[BreachExchange] Less Data Breach Disclosure is Wise, Attorneys Say

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 8 14:18:49 EDT 2016


http://www.bna.com/less-data-breach-n57982076510/

What is a Fortune 500 company to do about informing regulators and
overseers when its network has just been breached, leaking sensitive
customer information, credit card numbers and employee records?

Should they file a Form 8-K with the U.S. Securities and Exchange
Commission, reach out to law enforcement, alert federal and state
regulators, alert valued customers or should they stay quiet until their
internal team fully investigates the matter?

Less disclosure—and in any event disclosure only after what has happened
becomes clear—is probably the best approach, privacy attorneys told
Bloomberg BNA. Trying to hide a breach when there are clear reporting
obligations will displease regulators that may come calling and undermine
consumer trust in your organization.

The questions revolving around what to disclose were what executives of The
Wendy's Co. asked themselves after finding that malware had been discovered
on their point of sale systems. After further investigation, Wendy's opted
to file an 8-K and a press release that warned the breach was
“considerably” larger than originally thought.

Wendy's and other large companies subject to a cyberattack may want to
rethink their approach to data breach disclosures. They should focus on
internal investigations and shoring up their cybersecurity before making
any material disclosures to federal regulators or the public, privacy
attorneys said.

Further, companies should pay attention to mistakes other companies have
made in the past after a data breach.

According to Steven L. Caponi, a corporate and cybersecurity partner at K&L
Gates in Wilmington, Del., companies should seek to avoid the “drip, drip,
drip” of leaked information and make “fewer and more knowledgeable
disclosures to demonstrate that you have the situation under control.”

Companies don't want to end up like Target Corp. (245 PRA, 12/20/13), “the
poster child” of mishandling data breach disclosures, he said.

Target quickly reported a breach of its credit card systems, only to have
to revise upward, more than once, the seriousness of the intrusion, the
number of customers affected, how long the intrusion went undetected and
other matters. Ultimately the chief executive officer of Target was forced
to resign.

When Is a Breach Material?

Some companies that have experienced a data breach have reported the
intrusion to the SEC through an 8-K.

Lisa Sotto, chairman of Hunton & Williams LLP's privacy and cybersecurity
practice, said that companies shouldn't furnish an 8-K when it doesn't
reach the level of a “material breach.”

According to the SEC, companies must file this form under certain
circumstances to announce material events that shareholders should know
about. What is material, however, depends on the type and nature of the
incident a company is reporting.

For data breaches, the SEC hasn't made a definitive ruling as to whether
the loss of personal information in these cyberattacks falls under the
materiality standard. As of now, the SEC has only released guidance that
says companies may want to consider filing an 8-K “to disclose the costs
and other consequences of material” breaches.

Sotto, who is also managing partner of Hunton's New York office, said that
breach materiality depends on what kinds of data are stored and protected
by the company. Before filing an 8-K, a company would want to consider if
personally identifiable information, health care data, financial records
or consumer data was breached, she said.

“There have been very few material breaches” and companies that have filed
an 8-K would have made a “strategic decision” to do so, Sotto said.

Lack of 8-Ks

According to Bloomberg Law data, large consumer-based companies such as The
Home Depot Inc., Target, Wendy's, Anthem Inc. and JPMorgan Chase & Co. have
filed 8-Ks following a data breach.

However, not every company that experiences a data breach reports it in an
8-K or even in a press release. According to a recent Identity Theft
Resource Center report, there were 781 data breaches tracked in 2015 and
many more that went undiscovered. The vast majority of these didn't receive
8-K treatment.

What accounts for the disparity between the number of incidents and the
lack of 8-K filings?

According to Caponi, the lack of filings can be attributed to the
relatively new territory of cyberattacks and breaches. There is “no case
law, judgments, or administrative rulings” that define what is material
for a data breach disclosure, he said.

But the lack of filings may be changing. As more and more companies
experience data breaches, enforcement agencies will issue guidance covering
data breach reporting, Caponi said.

Going forward, the “trend will be to more disclosures occurring in 8-Ks,”
Caponi said. With more and more disclosures, the SEC will eventually issue
more guidance and “that will morph into a rule,” he said.

Crafting the Message

Before a data breach occurs, companies should already be prepared with an
incident response plan that lays out who should take the reins of the
corporate message.

Incident response plans should outline “how to roll out information to law
enforcement, shareholders, affected customers and regulatory agencies,”
Caponi said.

According to Tanya Forsheit, co-chairman of the Privacy & Data Security
group at Frankfurt Kurnit Klein & Selz in Los Angeles, “a good incident
response plan will spell out which team” is responsible for the data breach
reporting. “There is going to be a product manager type who oversees the
whole response and keeps the trains running on time,” she said.

The plan will include people in the company's press department, information
technology department and external consultants that will help contain the
breach, Forsheit said.

Sotto said that in addition to the response plan, one of the first calls a
company should make is to outside counsel to “work with them to obtain a
forensic investigator under privilege.” The outside counsel will be able to
“understand the nature and scope of the compromise” and draw conclusions
that will help when regulatory agencies come knocking, she said.

A clear and concise incident response plan may help companies make a
disclosure that sheds light on the data breach without sharing too much
information.

According to Caponi, the response plan will help companies be “ahead of the
curve.” The plan helps paint a picture with the company as “the victim” and
shows that they are handling the situation appropriately, he said.

Who to Trust?

After a data breach, companies will face a barrage of inquiries from the
press, consumers, directors and, most importantly, federal and state
regulators. The increased focus may influence how much information is
shared and with whom it is shared.

Lawyers differ on which regulators to trust and how open companies should
be with their information.

Sotto said it is important to provide information to both state and federal
regulators “to help them understand what happened and frame the issue
before the media does that for you.” The regulators are “eminently
rational” with how they use a company's data and won't make improper
disclosures, she said.

Caponi said, however, that companies should be hesitant about sharing all
their information with regulators. Although companies should comply with
reasonable information requests from regulators, they shouldn't hand over
all their information wholesale, he said. Certain federal regulators, such
as the “Federal Trade Commission, the SEC and the Federal Communications
Commission are not viewed as a friend of businesses,” he said.

Instead, companies should turn to the “Federal Bureau of Investigation and
the Department of Homeland Security to help deal” with the post-data breach
threats, Caponi said. Law enforcement is a “tremendous resource” and “acts
as a clearinghouse for information before victims are re-victimized.”

When it comes to disclosures, “companies should make sure that it doesn't
impede law enforcement investigations, or impede internal investigations,”
he said. Law enforcement is trying to stop future attacks, and an improper
disclosure could tip off the nefarious actors, Caponi said.

Transparency Builds Trust

There are a number of different disclosure methods, but according to Sotto,
no matter who you share the information with, “transparency is the right way
to go.” Companies must report “sufficient, accurate and materially
complete information without spilling their guts on paper,” she said.

“Losing dollars matters, of course, but losing future dollars and lack of
trust” because you either lied or withheld information from the public or
regulators “hurts even more,” Sotto said.