Data Breach Incident Response: Questions and New Laws

As more and more breaches happen every month, businesses everywhere need to consider what would happen if their company had a breach.  Here is advice from the national law firm of Perkins Coie.

1. Is the breach reportable?  The list of data items which, when compromised, triggers a reportable breach keeps growing.  For example, this year Illinois and Nebraska joined a number of other states that dictate that compromised account credentials are now reportable.   This year Tennessee removed language which used to say that if the data was encrypted, the breach is not reportable.  For some states now, if the data was encrypted but the keys were likely compromised, the breach is reportable.  And, remember, what matters is where the owners of the data reside, not where your office is.
2. How fast should you notify?  That is not a simple question to answer.  While different laws come into play for different groups, caution is advisable.  If the data lost was covered by HIPAA, you have a specific amount of time to notify.  If you are a Defense Contractor, you have a different, VERY SHORT amount of time to notify the Department of Defense.  What we saw earlier this year in the P.F. Chang breach is that they over disclosed and when it was discovered that relatively few customers were impacted and they tried to get lawsuits dismissed, the court said that they told everyone that they were at risk.
3. What should the notice look like?  Some states, like Rhode Island, specify in significant detail what needs to be in the letter, but this language can get you in trouble later.  Judges are sometimes not real good at understanding the laws of other states.  When Neiman Marcus told customers, after their breach, to check their credit reports, even though the breach did not reveal any information that would allow a hacker to open a new account, the judge discounted Neiman’s claim that the reason they told people to check their credit report was that they were legally required to say that in some states.  Eventually, the courts and the legislatures will get in sync, but not as long as the legislatures keep tinkering with the laws.
4. Who receives notice?  Well, besides the affected people, in some states, the state Attorney General must be notified.  For HIPAA breaches of over 500 records, the Secretary of Health and Human Services must be notified and for defense contractors, the DoD must be notified.  These are just SOME parties that have to be notified.  And, of course, you must use the approved, state specific form.
5. Should we offer credit monitoring services? Credit monitoring and credit repair services seem to be the norm these days, at least for big breaches, but even this can come back to haunt you.  In the Neiman’s breach mentioned above, the court said that because they offered credit monitoring there must have been a risk for fraud – even though there wasn’t any, other than someone using your Neiman’s card.

All this says that the landscape is filled with landmines and you MUST have a cyber breach litigation wise attorney in your camp from the VERY FIRST MOMENTS.  As you can tell from the words above, even simple decisions have the possibility to backfire.

So if you do not have a cyber incident response plan written, approved, disseminated and tested, I recommend that be added to the high priority to do list.

Information for this post came from JDSupra.

by