
When Hackers Attack: Mitigating the Existential Data Breach Risk

Retail businesses look forward to the holiday season as the pinnacle of their annual sales, with a strong finish spelling success for the coming year. With millions of transactions processing per day, the holidays present a ripe opportunity for hackers to breach corporate systems and steal valuable customer data.

 

This nightmare scenario became a reality for a large retailer in 2013 when a data breach exposed personal and financial information for more than 70 million customers. It resulted in major financial losses for the retailer1, a loss of consumer confidence in the company and exposure to legal liability from regulators and consumers for harms resulting from the breach.

 

“Your organization will experience a (data) breach at some point,” said John Kropf, a privacy and information governance professional now with the Information Accountability Program. Before that, Kropf served at the U.S. Department of Homeland Security, the U.S. Department of State and LexisNexis parent company Reed Elsevier. Kropf recently spoke on a LexisNexis® Webinar with David Katz, partner at Nelson Mullins Riley & Scarborough; Oliver Brew, Vice President of Professional, Privacy and Technology Liability (insurance underwriters specializing in data breach); and Adam Miller, Supervising Deputy for the Privacy Enforcement and Protection Unit of the California Attorney General’s Office.

 

This presentation, “Mitigating the Existential Risk of Data Breach,” offered practical insights for lawyers to advise clients on data privacy issues such as:

  • Planning: how to implement a data privacy plan and response to breach
  • Situational management: how to respond to a data breach
  • Limiting liability: how to secure cyber risk insurance and minimize the need for regulator intervention after a data breach

 

While data breaches are an inevitable risk of doing business, the insights shared on the Webinar can help any company prepare, respond and limit liability for potential breaches of data security.

 

Planning: Comprehensive Data Breach Controls and Procedures

 

“Think of data privacy like your health,” Kropf said. Companies with good data privacy habits are in better shape to survive a breach. He suggested a proactive approach over a reactive one, involving buy-in from stakeholders, dedicated resources and the establishment of a data privacy protection culture. Senior leadership commitment to investing in ongoing data breach prevention enhances incident responsiveness and competence.

 

The following preparation steps, he said, are essential to prevention and proper response:

 

Inventory & Review—conduct initial data audits and establish regular oversight and risk mitigation assessment and review.

  • What kind of data do you have, how sensitive is it (e.g. health, financial) and what protections are currently in place?
  • Where does it reside, who has custody over it and who can access it?
  • Which laws apply to your data (e.g., HIPAA, FCRA), what potential legal liabilities do they create for the company, and what kinds of policies and protections are needed to mitigate harms?
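The inventory questions above (what data, how sensitive, where it lives, who can read it) are usually answered by a scan rather than by asking people. The following is an added example, not code from the webinar or from LexisNexis: a small Python scanner that walks a directory, classifies each file by the most sensitive data type found in it, validates candidate card numbers with the Luhn check to cut false positives, and reports the file's POSIX read permissions as a first cut at "who can access it". The detector patterns, sensitivity labels and the sample files are constructed here for illustration.

```python
"""Minimal data-inventory scan: which files hold sensitive data, and who can read them.

Added example, not from the webinar or LexisNexis. Sample files are constructed
in a temp directory; the patterns and sensitivity labels are assumptions.
"""
import os
import re
import stat
import tempfile
from collections import Counter

# Detector patterns (assumed, illustrative): candidate card numbers, US SSNs, emails.
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Sensitivity label per data type and a ranking to pick the highest per file (assumed).
SENSITIVITY = {"card_number": "financial", "ssn": "identity", "email": "contact"}
RANK = {"financial": 3, "identity": 2, "contact": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a regex hit that fails it is almost never a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count validated hits per data type in a blob of text."""
    hits = Counter()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card_number":
                digits = re.sub(r"[ -]", "", m.group(0))
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue
            hits[name] += 1
    return hits


def access_summary(path: str) -> str:
    """Coarse 'who can read it' from POSIX mode bits."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def inventory(root: str) -> list:
    """Walk root; return one record per file that holds sensitive data, most sensitive first."""
    records = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = classify_text(fh.read())
            except OSError:
                continue            # unreadable file: skip, but a real audit would log it
            if not hits:
                continue
            label = max((SENSITIVITY[k] for k in hits), key=RANK.__getitem__)
            records.append({
                "path": os.path.relpath(path, root),
                "sensitivity": label,
                "hits": dict(hits),
                "access": access_summary(path),
            })
    return sorted(records, key=lambda r: -RANK[r["sensitivity"]])


def demo() -> list:
    """Build a small tree of constructed sample files and inventory it."""
    root = tempfile.mkdtemp()
    samples = {
        "billing/export.csv": "name,card\nA. Customer,4111 1111 1111 1111\n",  # Luhn-valid test number
        "hr/roster.txt": "J. Doe 123-45-6789 jdoe@example.com\n",
        "ops/readme.txt": "Nothing sensitive. Ticket 1234567890123 is an order id.\n",  # fails Luhn
    }
    for rel, body in samples.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "billing/export.csv"), 0o644)  # world-readable card data: a finding
    os.chmod(os.path.join(root, "hr/roster.txt"), 0o600)
    return inventory(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The output is the raw material for the inventory: a world-readable export holding card numbers ranks above an owner-only HR roster, and the 13-digit ticket id is dropped because it fails the Luhn check. A production scan would add file ownership, database and SaaS sources, and the applicable statute per data type, but the shape of the record (what, how sensitive, where, who can read it) is the one the questions above ask for.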

 

Roles & Responsibilities—assign roles to a dedicated response team and prepare communication templates that can be customized and deployed; the team usually consists of people from the following departments:

  • CIO and CTO—data breach prevention, detection and security
  • Legal—crisis management, legal holds, and notifications to underwriters and regulators
  • HR, PR and Marketing—internal communications, external communications and reputation management  

 

Policies & Training—document all policies to address legal obligations, and establish ongoing training programs for anyone with access to company systems (e.g. employees, contractors, vendors). Access still held by former employees is a finding to fix by revoking it, not a training audience.

 

Investing resources in breach prevention should be a top priority. Hackers only need a single point of entry to wreak havoc on your systems. Investigators traced the large retailer’s 2013 data breach to a refrigeration contractor that had an e-billing link into the retailer’s computer systems. With that many potential entry points, including third-party connections, proactive organizations are better equipped to deal with threats.

 

Situational Management: What Should You Do When a Data Breach Happens?

 

“The Chinese symbol for ‘Crisis’ is a combination of the two symbols for Danger and Opportunity,” said David Katz. Good data response plans prepare companies to handle the dangers and seize the opportunities. The following steps illustrate an ideal approach in the event of a data breach.

 

Step 1: Gather Facts

 

Data breach plans require assembly of a dedicated team with assigned roles. After breach discovery the CTO and CIO usually lead fact-finding efforts, the legal department reviews results and a report is prepared outlining such things as:

  • What is the scope of the breach (how many systems, which data types, etc.)?
  • What facts and communications does the attorney-client privilege attach to?
  • What facts should be disclosed to prevent harm to consumers and to whom?

 

Katz went on to say that companies get into trouble when they have not figured out how and what to communicate to the public and the media. Data breaches take on a life of their own when they become news. Each communication you generate becomes part of a record that can either be used against you or assist the investigation. Know how you will communicate and whether outside help is needed to do so. Especially consider hiring outside counsel to protect privilege and bring a fresh perspective to the risk response team.

 

Step 2: Activate the Response Team

 

A data breach chain of command allows for rapid response and informed decisions to be made on the fly, Katz said, while balancing the needs of different departments (legal, marketing, PR and executive level).

 

Proactive companies take action on the following items:

  • Identify and empower a breach response team
  • Establish the privilege
  • Investigate and preserve the evidence
  • Involve technology and forensic experts as needed
  • Prevent further exposure of data
  • Develop a communications plan
  • Contact the insurance carrier
  • Analyze notification obligations promptly

 

The legal department plays a crucial role in determining the company’s notification obligations. Data breach notification statutes exist in 46 states, Washington, D.C., Puerto Rico, Guam and the U.S. Virgin Islands. Most share common elements, such as a duty to notify when personally identifiable information (PII) is breached, but jurisdictions differ in how they define PII, how quickly notice is required and what events trigger the obligation. The diversity among jurisdictions includes:

  • 26 states define PII more broadly than the common baseline
  • 3 states trigger notice on unauthorized access alone
  • 39 states require a risk-of-harm analysis
  • 17 states require notice to the Attorney General
  • 7 states require notice within a set time frame
  • 17 states permit a private cause of action
  • 42 states have a safe-harbor exemption for encrypted data

 

Since the response team wants to send as few notifications as possible while still meeting every obligation, it is best to map the jurisdictional variations ahead of time rather than during the incident.

 

Step 3: Communicating the Breach

 

You should be prepared to explain your actions to stakeholders, shareholders, customers, regulators, insurance underwriters and the media. The entire decision-making process will come under scrutiny, and the utmost sensitivity and attention must be paid to the record being made so you can say with certainty that you did everything in your power to prevent the breach, respond appropriately and swiftly, and mitigate risk to the customer.

 

Some best practices for communicating a breach include:

  • Prepare scripts for both public and internal communications that can be tailored to the facts of the breach.
  • Create as much transparency as you can, communicating the agreed upon messages with employees, business partners and even customers unaffected by the breach (this is a proactive approach).
  • Set up a call center to handle inquiries, dedicated web pages and mini-sites devoted to educating the public about what happened, how it may affect them and what they can do to minimize the risk of harm—data collected from inquiries will also help in risk mitigation for the company.
  • Practice the breach response plan in data breach simulations and training so employees and response team members are familiar with each other.

 

Most important:  ACT NOW. Companies should not wait to create a response plan. Budget for it and invest in data breach protections and procedures, while making data privacy best practices a part of your company’s culture. The benefits far outweigh the costs incurred, and trying to limit liability on the fly often misses the mark.

 

Limiting Liability: Insurance and Regulatory Compliance

 

Potential liability for a data breach triggers when there has been “personal and advertising injury” which materialized as “oral or written publication, in any manner, of materials that violate a person’s right of privacy.”2

 

Standard insurance does not affirmatively cover privacy risks and data breaches; they fall into an area of “cyber risk” that many carriers exclude from their commercial general liability policies. To ensure maximum protection, companies should seek out cyber insurance coverage for both first- and third-party liabilities.

 

First-party coverage addresses loss resulting from:

  • Breach notification and services
  • Data restoration, recreation and systems restoration
  • Public relations and business interruption

 

Third-party coverage addresses loss resulting from:

  • Breach liability (civil and regulatory)
  • Network security liability (viruses and malware)
  • Media liability

 

Many risk factors are considered during the application process to provide appropriate coverage at the right cost. Industry and company size play major roles in this decision. For example, companies dealing in health and finance present much greater risk than companies dealing in logistics or mining; larger companies with many systems, employees and third-party providers have greater system vulnerability and access points for intrusion.

 

Underwriters also consider the universe of data at risk, which can be large and sensitive even for smaller companies, such as Silicon Valley companies dealing in niche software, online services and social media. The existence of risk management teams, processes and technology, as well as your history of data protection and incident response, all play into the coverage determination. Finally, underwriters may commission “penetration tests” (authorized attempts to find exploitable weaknesses in your systems) to gauge your company’s level of risk, and compare all findings to industry risk benchmarks, which can affect the policy cost.

 

Clear lines of communication with the insurer help control costs and maintain best practices. You should notify the insurer whenever you suspect or detect a breach. Your premiums may increase should additional vulnerabilities come to light, but few companies can afford to keep insurers in the dark until a crisis explodes, especially if they ever wish to obtain coverage after the dust settles.

 

Data Breach Regulation: Protecting Consumers From Harm

 

When a data breach happens, regulators want companies to notify consumers ASAP to prevent harm. “Once you can identify some of your customers who have been affected, you should start telling people,” said Adam Miller, deputy attorney general for the Privacy Enforcement and Protection Unit in California.

 

He explained that regulators want to see companies putting consumer needs before, or on par with, the need to protect the business. Companies that notified consumers quickly about a breach, maintained systems and processes to prevent it, and collaborated with the Attorney General’s Office to protect the public fare much better legally than companies that tried to avoid an investigation by invoking attorney-client privilege or other suppression mechanisms.

 

Miller suggests that companies publish data breach notices in plain English. They should use as many channels of distribution as possible, such as web and media notices, direct consumer outreach and collaboration with the AG to minimize the risk of consumer harm.

 

“Assume you are a target,” Miller said, because failure to prepare for a breach intensifies legal consequences. When it comes to data breach, it is not a question of “if” but “when.” Companies that implement comprehensive data protection and response plans, carry cyber insurance to limit liability and collaborate with consumers, underwriters and regulators in the event of a breach stand a much better chance of surviving a data breach.

 

1 http://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=1

2 http://www.lexisnexis.com/legalnewsroom/insurance/b/cyberinsurance/archive/2014/02/24/the-target-data-breach-some-preliminary-thoughts-on-coverage-the-great-connecticut-coincidence-and-the-real-insurance-impact.aspx