Legal Matters: Preparing for and Responding to a Data Breach
Unfortunately, it's not a question of if, but when your company will experience a data breach. Whether caused by a hacker, equipment failure, theft, disgruntled employee or a vendor error, most retailers will experience an incident resulting in the unauthorized disclosure of confidential customer or employee information. According to the Open Security Foundation and security consultancy Risk Based Security, last year set a record for the number of reported data breach incidents — 2,644 incidents, more than double the number in 2011, which previously had been the highest amount in one year.
There are 46 states, along with the District of Columbia, Puerto Rico and the U.S. Virgin Islands that require specific actions to be taken in the event of a data breach involving personal information. Most significantly, a company is subject not only to the laws of the state in which the data breach occurred, but also to the laws of every state in which it has customers whose personal information was compromised. This presents a major compliance challenge because state laws aren't uniform and differ considerably in their reporting and notification requirements. Such differences include what constitutes a data breach, the government agencies that must be notified, whether credit reporting agencies must be informed, and the contents of the notice sent to individuals whose information was lost or released.
The Advantage of Preparing a Data Breach Response Plan in Advance
A data breach response plan can provide a critical defense against class-action lawsuits that allege a retailer was negligent in failing to protect customer information. In fact, for retailers that make sales to residents of Massachusetts, a 2010 state law requires that a company have a written plan disclosing how it intends to respond to data breaches.
Timing is key to compliance with state data breach laws. Prompt notification to customers isn't only a legal and moral obligation, but also a good business practice. A mishandled or untimely response will seriously damage a company's reputation and result in a loss of consumer confidence and goodwill.
Often the most hostile customer reactions aren't to the initial breach itself, but to the delay in informing them so that they can take protective action (e.g., cancelling credit cards). With a data breach response plan in place, a company is in a position to take the following steps when necessary:
- activate its "response team";
- start an investigation of the cause of the breach;
- determine the categories of information disclosed and the number of individuals affected;
- assure reporting to government authorities within the time period required by law;
- employ a template to send clear and prompt written notifications to customers;
- assign responsibility for communication with media; and
- limit damage to the company's goodwill.
Essentially, the data breach response plan is the "playbook" for managing a crisis. The response team, with the advice of legal counsel, must determine when available information triggers an obligation to report an apparent data breach to state officials and notify affected individuals. It's important to note, however, that many state laws require that when there's a reasonable likelihood of a data breach, notice must be provided to customers even before the breach has been confirmed. Consequently, waiting until a full investigation has been completed may itself be a violation of applicable laws.