Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
Retail businesses look forward to the holiday season as the pinnacle of their annual sales, with a strong finish spelling success for the coming year. With millions of transactions processing per day, the holidays present a ripe opportunity for hackers to breach corporate systems and steal valuable customer data.
This nightmare scenario became a reality for a large retailer in 2013 when a data breach exposed personal and financial information for more than 70 million customers. It resulted in major financial losses for the retailer1, a loss of consumer confidence in the company and exposure to legal liability from regulators and consumers for harms resulting from the breach.
“Your organization will experience a (data) breach at some point,” said John Kropf, a deputy privacy and information governance professional now with the Information Accountability Program. Before that Kropf served for the U.S. Department of Homeland Security, the U.S. Department of State and LexisNexis parent company Reed Elsevier. Kropf recently spoke on a LexisNexis® Webinar with David Katz, partner at Nelson, Mullins, Riley & Scarborough, Oliver Brew, Vice President of Professional, Privacy and Technology Liability (insurance underwriters specializing in data breach) and Adam Miller, Supervising Deputy for the Privacy Enforcement and Protection Unit of the California Attorney General’s Office.
This presentation, “Mitigating the Existential Risk of Data Breach,” offered practical insights for lawyers to advise clients on data privacy issues such as:
While data breaches are an inevitable risk of doing business, the insights shared on the Webinar can help any company prepare, respond and limit liability for potential breaches of data security.
Planning: Comprehensive Data Breach Controls and Procedures
“Think of data privacy like your health,” Kropf said. Companies with good data privacy habits are in better shape to survive a breach. He suggested a proactive approach over a reactive one, involving buy-in from stakeholders, dedicated resources and the establishment of a data privacy protection culture. Senior leadership commitment to investing in ongoing data breach prevention enhances incident responsiveness and competence.
The following preparation steps, he said, are essential to prevention and proper response:
Inventory & Review—conduct initial data audits and establish regular oversight and risk mitigation assessment and review.
Roles & Responsibilities—assign roles to a dedicated response team and prepare communication templates that can be customized and deployed; the team usually consists of people from the following departments:
Policies & Training—document all policies to address legal obligations, and establish ongoing training programs for anyone with access to company systems (e.g. former employees, contractors, vendors).
Investing resources in breach prevention should be a top priority. Hackers only need a single point of entry to wreak havoc on your systems. Investigators traced the large retailer’s data breach of 2013 to a refrigeration contractor who had an e-Billing link into the retailer’s computer systems. With so many data breach vulnerabilities, proactive organizations are better equipped to deal with threats.
Situational Management: What Should You Do When a Data Breach Happens?
“The Chinese symbol for ‘Crisis’ is a combination of the two symbols for Danger and Opportunity,” said David Katz. Good data response plans prepare companies to handle the dangers and seize the opportunities. The following steps illustrate an ideal approach in the event of a data breach.
Step 1: Gather Facts
Data breach plans require assembly of a dedicated team with assigned roles. After breach discovery the CTO and CIO usually lead fact-finding efforts, the legal department reviews results and a report is prepared outlining such things as:
Katz went on to say that companies get into trouble when they have not figured out how and what to communicate to the public and the media. Data breaches take on a life of their own when they become news. Each communication you generate becomes part of a record that can either be used against you or assist the investigation. Know how you will communicate and whether outside help is needed to do so. Especially consider hiring outside counsel to protect privilege and bring a fresh perspective to the risk response team.
Step 2: Activate the Response Team
A data breach chain of command allows for rapid response and informed decisions to be made on the fly, Katz said, while balancing the needs of different departments (legal, marketing, PR and executive level).
Proactive companies take action on the following items:
The legal department plays a crucial role in determining the company’s notification obligations. Data notification statutes exist in 46 states, Washington, D.C., Puerto Rico, Guam and the U.S. Virgin Islands. There are common pieces present in most of them, such as notification obligations for breach of personally identifiable information, or PII, but different jurisdictions may define PII differently, require notice sooner than others and obligate companies to act as a result of certain triggers. The diversity among jurisdictions includes:
Since the response team wants to shoot for sending out fewer notifications while covering all the bases, it’s best to account for all the jurisdictional variations ahead of time.
Step Three: Communicating the Breach
You should be prepared to explain your actions to stakeholders, shareholders, customers, regulators, insurance underwriters and the media. The entire decision-making process will come under scrutiny, and the utmost sensitivity and attention must be paid to the record being made so you can say with certainty that you did everything in your power to prevent the breach, respond appropriately and swiftly, and mitigate risk to the customer.
Some best practices for communicating a breach include:
Most important: ACT NOW. Companies should not wait to create a response plan. Budget for it and invest in data breach protections and procedures, while making data privacy best practices a part of your company’s culture. The benefits far outweigh the costs incurred, and trying to limit liability on the fly often misses the mark.
Limiting Liability: Insurance and Regulatory Compliance
Potential liability for a data breach triggers when there has been “personal and advertising injury” which materialized as “oral or written publication, in any manner, of materials that violate a person’s right of privacy.”2
Standard insurance does not affirmatively cover privacy risks and data breaches, as they fall into an area of “cyber risk” that many carriers exempt from their commercial general liability policies. To ensure maximum protection, companies should seek out cyber insurance coverage for both first- and third-party liabilities.
First-party coverage addresses loss resulting from:
Third-party coverage addresses loss resulting from:
Many risk factors are considered during the application process to provide appropriate coverage at the right cost. Industry and company size play major roles in this decision. For example, companies dealing in health and finance present much greater risk than companies dealing in logistics or mining; larger companies with many systems, employees and third-party providers have greater system vulnerability and access points for intrusion.
Underwriters also consider the universe of data at risk, which can be larger and sensitive even for smaller companies, such as Silicon Valley companies dealing in niche software, online services and social media. The existence of risk management teams, processes and technology, as well as your history of data protection and incident response, all play into the coverage determination. Finally, underwriters may conduct “penetration tests” simulating a breach to determine your company’s level of risk, and compare all findings to industry risk benchmarks, which can affect the policy cost.
Clear lines of communication with the insurer helps control costs and maintain best practices. You should notify the insurer whenever you suspect or detect a breach. There is a possibility that your premiums will increase should additional vulnerabilities come to light, but few companies can afford to isolate insurers until a crisis explodes, especially if they ever wish to obtain coverage after the dust settles.
Data Breach Regulation: Protecting Consumers From Harm
When a data breach happens, regulators want companies to notify consumers ASAP to prevent harm. “Once you can identify some of your customers who have been affected, you should start telling people,” said Adam Miller, deputy attorney general for the Privacy Enforcement and Protection Unit in California.
He explained that regulators want to see companies putting consumer needs before or on par with the need to protect the business. Companies that notified consumers quickly about a breach, maintained systems and processes to prevent it, and collaborated with the Attorney General’s Office to protect the public fare much better legally than companies who tried to avoid an investigation by invoking ACP or other suppression mechanisms.
Miller suggests that companies publish data breach notices in plain English. They should use as many channels of distribution as possible, such as web and media notices, direct consumer outreach and collaboration with the AG to minimize the risk of consumer harm.
“Assume you are a target,” Miller said, because failure to prepare for a breach intensifies legal consequences. When it comes to data breach, it is not a question of “if” but “when.” Companies that implement comprehensive data protection and response plans, carry cyber insurance to limit liability and collaborate with consumers, underwriters and regulators in the event of a breach stand a much better chance of surviving a data breach.