LexisNexis® for Corporate Counsel
Here is where you don’t want to be. You don’t want to be the company that doesn’t protect data with even the most basic methods and technologies; that doesn’t have a breach response plan; that takes its sweet ol’ time addressing or reporting a breach; that lets the government read about the breach in the newspaper; and whose people welcome government investigators with the same warmth as they would, say, a wedding crasher with the flu.
Do regulators interpret notification requirements the same way businesses do? Do regulators actually assist companies when responding to breaches or are they there to uncover everything your company is doing wrong? What are regulators looking for from your company after a breach? These were questions answered during the recent NetDiligence® Cyber Risk & Privacy Liability Forum held in Marina del Rey, California. One of the sessions, moderated by Jason M. Weinstein, a former deputy assistant attorney general with the Department of Justice and now a partner at Steptoe & Johnson LLP, featured insights from representatives of attorney general offices in three states: Ryan Kriger from Vermont, Patrice Malloy from Florida, and Adam Miller from California.
First, Weinstein asked the panel to respond to company concerns that they will become the subject of an investigation after a breach, when they view themselves as victims.
Not Reporting Gets You Dinged
Adam Miller of the California AG’s office has heard that concern. While every form of breach will not be investigated, his office will pursue companies that fail to have processes or procedures in place to mitigate risk. He also disagreed with the mantra that it is not a matter of whether but when your company will be breached. Many effective protocols and protections were chronicled during the course of the conference. “It’s not fair to say that if you report something to the government that you’re going to get dinged by the government. The better argument is that if you do not report to the government and we find out about it—you will get dinged,” Miller said.
Patrice Malloy of Florida also heard that refrain from companies, “but we also hear from consumers and they feel victimized. While the company wants to know why they are in the middle of an investigation, the consumer wants to know what we are going to do to protect them since their social security number has been stolen.” She added that once her department walks through a breach with a company “they start to realize the role we are playing.”
Miller of California said a company recently contacted them about a breach even though it was not big enough to require notification to the state. “This demonstrated the company’s willingness to work with us,” he said. “It’s also helpful to have tabletop exercises and to have a plan in place if we do talk to you. Most of the time we find there has been a reasonable mistake and precautions were in place, and we just move on.”
“We get hundreds of breach notices a year and we are not investigating and looking into every one of these breaches,” Vermont’s Kriger said. All three speakers shared the reality that resources simply do not allow them to investigate each breach. “If a company is being investigated by an AG’s office something pretty bad probably happened. We’re trying to look for the most egregious examples to show other businesses that we take this seriously and this is the sort of thing you should do. In Vermont we have a lot of small businesses which are frequent victims of breaches. We end up helping the business repair their security.”
Malloy applauded the company that contacted the state even though the extent of the breach was relatively small. She said it is good form to “proactively reach out to us so we won’t read about your breach in the newspaper or hear about it from another state. We have received specific information, the company has come forward, and it answered a lot of questions about who, what, when and how. So we don’t escalate further. The breach has been contained.”
Steptoe’s Weinstein said much attention goes to the investigations states conduct, but much less goes to the services they provide to help companies avoid breaches or respond to them effectively. Miller directed people to the California AG’s website—oag.ca.gov/privacy—which provides resources for consumers and businesses alike. It also lists who has reported breaches. Miller recommended reading the California Attorney General’s Data Breach Report 2012 which is designed to help companies and government agencies review their privacy and security policies. “Spoiler alert,” he said, “There is a heavy focus on encryption.” (The report is available for download at http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf.)
“Generally speaking,” Weinstein asked, “how do you decide which breaches to investigate?”
If we receive a notice and the breach took place three months ago, that’s a red flag, Kriger said, noting Vermont’s 14-day notification rule. Generally speaking, a company should describe what happened in the breach, but that initial notice does not have to be elaborate. “If it turns out to be wrong later, we’re more concerned with knowing that something happened,” he said.
“An example of one we escalated in Vermont was when a business didn’t take any action to stop the breach for a period of time that was unacceptable. A $5,000 fraud became one of tens of thousands of dollars. We had cases where people were getting new credit cards after the fraud, using them at the hacked business only to have them stolen again. The concern is not only the security a company has but how it behaves after the breach. We are not forensic investigators, so if a breach raises a red flag with an attorney that’s a red flag for us.” He said his group is not concerned about the grey areas as much as cases that prompt the reaction, “Wow, you really should have done something there!”
“The big point is delay, or reasonable delay,” said Malloy of the Florida AG’s Office. “Did you wait too long to hire a forensic investigator? Did the forensic company get into it right away? Do you know that you shut it down? Did you wait until we called you? Or did you call us to say there was an incident, we’ve hired an investigator, etc.”
Miller said that in California they want to be notified “in the most expedient time possible. Waiting three months to complete analysis of a breach, for example, is unreasonable.” Cases pursued in California included one in which 30,000 Social Security numbers could be seen through envelope windows, and one in which a bank suffered a massive breach that compromised 360,000 customer account records. The reason California pursued the bank was that hackers used a well-known and established exploit to access the system. “We also are focusing on unencrypted ‘data at rest’ on laptops and USB drives,” he said. “It’s pretty straightforward to establish security and not doing so is serious.”
What waves a flag in Florida, Malloy said, is when an employee loses an unencrypted laptop, the employee was given no company training, the company had no data security policy, and the data at rest was no longer useful and had sat on the server for many, many years. “The company probably wasn’t even aware the data was there until it was stolen,” she said.
Fear of Early Reporting
Weinstein said companies are concerned about reporting when they don’t fully understand what they are reporting about. They fear notifying consumers or the AG’s office then having to retract or correct their notifications. If early reporting is a factor, what should a company do if they don’t know the full extent of the breach?
Miller said a company should consider making contact with at least some AGs such as the ones in the company’s home state and the state where most people will be affected. “As soon as you know who some of the victims are you need to start reporting and have the processes in place, like toll-free numbers and call centers. Sometimes that’s difficult and sometimes mistakes are made, but consumers would rather know early that they might have been a victim than being told they are okay and finding out they are at risk three months later.”
It’s a tough position to take for a company, Malloy said. “They don’t all want to do rolling notices, and prefer to wait until they have a complete set of customers at risk and notify them all at once. But it is a tougher position to defend if a company knows a consumer was at risk and the company had the consumers’ correct contact information and chose not to notice them six months later when they had all of the consumers’ contact information?”
Miller noted alternative notice methods, like website posts.
Kriger said the initial heads-up notice to the AG’s office is statutorily protected information so there is no downside to reporting a breach. “In the event of an eventual delay in notice and the company provides good reasons, we are much more likely to believe them since they notified us right away and appeared to be on top of the situation. The subsequent, more detailed notice is public.”
In California, Miller said, a copy of the notice sent to the AG is a public record. “If you were to make a phone call, that would not be public,” he explained.
“What other factors do you consider?” Weinstein asked. “The number of victims? Estimated dollar loss? An industry where competitors have been breached?”
“Number of victims is a significant factor, due to resources,” Miller said. “Having a plan in place and chief privacy officer or at least having someone in charge, that helps.”
“When I would first get reports of a breach from consumers or newspapers, or they heard about it in another state, the size of the breach was important, but companies are getting better at having someone designated so when we call the switchboard operator and try to find someone who might know about the data breach it is important we have someone to contact and knows the basics of your company’s response, such as the 800 number for consumers to call.”
Kriger said a company will get his office’s attention “if we get a complaint we didn’t know about. Due to resources, we are going to look at the deterrence or strategic value of going after a breach, that is, if it is an example that needs to be made. The attitude of the breach victim is important. If they acknowledge something went wrong and want to protect their customers, that’s going to go further than a company that says ‘I am the victim, this is going to cost a lot of money, what’s the bare minimum I can do to comply with the law and get on with this?’”
Malloy noted that there are a lot of third parties involved in these incidents, so when a third-party vendor doesn’t agree about notice, that is something that is best resolved early.
“It is difficult to convince companies to take proactive measures to put themselves in the best position possible if they are breached, because a lot of companies don’t want to spend money to fix a problem they don’t believe they have experienced yet,” Weinstein said. “Talk to us more about proactive steps a company can take.”
Miller said companies should treat Personally Identifiable Information (PII) as they would a toxic chemical. “In California, if you didn’t take reasonable safeguards under our Unfair Competition Laws we can fine you $2,500 per violation, which can be each individual or, as some argue, each time that a piece of information is exposed.”
Malloy said consumers want to know we are engaged, that we have been contacted. They also want to know the point of breach, not just that they were breached, so they can reconsider where they shop.
Kriger, underscoring the importance of response and attitude, said one company discovered they were breached on a Thursday. The next day they contacted the Secret Service and pulled hard drives from every computer, except one being used in a sting operation. The following Monday the president of the organization called the AG’s office, explained what happened and what they were doing. “We talked for 45 minutes and at the end of that, I said the response ‘looks good.’”
“How important is cyber security insurance?” Weinstein asked.
Miller said that while it is not a factor right now (they do not ask if companies have insurance), “cyber insurance acts as a quasi regulator in that it informs a company what actions to take and what policies to have. That is all very helpful to us and makes our job a lot easier. But,” he said, “if you give an insurance policy to just anybody without doing due diligence and adequate underwriting, that’s not going to be very helpful.”
Malloy echoed Miller’s observations, adding that “insurance measures vulnerabilities, identifies compliance issues, and will help a company to not start thinking about a breach the day it happens.”
Kriger added his hope that a company will provide policies for small businesses, many of which are just trying to stay open.
Weinstein closed by saying he would hope insurance would economically incentivize companies to take proactive measures in order to get coverage or a reduced premium.