By: Elizabeth C. Rogers, Greenberg Traurig, LLP.
A data breach occurs when sensitive, protected, and/or confidential information is stolen, accessed, or used without authorization. The information may include an individual’s personally identifiable information (PII), protected health information (PHI), cardholder data, or a business’s trade secret or other confidential information.
When a data breach occurs, whether by negligent or malicious acts of employees or third parties, the response must be comprehensive and prompt. The development of a data breach avoidance plan is recommended in order to minimize risk. Such a plan will identify data content and implement management policies and employee training programs, as well as create an incident response team and a 48-hour action plan. A data breach response plan more specifically addresses measures to take in the event of a breach, including the responsibilities of a data breach response team and all obligations that might arise as required by federal or state law, or otherwise. The costs to businesses that suffer a data breach are substantial and include expenses incurred for detection and notification, economic losses due to loss of customer trust, class action lawsuits, and penalties imposed by regulators. Notification to affected customers must comply with the rules of the states where they live and/or operate.
A data breach may arise under a variety of circumstances, such as:
Regardless of the cause of a data breach, the response must be prompt and effective.
This article discusses how organizations should both plan for and manage a data breach, including best practices for creating data breach avoidance and response plans, the benefits of such plans, and the importance of promptly notifying individuals affected by a data breach.
It is crucial to have data breach avoidance and response plans in place long before a breach actually occurs. Such plans may help a business minimize security vulnerabilities, thus making a breach less likely, and may also:
Lowers the Cost of a Data Breach
The costs of a data breach are not trivial. In its 10th annual benchmark study, the 2015 Cost of Data Breach Study: United States, Ponemon Institute examined the impact of data breaches incurred by 62 U.S. companies in 16 industry sectors. According to the study, malicious or criminal attacks (rather than negligence or system glitches) continue to be the main cause of data breaches, with the average total cost of a breach increasing 11%, from $5.9 million in 2014 to $6.5 million in 2015. Lost business costs have also increased, from $3.32 million in 2014 to $3.72 million in 2015. Creating data breach avoidance and response plans, and updating or adjusting such plans when necessary, may help businesses to mitigate these costs or to avoid them altogether.
Reduces the Risk of Litigation
A number of state data breach statutes either explicitly allow for a private right of action or have been interpreted as such by the courts. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014). This creates the opportunity for class action lawsuits, which typically allege that a business failed to provide timely notice of a breach, as required by the relevant state laws. Such lawsuits may also allege a number of other claims, such as breach of fiduciary duty, negligence, breach of an express or implied contract, unjust enrichment, invasion of privacy, and unfair and deceptive business practices. For a more detailed discussion on state data breach statutes, see State Statutory Laws Regarding Data Breaches. Having a robust data breach avoidance and response policy—including developing and maintaining adequate policies and procedures for safeguarding personal information, staying abreast of the current legal landscape, revising or updating data security policies and procedures as necessary, and promptly notifying individuals affected by a breach—can help minimize the occurrence and negative consequences of data breaches and thus the risk of litigation.
Minimizes Regulatory Scrutiny
The Federal Trade Commission (FTC) has brought a number of enforcement actions against companies in connection with data breaches—not only for failing to stop a breach, but for failing to put in place adequate measures to avoid breaches (even if no actual breach occurred). In 2014 alone, the FTC brought cases against Snapchat, Inc.; Fandango, LLC; and Credit Karma, Inc. (in connection with their mobile apps); GMR Transcription Services; GeneLink, Inc. and foru International Corp.; Wyndham Worldwide Corp. and three of its subsidiaries; and Verizon. The Third Circuit has upheld the FTC’s authority to regulate cybersecurity under the “unfairness” prong of Section 5 of the FTC Act, 15 U.S.C. § 45(a). See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
Various other federal regulators have been active in the cybersecurity space as well, such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the Food and Drug Administration (FDA), and the Federal Communications Commission (FCC). In addition, state attorneys general have the authority to enforce state statutes, and recently they have focused their attention on doing so. For example, state attorneys general have been active in breaches involving Target Corp.; Neiman Marcus Group LTD; Michaels Stores, Inc.; Home Depot, Inc.; JPMorgan Chase & Co.; TD Bank; and Zappos.com.
Given regulators’ increased focus on the cybersecurity practices of companies within their jurisdiction and the heightened risk of cyberattacks, it is crucial to have effective data breach avoidance and response plans that are regularly tested and updated to account for changes in the cybersecurity landscape. Such proactive measures may reflect favorably on businesses in the event of regulatory scrutiny, giving them valuable negotiating leverage with both state and federal regulators.
The chances are increasingly high that at least one data security incident will affect every organization at some point in time. In order to be prepared for the inevitable, a business should proactively develop both:
A data breach avoidance plan can help a business minimize vulnerabilities and prevent circumstances that lead to data loss, significant regulatory fines, litigation expenses, and brand damage. As part of a comprehensive data breach avoidance plan, a business should:
Each of these issues is discussed in further detail below.
Create a Data Map
The first step in creating an effective data breach avoidance plan is to create a data map of all the data collected by an organization. The data map should contain detailed information about each piece of data, including:
Data maps are typically created by privacy or compliance professionals who are proficient with the use of Visio (or similar diagramming software), with input from lead stakeholders in an organization. They illustrate how information flows through the organization and are a critical starting point for ensuring compliance with applicable privacy laws and regulations.
Assess and Document Relevant Laws, Regulations, and Industry Standards
Once an organization has created a data map, it should next assess and document which laws, regulations, and industry standards apply to each piece of data. The organization should then put policies and procedures in place to ensure compliance with such laws, regulations, and standards.
Categorize the Data
After creating a data map, an organization should next create a Data Classification System that categorizes the data based on its sensitivity and the legal impact to the organization in the event of a breach. Examples of data classification include:
Data classification will aid an organization in assigning the proper security controls to each category of data and will provide the skeletal framework, so to speak, for the rest of an effective data breach avoidance plan.
Implement Data Security Safeguards
Many organizations only focus on servers and databases when it comes to data security safeguards. However, much of the confidential and sensitive data that an organization maintains is in the form of paper and/or is stored in open areas that are densely populated with all levels of employees. It is therefore critical that a company establish an information security and privacy framework that involves the same degree of protection for both physical and electronic data.
This framework should be set forth in written policies and procedures. The organization should internally review and update such policies and procedures as necessary and retain a third-party consultant for periodic assessments. All changes should be thoroughly documented.
Data protection and management measures may include:
Note that many state data breach notification laws contain exemptions for encryption, while others affirmatively require encryption in defined circumstances.
Adhere to Any Data Security Representations
Companies often make representations pertaining to data security in written privacy policies, terms of service, and other consumer-facing and/or end-user-oriented statements. If your client has made such a representation, it must ensure that all data is protected and handled in accordance with that representation. Failure to do so may lead to an enforcement action by the Federal Trade Commission (FTC) and/or regulatory scrutiny.
Assess Relationships with Third-Party Vendors
An organization may be vicariously liable for data breaches affecting third-party vendors, contractors, and consultants who collect, store, use, or access the business’s data. It is therefore critical to assess your client’s existing relationships with third-party vendors, to conduct due diligence of potential vendors’ data security and privacy practices, and to include appropriate protections in any contractual agreement.
For existing third-party vendors, determine whether the relevant contracts address:
For future dealings with third-party vendors, your client should consider a rigorous due diligence program that includes a thorough review of the third party’s information security and privacy policies, practices, and procedures. Lax security and privacy practices may raise a red flag and persuade the client to choose a different vendor.
If your client decides to proceed with a particular vendor, you should ensure that essential and appropriate contractual terms (such as those listed above) are included in the agreement. The client may also wish to require the third party’s participation in an annual security awareness training program that it conducts (or one that is equivalent).
Consider Purchasing Cyber Insurance
A final important element of a data breach avoidance plan is the consideration of insurance. Your client should determine whether and to what extent its existing insurance policies cover data breaches or other cybersecurity incidents and consider purchasing cyber insurance (if not already owned). Note that cyber policies and premiums vary widely among insurers. If your client decides to purchase cyber insurance, it should be prepared to negotiate for coverage that adequately accounts for the cyber risks faced by the organization.
In addition to a data breach avoidance plan, an organization should also create a data breach response plan that thoroughly details how the organization will respond to a data breach and the requisite timelines. For many businesses, having a data breach response plan is part of business continuity planning, disaster recovery planning, and/or risk management.
The response plan should be prepared by the internal and external stakeholders who will be involved in the ultimate response efforts according to the organization’s RACI chart (i.e., who is Responsible, Accountable, Consulting, or Informed), including executives and managers of departments that will play a key role in response efforts. The response plan should also be reviewed by one or more members of the board of directors.
Broadly speaking, the data breach response plan should include the categories of data that the business has a duty to protect, the roles and responsibilities of the data breach response team, an internal and external communication plan, the detailed steps required by applicable state and federal laws that require notification, and other obligations that would apply in the case of a breach.
To create a comprehensive data breach response plan, a business should:
Assemble a Response Team
The business should assemble a data breach response team tasked with ensuring an efficient and effective response in accordance with the plan. The data breach response plan should clearly define the roles and responsibilities of each team member. The data breach response team should include the following individuals:
Incident lead. The incident lead should have extensive familiarity with the organization’s network and system security, such as the chief information security officer, and should be tasked with the following responsibilities:
IT representatives. The IT representatives should identify the root causes of the breach and secure the system, including securing machines, taking infected machines offline, and preserving evidence. These individuals may also work with a forensics firm to identify the compromised data and delete any data-compromising tools.
Legal and privacy representatives. The legal and privacy representatives should assist in directing the data breach response and notification efforts and help minimize the risk of litigation and penalties. These individuals should be tasked with the following responsibilities:
Public relations representatives. The public relations representatives should be tasked with the following responsibilities:
HR representatives. The HR representatives should direct employees to forward questions received from the public regarding the data breach to the company’s public relations or communications department.
Customer service representatives. The customer service representatives should staff a data breach hotline or respond to website inquiries from customers and/or employees.
Outline Steps That Each Team Member Should Take Following a Breach
The business should outline steps for the relevant team members to take following the report of a suspected data breach, including the following critical actions:
Determine Which Roles Might Be Considered Key Witnesses
The business should determine which roles would likely be considered key witnesses in any state or federal regulatory proceedings or litigation. The individuals who occupy these roles will need to be appropriately prepared to speak on the company’s behalf and know the protocol for responding to questions.
Compile a List of Outside Vendors
The business should compile a list of outside vendors or entities that the organization may need to immediately engage in the event of a breach. Such vendors or entities may include:
Your client should carefully consider whether to provide fraud or credit monitoring services to victims of a data breach, because offering such services may weigh in favor of finding standing in a class action lawsuit. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). Note also that some states (e.g., Connecticut and California) require companies to provide free credit monitoring services to data breach victims in specific circumstances.
Test the Response Plan Regularly
The business should test the response plan on a regular and frequent basis (e.g., tabletop exercises or drills with key stakeholders on at least an annual, if not quarterly, basis) and make adjustments as necessary.
Assess and Document the Effectiveness of the Plan Post-Breach
The business should assess and document the effectiveness of the response plan and any mitigation efforts post-breach and determine what, if any, changes should be made to the response plan to be better prepared for future breaches.
Ensure the Data Breach Avoidance and Response Plans Remain Current
Avoiding and responding to a data breach does not end with the creation of data breach avoidance and response plans. Rather, businesses must continuously ensure that the plans remain current by evaluating and updating IT security processes, employee security awareness, and representatives on the data breach response team. Businesses should also monitor and stay abreast of any changes in state and federal laws related to data breach notification requirements or other legal obligations.
After a data breach, it is imperative for a business to act quickly and decisively to regain security of the data, preserve evidence, and protect its reputation with customers. As an initial step, where a business has designated a response team, that team should be notified immediately, and the response plan activated. In particular, it is critical (whether the business has a formal response plan or not) to:
The United States does not have a uniform data breach notification law. Therefore, in the event of a data breach, businesses must rely on an amalgamation of state-by-state requirements, and in some instances, federal industry-specific requirements. Mishandling notifications can lead to severe consequences such as fines, reputational damage that leads to the loss of customer loyalty and potential revenue, and regulatory scrutiny and/or enforcement actions.
A total of 47 states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have statutes governing data breach notification requirements (Alabama, New Mexico, and South Dakota do not). While data breach notification statutes vary by state, most states generally require a business to send a letter to each data breach victim in the state where the victim resides.
A useful way to streamline the notification process is to draft a general breach notification that covers the requirements common to most states' laws. The letter can then be tailored to follow the individual notification rules of each particular state to which it is sent, as well as to include the relevant requirements under applicable federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Elizabeth C. Rogers is a shareholder in Greenberg Traurig’s Cybersecurity, Privacy, and Crisis Management practice group. Formerly, she served as the first Chief Privacy Officer in Texas state government. Her practice includes supporting breach responses, privacy risk assessments, and technology transactions across industry.
For a more detailed discussion on data breach notification, see Chart – Overview of State Data Breach Laws.
For drafting advice on preparing a breach notification letter, see Sample Breach Notification Letter.
For more information on privacy policies and the laws and regulations applicable to such policies, see Drafting Privacy Policies.