Data Privacy Breaches Part 2: Preparing for the government investigation.
The first part of this article series examined a company's need to organize an incident response team to "get ahead" of various types of potential data breaches. The truth is, no matter how robust and organized a company's incident response team is, there is no way to ensure that a data breach will not occur.
Nearly all businesses have already suffered a data breach or are likely to suffer one in the future, and it would be naive of a company not to prepare for the reality that a government investigation at the federal level, the state level or both may follow. Simply put, a company would be remiss if it did not also have prudent policies and procedures in place to prepare for a government investigation of a data breach.
After an incident occurs, the incident response team should convene and take four steps. Each step should be properly documented, because the government will almost certainly consider them in determining whether the company's response to the breach was reasonable.
First, the incident response team should take all necessary steps to contain the breach and limit further loss of data. This includes securing any physical area housing the data, if the breach involved records stored physically on company premises, and isolating any affected systems so that technical containment measures can be applied, such as resetting passwords, revoking compromised credentials and restricting administrative rights. Containment should be carried out in a way that preserves logs, disk images and other system state, because the evidence collected in the next step depends on it.
Second, the incident response team should collect all data relating to the breach: the date, time, duration and location of the breach, how the company discovered it, the entry and exit points used, and details about the compromised data. All forensic evidence the company collects must be properly preserved, with chain of custody documented, in the event of future litigation.
Third, the company should analyze the facts surrounding the breach, including whether personally identifiable information was compromised, who the affected persons are and the scope of the breach.
The final and perhaps most important step is ensuring that the company is complying with federal and state data breach notification requirements.
A company is best positioned to limit its exposure to a prolonged government investigation by ensuring that it has complied with the applicable data breach notification laws. Practically all states (as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands) have adopted general data breach notification statutes, which require businesses to take certain steps when a breach involves protected personal information.
The first state to adopt such a statute was California, which has since amended it four times. California's statute matters to every company's data privacy policies and procedures because essentially all state general data breach notification statutes are modeled on or are substantially similar to it. While most state general breach notification statutes apply only to electronic records, a number of state laws apply to breaches of paper records as well.
Typically, data breach notifications must be made to some or all of the following: the affected persons, law enforcement, regulators, the media and the consumer reporting agencies. A company should also be mindful that some states have enacted sector-specific laws in addition to their general data breach notification statutes, which require certain types of businesses, such as regulated insurance licensees, to provide notification of a data breach to specific persons, such as state insurance commissioners.
Part of the incident response team's analysis of the facts surrounding the breach, in light of the notifications that might apply, should be a determination of the level of risk of harm to affected persons. The majority state view is that notification requirements are triggered only when the risk of harm to affected persons is "substantial" rather than merely "material."
The majority view is also that notification is triggered only when misuse of the data is likely to occur, not when the company can conclude that misuse is unlikely. A word of caution: even if a company concludes that misuse is not likely, several state statutes require it to notify the state that it has independently determined there is no risk of harm, and the basis for that determination should be documented.
An issue that will almost certainly arise during a government investigation is whether the breached data was encrypted. As a general rule, notification is not required if the personal information was encrypted; however, if the encryption key was also compromised in the breach, the exception does not apply.
Thus, the incident response team must be prepared to state affirmatively to the government whether the encryption key was also compromised, and to back that statement with evidence of where the keys were stored and who could access them. Accordingly, the company's policies and procedures must require that encryption keys be stored and managed separately from the data they protect, so that a compromise of the data store does not by itself expose the keys.
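In engineering terms, segregating keys from encrypted information usually means envelope encryption: each record is encrypted under its own data key, and that data key is stored only in wrapped form, encrypted under a master key that lives in a separate key store (a KMS or HSM). The Go program below is an added example written for this article, not code from the original or from any vendor; the KeyStore type stands in for that separate service, the KEK identifier and the sample record are constructed, and AES-256-GCM from the Go standard library does the cryptographic work. It shows that a copy of the database alone cannot be decrypted, which is what the incident response team needs to be able to demonstrate when it asserts that the key was not compromised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is all the application database stores: ciphertext plus the per-record
// data-encryption key (DEK) wrapped under a key-encryption key (KEK) held elsewhere.
type Record struct {
	KeyID      string // names the KEK in the key store that wrapped this DEK
	WrapNonce  []byte
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for a separately hosted KMS or HSM. Assumption: the real
// service has its own credentials and audit log, so its non-exposure can be attested.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// AddKEK installs a random 256-bit key-encryption key under id.
func (ks *KeyStore) AddKEK(id string) { ks.keks[id] = randBytes(32) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects nil/short keys, e.g. an unknown KEK id
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key, binding aad to the ciphertext.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = randBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ct, nonce or aad fails authentication.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt: fresh DEK per record, plaintext sealed under it, DEK wrapped under the KEK.
func Encrypt(ks *KeyStore, keyID string, plaintext []byte) (Record, error) {
	dek := randBytes(32)
	nonce, ct, err := seal(dek, plaintext, []byte(keyID))
	if err != nil {
		return Record{}, err
	}
	wn, wrapped, err := seal(ks.keks[keyID], dek, []byte(keyID))
	if err != nil {
		return Record{}, fmt.Errorf("wrap DEK under %q: %w", keyID, err)
	}
	return Record{KeyID: keyID, WrapNonce: wn, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt needs the key store to unwrap the DEK; a database dump alone holds
// only WrappedDEK, which is ciphertext under the KEK rather than a key.
func Decrypt(ks *KeyStore, rec Record) ([]byte, error) {
	kek, ok := ks.keks[rec.KeyID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available: cannot unwrap DEK", rec.KeyID)
	}
	dek, err := open(kek, rec.WrapNonce, rec.WrappedDEK, []byte(rec.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	ks := NewKeyStore()
	ks.AddKEK("kek-2016-q2")
	rec, err := Encrypt(ks, "kek-2016-q2", []byte("SSN 123-45-6789")) // constructed sample, not real data
	pt, derr := Decrypt(ks, rec)
	fmt.Printf("with key store: %q (errs: %v, %v)\n", pt, err, derr)
	_, err = Decrypt(NewKeyStore(), rec) // what a database dump yields without the key store
	fmt.Println("dump alone:", err)
}
```

The second Decrypt call fails because the dump carries no KEK, only a wrapped DEK that is useless without it. The practical corollary for the investigation is that the key store's access logs, not the database's, substantiate the statement that the key was not compromised, so they must be retained and preserved with the rest of the forensic evidence. If the key store shares hosts, credentials or administrators with the database, the segregation is nominal and the encryption exception should not be relied on.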
Another issue that will no doubt be raised in the course of the investigation is how long it took the company to notify the affected persons. Most state general data breach notification statutes do not set a bright-line deadline; instead, they require that notification to affected persons occur as expediently as possible, without unreasonable delay, or both.
Some statutes define narrow circumstances that can justify a delay, such as when notification would compromise a law enforcement investigation. That said, several states have adopted bright-line deadlines that companies must follow.
In Florida, for example, affected persons must be notified no later than 30 days after the company determines that a breach has occurred. Ohio and Wisconsin have similar timing; both require notification within 45 days of discovering the breach.
And in Maine, if notification would impede a law enforcement investigation, it must occur within seven business days after law enforcement states that notification will no longer compromise the investigation.
Providing the actual notification to affected persons is also not as easy as it may seem, particularly if a company did not have the foresight to draft policies and procedures governing how it may contact its customers about a data breach.
In every state, written notice satisfies the notification requirement. But given that practically all communications now occur electronically, a company might prefer to send electronic notice.
Only a few states allow notice by email outright; most permit electronic notice only if it is consistent with the federal rules governing electronic records and signatures (the E-SIGN Act, 15 U.S.C. 7001). In practice, this means the company must have obtained the affected person's consent to receive electronic notices before the breach occurs.
During the government investigation, a company should be prepared not only to disclose its method of notification but also to substantiate that any affected person who received notice by email had consented to notification in that manner.
The consequences of failing to follow a state's general data breach notification statute can be disastrous. Most jurisdictions allow enforcement by the attorney general, who typically can sue for civil penalties, injunctive relief or both. A minority of states, such as California, Texas and New Jersey, have also granted a private right of action that allows individuals to sue for actual damages resulting from a company's failure to provide timely notification of a data breach.
Organizing an incident response team and testing its protocols with a simulated data breach is far from the only step a company must take to protect against data breaches. It is the manner in which the company responds to a government investigation that will determine whether it can survive the breach and continue business as usual afterward.
Although no set of policies and procedures can guarantee that a government investigation will not be launched, they can ensure that the company is as prepared as possible to demonstrate its due diligence in meeting the requirements of the law.
Copyright (c) 2016 Summit Business Media. All Rights Reserved. Provided by SyndiGate Media Inc. (Syndigate.info).
Date: Jun 21, 2016