Legal Matters: Preparing for and Responding to a Data Breach

Unfortunately, it's not a question of if, but when your company will experience a data breach. Whether caused by a hacker, equipment failure, theft, disgruntled employee or a vendor error, most retailers will experience an incident resulting in the unauthorized disclosure of confidential customer or employee information. According to the Open Security Foundation and security consultancy Risk Based Security, last year set a record for the number of reported data breach incidents — 2,644 incidents, more than double the number in 2011, which previously had been the highest amount in one year.

There are 46 states, along with the District of Columbia, Puerto Rico and the U.S. Virgin Islands that require specific actions to be taken in the event of a data breach involving personal information. Most significantly, a company is subject not only to the laws of the state in which the data breach occurred, but also to the laws of every state in which it has customers whose personal information was compromised. This presents a major compliance challenge because state laws aren't uniform and differ considerably in their reporting and notification requirements. Such differences include what constitutes a data breach, the government agencies that must be notified, whether credit reporting agencies must be informed, and the contents of the notice sent to individuals whose information was lost or released.

The Advantage of Preparing a Data Breach Response Plan in Advance
A data breach response plan can provide a critical defense to class-action lawsuits, which allege that a retailer was negligent in failing to protect customer information. In fact, for retailers that make sales to residents of Massachusetts, a 2010 state law requires that a company must have a written plan to disclose how it intends to respond to data breaches.

Timing is key to compliance with state data breach laws. Prompt notification to customers isn't only a legal and moral obligation, but also a good business practice. A mishandled or untimely response will seriously damage a company's reputation and result in loss of consumer confidence and good will.

Often the most hostile customer reactions aren't to the initial breach itself, but to the delay in informing them so that they can take protective action (e.g., cancelling credit cards). With a data breach response plan in place, a company is in position to take the following steps when necessary:

• activate its "response team";
• start an investigation of the cause of the breach;
• determine the categories of information disclosed and the number of individuals affected;
• assure reporting to government authorities within the time period required by law;
• employ a template to send clear and prompt written notifications to customers;
• assign responsibility for communication with media; and
• limit damage to the company's good will.

Essentially the data breach response plan is the "playbook" for managing a crisis. The response team, with the advice of legal counsel, must determine when available information triggers an obligation to report an apparent data breach to state officials and notify affected individuals. It's important to note, however, that many state laws require that when there's a reasonable likelihood of a data breach, notice must be provided to customers, even before the breach has been confirmed. Consequently, waiting until a full investigation has been completed may itself be a violation of applicable laws.

Core Elements of a Data Breach Response Plan
An effective and practical data breach response plan should include the following eight elements:

1. Formation of a data breach response team. The team would typically include a senior executive with broad decision-making authority; the chief information officer; the directors of customer service, government affairs, public relations, compliance and security; a senior human resources manager; and legal counsel. Once a breach occurs, the team should be augmented quickly by a digital forensics consultant.

2. Designation of a point person. A member of the response team should be designated as being responsible for coordination of efforts and maintaining the checklist (see No. 8).

3. Identification of potential risks. It's helpful to identify areas of possible vulnerability, including recommended measures to upgrade and monitor data security.

4. List of third-party vendors. All third parties with possession of or access to personal customer and employee information should be listed, along withkey contacts.

5. Inventory of information; including:

• data location lists;
• third-party vendor contracts;
• privacy policy; and
• information security policy.

6. State law compliance matrix. A chart should be prepared showing each state's reporting and notification requirements, along with the point of contact.

7. Maintenance of attorney-client privilege in regard to the data breach investigation materials and communications

8. Checklist in response to an apparent data breach:

• Alert response team.
• Initiate measures to prevent the further disclosure of personal information.
• Conduct an IT forensic investigation to gather evidence and determine the source of the data breach, the means by which it occurred and the infor-mation involved.
• Secure relevant physical and electronic records relating to the breach and investigation.
• Determine government agencies to which prompt reporting must be provided.
• Establish a timeline for compliance with government reporting as well as consumer/employee notification requirements.
• Develop text of government agency reports, which may vary in different states.
• Develop text of consumer/employee notification, which may also vary dependent on state laws.
• Prepare a media statement and designate a company spokesperson.
• Notify law enforcement authorities if criminal conduct is suspected.
• Track consumer/employee responses to notification and confirm that all inquiries have been answered.
• Determine appropriate mitigation measures to assist consumers and employees in connection with the unauthorized release of their confidential information.

Don't Delay
In the absence of a carefully developed data breach response plan, retailers are likely to be halting in their response and uncertain as to which individuals within their organization should assume responsibility for the various technical, investigative, legal and communicative tasks, which must be completed on an expedited basis. A botched response to a data breach may carry much graver consequences than the breach itself.

George S. Isaacson is a senior partner at Brann & Isaacson, a direct marketing law firm. George can be reached at gisaacson@brannlaw.com.