Ten Ways to Prevent a Data Breach from Breaching a Budget
DAVID ZETOONY
With data breaches a fact of life for many companies today, the author
provides a 10 point checklist, which includes steps a company can take
before a breach occurs, immediately after a breach occurs, and well after
a breach occurs, designed to lower the cost of responding to data security
breaches.
Data breaches are now a common occurrence, with over 300 major
breaches involving over 100 million consumer records reported
each year. Although each breach is unique in terms of its cause,
its scope, the type of business it affects, and the type of consumer information it involves, every breach shares two characteristics: (1) It is unanticipated (and therefore usually not expected in the budget) and (2) It can be
extremely costly. Beside the internal cost of investigating a breach, which
itself usually entails numerous hours from employees, in-house counsel,
and outside counsel, where consumer notification is needed a company
usually must pay the following costs:
• Printing and mailing notifications;
• Staffing call centers to respond to consumer questions;
David Zetoony is an attorney at Bryan Cave LLP in Washington D.C. He practices antitrust and consumer protection litigation and, over the past five years, has assisted dozens of companies to respond to data security breaches, and investigations that result from data security breaches. He may be contacted at david.zetoony@bryancave.com.
Published in the May 2009 issue of Privacy & Data Security Law Journal.
Copyright ALEXeSOLUTIONS, INC.
• Credit monitoring for affected consumers;
• Legal fees for responding to government investigations; and
• Litigation fees if suit is brought by consumers or regulators.
Companies often pay between $50 and $79 per lost record.[1] For relatively small breaches involving hundreds or thousands of records, the cost
can be substantial; for large breaches involving millions of records, the
total cost can be enormous.
Although there are always costs in responding to a data breach, companies, especially companies responding to a data breach for the first
time, often overlook simple ways to reduce and mitigate these costs.
The following suggestions illustrate 10 specific ways in which companies could (but most companies don’t) lower the cost of responding to
a data breach. These suggestions include steps that a company can take
before a breach occurs, immediately after a breach occurs, and well after
a breach occurs.
BEFORE A BREACH OCCURS
1. Create a Notification Policy
Most notification statutes provide that if a company creates its own
policy for notifying consumers, and that policy is consistent with the law’s
“timing requirements,” then a company that complies with its own policy
will be “deemed” in compliance with the statute. Fashioning a corporate
notification policy before a breach occurs can help avoid some of the largest costs associated with consumer notifications. For instance, a corporate
policy might state that consumers will be notified by e-mail instead of by
mail, alleviating thousands of dollars for printing fees, and mailing fees, if
a breach occurs.
In addition to the direct savings that can be achieved through the substantive provisions of a corporate breach notification policy, a breach notification policy can also have significant indirect savings by establishing
a clear procedural framework. For instance, by providing instructions for
how breaches will be reported internally through a company’s organizational
structure, and who (or which department) will be responsible for investigating a breach, the policy can prevent the loss of time and money that occurs
during the first few days of an uncoordinated response to a data breach.
2. Up-to-Date Safeguards Policy
The best way to save money when responding to a data breach is to
not have the breach in the first place. Although most companies are required under federal law (e.g., Gramm-Leach-Bliley, the Health Insurance
Portability and Accountability Act) or state law (e.g., state “safeguards”
statutes) to evaluate security risks and to create a policy to address those
risks, many companies do not evaluate security risks regularly. Although
the frequency needed to evaluate risks varies by industry, and the type of
data that a company maintains, every business should consider reevaluating its safeguards policy at least annually.
Even companies that regularly review their security policy often limit
that review to evaluating whether the security policy adequately addresses
new technological threats, such as viruses or malware. Often security
policies neglect the fact that most breaches are not caused by a breach of
the company’s information technology infrastructure. When evaluating a
security policy, a company should consider the following rough breakdown of where breaches occur:[2]
• 40 percent laptop thefts (half stolen outside of company; half stolen while inside the company);
• 20 percent human or software error;
• 15 percent non-laptop theft;
• 15 percent hackers; and
• 10 percent employee intentional acts.
AFTER A BREACH
3. Do Not Notify Consumers Unnecessarily
Many companies have started notifying consumers anytime a potential
breach occurs. Often the decision to issue notifications is made under the
mistaken belief that companies are legally required to issue notifications
after any potential breach, or under the belief that there is no downside to
giving notice. Notifying consumers before a company has fully investigated a potential breach can be incredibly costly. First, the company must
bear the direct cost of issuing the notification, which, as discussed above,
can be substantial. Second, notifying consumers before a company has
fully investigated a breach may unnecessarily alarm or confuse consumers. Consumers who mistakenly believe that their data has been breached,
or that they are at risk for identity theft, are more likely to file administrative, or self-regulatory (e.g., Better Business Bureau) complaints or to initiate civil suits. Although there may be no substance to those complaints,
the cost of responding to government investigations, demand letters, or
complaints is almost always substantial.
Deciding whether to notify consumers of an incident should be done on
a case-by-case basis. In many situations, what might look like a data security breach at first may not require notifying consumers if, after a careful and
thorough investigation, it becomes apparent that the security, confidentiality,
and integrity of consumers’ information has not been compromised.
4. On the Fence About Notifying Consumers? Consider Asking
Regulators Before Taking the Plunge
After investigating a potential breach, companies often conclude that
either a breach has not, in fact, occurred, or that the security and confidentiality of consumer information has not been compromised as a result of a
breach. Companies often decide to issue consumer notifications nonetheless, because they fear that a state or federal regulator may see the situation
differently and penalize them for having not made consumer notifications.
Instead of second-guessing a reasoned decision that consumer notification is not needed, or warranted, consider voluntarily providing state or
federal regulators with information concerning the potential breach and
the company’s rationale for not issuing consumer notification, and inviting
the regulator to offer its comments or opinions. If the regulator disagrees
with your assessment and requests consumer notifications, the company is
no worse off than it would have been had it issued the consumer notifications; on the other hand, the regulator’s agreement with the company’s
position (or the regulator’s silence) can be a powerful defense against any
future claim that the decision not to notify consumers was unreasonable.
5. Consider Informally Notifying Government Regulators
Although some states require notification of regulators each time a
breach occurs, most states, and most federal regulators, do not have such a
requirement. Just because reporting an event is not required does not mean
that it is not a good idea to consider reporting it voluntarily. Although in
some cases voluntarily reporting a breach to regulators may bring unnecessary (and unwanted) attention from the government, in other cases, especially when a breach has already been publicized, it may head off government
investigations or formal requests for documents and information.
6. Keep a Written Chronology of the Breach
The hours and days following a breach are usually hectic and filled with
sometimes conflicting information arriving from various sources. Often information that is filtering in comes in the form of internal e-mails, teleconferences, or interviews. During this process few companies keep a formal
log of what the company/legal department knows (and when the company/
legal department became aware of the information). Having an in-house, or
outside, counsel keep a running written chronology in anticipation of possible litigation can form the basis of what may ultimately become an incident
response report, and can save countless hours reconstructing events from
e-mails, handwritten notes, and follow-up interviews.
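The chronology described above is, in practice, an append-only record of what was learned, from which source, and when the company knew it. The following is an added example, not code from the article: a small Python chronology in which each entry is hash-chained to the one before it, so that a later edit, insertion or deletion is detectable when the record becomes the basis of an incident response report. The hash chaining is this example's own choice, not something the article prescribes, and every incident fact in the demo is constructed sample data.

```python
"""Tamper-evident breach chronology (added example, not from the article).

Each entry records a fact, the source it came from, when the company learned
it, and when counsel wrote it down. Entries are chained with SHA-256 over the
previous entry's hash so that edits to the record are detectable later.
All incident facts used in demo() are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class Chronology:
    def __init__(self):
        self.entries = []

    def add(self, learned_at, source, fact, recorded_at=None):
        """Append one fact. `learned_at` is when the company knew it (ISO 8601);
        `recorded_at` is when it was written down (defaults to now, UTC)."""
        recorded_at = recorded_at or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "learned_at": learned_at,
            "recorded_at": recorded_at,
            "source": source,
            "fact": fact,
            "prev_hash": prev,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash from GENESIS. Returns (True, None) if intact,
        otherwise (False, seq) for the first entry that no longer matches."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _entry_hash(prev, body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def timeline(self):
        """Entries ordered by when the fact became known, which is the order an
        incident report needs, not the order in which counsel heard about them."""
        return sorted(self.entries, key=lambda e: e["learned_at"])


def demo():
    """Constructed sample incident: facts appended in the order they reached counsel."""
    log = Chronology()
    log.add("2009-03-02T09:15:00Z", "IT helpdesk ticket",
            "Sales laptop reported missing from a hotel room.",
            recorded_at="2009-03-02T10:00:00Z")
    log.add("2009-03-02T16:40:00Z", "Interview: laptop owner",
            "Laptop held an exported spreadsheet of 4,200 customer records.",
            recorded_at="2009-03-03T08:30:00Z")
    log.add("2009-03-04T11:00:00Z", "Vendor forensics call",
            "Device inventory shows full-disk encryption was enabled on the laptop.",
            recorded_at="2009-03-04T11:20:00Z")
    # Learned last, but describes the earliest event: timeline() puts it first.
    log.add("2009-03-01T22:30:00Z", "Hotel security report",
            "Room entered by unknown person at 22:30 the night before the report.",
            recorded_at="2009-03-05T09:00:00Z")
    return log
```

Because `verify()` recomputes the whole chain from the genesis value, a changed fact, a removed entry or a reordered entry all surface as a mismatch at a specific sequence number; the `recorded_at` field, kept separate from `learned_at`, preserves the "what did the company know and when" distinction the chronology exists to answer.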
GOVERNMENT INVESTIGATIONS
7. Have Your Privacy Policy, Security Policy, and Safeguards Policy in One Place
It is not uncommon for a company to receive a subpoena, civil investigative demand (“CID”), or nonpublic inquiry following a breach. Although the inquiry may have been triggered from the breach, regulators often ask to see all of a company’s consumer-focused statements concerning
privacy and security. Making sure that these documents are up-to-date and
that past versions of these documents are easily accessible can eliminate
time (and money) to find, collect, or reconstruct these policies.
8. Take a First Stab at Responding to Investigatory Demands
Most companies turn to outside counsel who specialize in consumer
protection when they are the target of a government investigation. Outside counsel can be invaluable in helping to respond to a CID from the
Federal Trade Commission, or a subpoena from a state Attorney General.
Among other things, they can provide insight concerning issues and facts
that will likely be of interest to the government agency, they can draw
from their experience with particular government agencies and particular
government staff attorneys, and can help craft interrogatory responses and
organize document productions.
At the same time, outside counsel are often not the best resource to
coordinate the collection of documents and information from in-house departments and corporate employees. If a company has available in-house
resources, having in-house counsel take the first steps to collect documents
responsive to document requests, and to draft responses to investigatory
demands, and then having outside counsel explore additional sources of
information, and revise written responses, can keep billable hours to a
minimum, while effectively leveraging resources.[3]
9. Propose Alternative Documents to Satisfy Requests
It is not uncommon for a subpoena or CID that was triggered from a
data breach to go far afield in its request for documents and for information. Sometimes this reflects a regulator’s desire to investigate a company’s overall practices and procedures. Other times, this reflects a genuine
misunderstanding of the facts or circumstances of a data breach. Before
spending countless hours collecting documents or information that might
not be needed, outside counsel might be able to explain informally the
basic facts underlying the breach, and to propose what documents might
best illustrate those facts.
WELL AFTER A BREACH
10. Learn the Lessons
After responding to, investigating, and/or reporting a breach, it is
tempting to breathe a sigh of relief and return to other matters that were
put aside in the rush to take care of the incident. A data breach provides
a one-of-a-kind opportunity to test existing policies and procedures. Investing a small amount of time and money one or two months after a data
breach has been successfully resolved to determine what worked, what did
not work, and what could have worked better in responding to the breach
can save a large amount of time and money when responding to the next
breach.
Notes

[1] United States Government Accountability Office, Report to Congressional Requesters: Personal Information, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 34 (June 2007) (citing various surveys of corporate expenditures following data breach).

[2] For more detailed data showing where data breaches most often occur, see http://www.privacyrights.org/ar/ChronDataBreaches.htm.

[3] As a caveat, companies that do not have experience responding to document requests issued by government agencies, or issued as part of civil litigation, may spend more money by attempting to coordinate or collect documents on their own. For instance, if documents are collected without keeping a proper chain of custody, without appropriately evaluating material for responsiveness and privilege, and without sensitivity to preserving the documents’ integrity (e.g., the metadata of electronic documents), the collection may need to be redone by outside counsel, increasing, instead of reducing, a company’s overall costs. The best advice when deciding how in-house and outside counsel resources should be used is to discuss with outside counsel, at an early stage, a proposed process and procedure for collecting materials and information in order to identify potential problems or deficiencies.