[BreachExchange] How Employers Can Become Experts at Data Breaches: Understand the Lingo
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Oct 3 20:12:17 EDT 2017
http://www.jdsupra.com/legalnews/how-employers-can-become-experts-at-55276/
Many human resource professionals may not be familiar with data
security-related terminology. As a result, when an incident occurs there
can be confusion when terms like “security event” or “data breach” are
thrown around. Indeed, one of the most common mistakes made by human
resource professionals is assuming that a situation involves a data breach
because that term is used by others, and then believing that statutory or
contractual obligations that are triggered by a breach must apply.
The problem stems from the fact that many people refer to a “data breach”
loosely as any situation in which data may have been removed from, or been
lost by, an organization. Technically, however, “data breach” is a legally
defined term that typically refers in the United States to a situation
where there is evidence of an unauthorized “acquisition” or “access” to
certain types of sensitive personal information (e.g., Social Security
Numbers, driver’s license numbers, or financial account numbers) that
trigger a legal obligation by an organization to investigate the situation
and to notify employees, consumers, regulators, or business partners. It is
important to realize that many of the situations that are referred to as
“data breaches” in the media, and possibly by others in your organization,
do not in fact meet the legal definition of the term. For the purpose of
clarity, this handbook uses three terms to refer to security situations: a
data security “event,” “incident,” and “breach.”
A. Security Events
A “security event” refers to an attempt to obtain data from an organization
or to a situation in which data might be exposed. Many security events do
not necessarily place the organization’s data at significant risk of
exposure. Although an event might be serious and turn into an “incident” or
a “breach,” many events are automatically identified and resolved without
requiring any sort of manual intervention or investigation and without the
need for legal counsel. For example, a failed log-in that suspends an
account, a phishing email that is caught in a spam filter, or an attachment
that is screened and quarantined by an antivirus program, are all examples
of security events that happen every day and typically do not lead to an
incident or breach.
B. Security Incidents
A “security incident” refers to an event for which there is a greater
likelihood that data has left, or will leave, your organization, but
uncertainty remains about whether unauthorized acquisition or access has
occurred. For example, if you know that an employee has lost a laptop, but
you do not know what information was on the laptop or whether it has fallen
into the hands of someone who might have an interest in misusing data, the
situation would be referred to as a “security incident.” Another way to
think of a security incident is as a situation in which you believe that
electronic data that contains personal information may have been improperly
accessed or acquired.[1] As discussed in this handbook, security incidents
almost always necessitate that you thoroughly investigate to determine
whether personal information was improperly accessed or acquired. Put
differently, companies conduct investigations to determine whether there
is, or is not, evidence that would redefine the “incident” as a “breach.”
Security incidents are attributable to a variety of different
causes—sometimes referred to as “attack vectors.” Approximately 75% are
caused by third parties, with 25% relating to the actions of employees from
within an organization.[2]
C. Security Breaches
As discussed above, a “security breach” or a “data breach” is a legally
defined term. The definition varies depending upon the data breach
notification law that is at issue. As a general matter, however, a security
breach refers to a subset of security incidents where the organization
discovers that sensitive information has been accessed or acquired by an
unauthorized party and that acquisition has created the possibility that an
employee or a consumer might be harmed by the disclosure. In the laptop
example provided above, if you determine that the laptop was stolen and it
contained unencrypted Social Security Numbers (e.g., a spreadsheet of
employee W2 information), the incident would fall under the definition of a
“security breach.” As discussed below, security breaches almost always
dictate that you consider the legal requirements of data breach laws.
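The three-tier vocabulary above is, in practice, a triage decision: given what is currently known about a situation, is it an event, an incident to investigate, or a breach that triggers a notification analysis? The following Python module is an added illustration, not part of the original article or the handbook it quotes. It encodes that decision as a function and runs the article's own scenarios through it (the suspended-account failed log-in, the lost laptop with unknown contents, the stolen laptop holding an unencrypted spreadsheet of W-2 data), plus one case beyond the text: the same stolen laptop with full-disk encryption. The data-category tags, the `SituationReport` structure and the assumption that encrypted data remains an incident pending legal review (mirroring the article's "unencrypted" qualifier rather than any particular statute) are the example's own.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Classification(Enum):
    EVENT = "security event"
    INCIDENT = "security incident"
    BREACH = "security breach"


# Data categories the article names as typically triggering notification duties
# under US breach-notification laws. Assumption: the tag names are our own.
SENSITIVE_DATA_TYPES: Set[str] = {"ssn", "drivers_license", "financial_account"}


@dataclass
class SituationReport:
    """Facts known about a situation at triage time (hypothetical structure)."""
    description: str
    data_may_have_left: bool                           # greater likelihood data has left or will leave
    data_types: Set[str] = field(default_factory=set)  # known categories involved; empty = unknown
    data_encrypted: Optional[bool] = None              # None = not yet determined
    unauthorized_access_confirmed: bool = False        # evidence of access/acquisition by an unauthorized party


def classify(report: SituationReport) -> Classification:
    """Apply the handbook's event / incident / breach vocabulary to what is known."""
    # Event: nothing indicates data has left or will leave the organization
    # (e.g. a failed log-in that suspended an account, a quarantined attachment).
    if not report.data_may_have_left:
        return Classification.EVENT
    # Breach: evidence of unauthorized access/acquisition of legally sensitive,
    # unencrypted personal information. Assumption: encrypted data stays an
    # incident until counsel reviews the applicable statute.
    involves_sensitive = bool(report.data_types & SENSITIVE_DATA_TYPES)
    if (report.unauthorized_access_confirmed
            and involves_sensitive
            and report.data_encrypted is False):
        return Classification.BREACH
    # Otherwise uncertainty remains: an incident that must be investigated.
    return Classification.INCIDENT


# What the article says each tier calls for.
NEXT_STEP = {
    Classification.EVENT: "Log it; automated controls handled it, no investigation required",
    Classification.INCIDENT: "Investigate whether personal information was improperly accessed or acquired",
    Classification.BREACH: "Assess notification obligations under applicable breach laws and contracts",
}


def triage(report: SituationReport) -> Tuple[Classification, str]:
    """Return the classification and the corresponding next step."""
    outcome = classify(report)
    return outcome, NEXT_STEP[outcome]


# Constructed scenarios following the article's examples (not real reports).
FAILED_LOGIN = SituationReport("Failed log-in that suspended an account", data_may_have_left=False)
LOST_LAPTOP_UNKNOWN = SituationReport("Employee lost a laptop; contents unknown", data_may_have_left=True)
STOLEN_LAPTOP_SSN = SituationReport(
    "Laptop stolen; held an unencrypted spreadsheet of employee W-2 data",
    data_may_have_left=True, data_types={"ssn"}, data_encrypted=False,
    unauthorized_access_confirmed=True)
STOLEN_LAPTOP_ENCRYPTED = SituationReport(
    "Laptop stolen; same spreadsheet on a full-disk-encrypted drive",
    data_may_have_left=True, data_types={"ssn"}, data_encrypted=True,
    unauthorized_access_confirmed=True)

if __name__ == "__main__":
    for report in (FAILED_LOGIN, LOST_LAPTOP_UNKNOWN, STOLEN_LAPTOP_SSN, STOLEN_LAPTOP_ENCRYPTED):
        outcome, step = triage(report)
        print(f"{report.description}\n  -> {outcome.value}: {step}")
```

The point of keeping `data_types` and `data_encrypted` as explicit "unknown" values is that an incident is exactly the state where those facts have not yet been established; the investigation the article describes is what moves a report from the incident branch to either the breach branch or back to a closed event.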
If you identify a security breach, you should be cognizant that security
breaches typically impact organizations in a number of ways:
Reputational Cost: A security breach can erode the confidence of employees,
customers, donors, or clients, which can significantly impact sales,
recruitment, and/or the overall reputation of your organization. Often the
indirect cost to the organization from adverse publicity significantly
outweighs direct costs and potential legal liabilities.
Business Continuity Cost: Breaches that create, expose, or exploit
vulnerabilities in network infrastructure may require that a network be
taken off-line to prevent further data-loss. For organizations that rely
heavily on IT infrastructure (e.g., an ecommerce retailer), removing or
decommissioning an affected system may have a direct adverse impact on the
organization.
Competitive Disadvantage: Breaches that involve competitively sensitive
information such as employment compensation, trade secrets, customer lists,
or marketing plans may threaten the ability of your organization to compete.
Investigation Costs: Security incidents involving IT infrastructure may
require the services of a computer forensics expert in order to help
investigate whether a breach has occurred and, if so, the extent of the
breach. Security incidents that involve the potential of insider misconduct
may necessitate an internal investigation in order to determine whether an
employee has committed misconduct.
Contractual Costs: Your organization may be contractually liable to
business partners in the event of a data security breach. For example, a
breach involving a retailer’s electronic payment system will typically
trigger obligations under the retailer’s agreements with its merchant bank
and/or its payment processor. Those obligations may include, among other
things, the assessment of significant financial penalties. As another
example, some outsourcing contracts require companies that provide services
to other companies to pay for the cost to notify impacted individuals and
to indemnify their business partner from lawsuits. In the human resource
context, if your organization is a human resource-related service provider,
a breach of information that has been placed in your custody in order to
provide services could lead to contractual liabilities depending upon the
terms of your service agreement.
Notification Costs: If your organization is required to, or voluntarily
decides to, notify employees of a data security incident, it may incur
direct notification costs relating to identifying applicable data breach
notification statutes and physically printing and mailing notification
letters. Although most statutes do not require organizations to provide
employees with credit monitoring, identity-theft insurance, or
identity-theft restoration services, in some situations, offering such
services at the organization’s own cost has become an industry standard
practice.
Regulatory Costs: A regulatory agency may decide to investigate whether an
organization should have prevented a breach and/or whether an organization
properly investigated and responded to it. In addition, some regulatory
agencies are empowered to impose civil penalties or monetary fines in the
event that they determine the organization’s security practices were
deficient or that an organization failed to properly notify employees,
consumers, or the agency itself in a timely manner. Significant legal
expenses can be associated with a regulatory investigation.
Litigation Costs: While Bryan Cave LLP’s 2016 Data Breach Litigation Report
found that approximately 5% of publicly reported data security breaches
result in the filing of a federal putative class action lawsuit, the vast
majority of suits filed did not relate to breaches involving the loss of
human resource-related data; far fewer HR-related data breaches turn into
litigation.[3] Although most suits have not resulted in a finding of
liability, defense costs and settlement costs can be significant if
litigation is initiated.
TIP: While it may seem like there is no harm in using terms like “data
breach” to describe any event or incident, the term can cause confusion to
employees, others in your organization, or the public who may jump to the
conclusion that you have actually confirmed that sensitive information has
been accessed or acquired by a bad actor. Using the correct terminology
can avoid that problem.