard to what constitutes a data breach, the government agencies to be notified, the credit reporting agencies, if any, that need to be contacted, and the contents of the notice to individuals whose information was compromised.

Myth 5: My company is not required to have a data breach response plan in the event of a data breach.

Fact 5: If the company makes sales to residents of Massachusetts, then the company must have a written plan to disclose how it intends to respond to data breaches. This is part of a so-called WISP, as required by a 2010 Massachusetts law. Moreover, a data breach response plan can provide a critical defense to class action lawsuits claiming that your company failed in its duty to protect customers against harm resulting from data breaches.

Myth 6: My company can play it by ear when there is a data breach, so it is of little value to plan.

Fact 6: A company must and should tailor its response to a data breach to the facts and circumstances of the breach—and so there is a need “to call audibles at the line of scrimmage.” However, data breaches are dynamic events that require immediate, consistent action to: investigate what happened, determine the appropriate responses to stop the security breach, shape the correspondence with individuals whose information is compromised, and decide on notification to the appropriate federal and state authorities. Most of the actions require approval at the highest levels of a business. There needs to be a signal caller for the plays based on a play book developed before the game and the play takes place.

Myth 7: There is no requirement that my company respond quickly to a data breach, and we certainly do not want our actions to take away from our company’s efforts to operate the business.

Fact 7: No state law requires a fixed period of time to respond to a data breach. Many of the laws require prompt responses, however. And every day of delay for serious data breaches increases the potential exposure to real damage done to persons whose information has been compromised. Sony has oftentimes been criticized, and it has been hit with a number of class action law suits, because of the one week delay in notifying appropriate federal and state officials and the users whose information was compromised. A data breach response plan permits companies to continue to operate their businesses at times of a data breach, yet take the necessary action in as short a time possible under the circumstances. Finally, many state laws require notice to consumers before a data breach has been confirmed where there a reasonable likelihood of such a breach. As a result, waiting until a full investigation has been completed can violate applicable laws.

Myth 8: The data breach does not affect credit card numbers. Therefore, there is no required response.

Fact 8: Each of the data breach laws require notification of consumers and state agencies if the information compromised involves personal information, which is generally defined as a combination of a name and a data element, which may be a credit card number, but may also be a social security number, driver’s license number, bank account number. or other state-issued identification number. In addition, data breach notification requirements can be triggered even if the data involved is encrypted, since the laws of some states provide no exceptions for encrypted information.

Myth 9: The information was compromised when possessed by a third party, so my company need not make any notification to our customers.

Fact 9: The state data breach notification laws generally apply to any company that stores or maintains personal information or owns or licenses personal information of an individual. Thus, if a retailer submits personal information to a third party for processing—e.g., to a company to do a merge/purge or to send emails—it has a duty to notify the consumer whose information was compromised. All retailers should make sure that their contracts with outside contractors have suitable provisions addressing the confidentiality of personal information of their customers and employees as well as required notifications to the retailers in the event of a breach.

Myth 10: Data breaches occur only for large companies and my company is too small to be subject to either a data breach or the required response to a data breach.

Fact 10: In a recent survey, PricewaterhouseCoopers found that 70 percent of companies responding to the survey had experienced a data breach in the prior year. Other studies have found that data breaches are episodic and can occur to companies regardless of size. None of the data breach laws maintain a small business exception.

Conclusion

Inappropriate responses to data breaches can expose a company to significant liability and unfavorable publicity. Developing and implementing a sound data breach plan can reduce these adverse consequences and help avoid penalties from government “referees."