[BreachExchange] How a Massachusetts Decision to Publish Data Breach Info Will Affect Big Law

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 13 18:35:46 EST 2017


http://www.corpcounsel.com/id=1202776704505/How-a-Massachusetts-Decision-to-Publish-Data-Breach-Info-Will-Affect-Big-Law?mcode=120261707&curindex=0&curpage=ALL

The Massachusetts Office of Consumer Affairs and Business Regulation last
week announced that the agency will make information regarding data
breaches affecting the state’s residents going back to 2007 available
online for public viewing.

Updates to the state’s Public Records Law signed into effect last June by
Governor Charlie Baker gave the agency authority to make information of
“significant interest” public. Consumer Affairs Undersecretary John
Chapman, who heads the agency, said in a statement that “the Data Breach
Notification Archive is a public record that the public and media have
every right to view.”

At present, the Data Breach Notification Archive made public by the
decision includes all 10 of the agency’s annual reports, with each
compiling information on the breached organization; date of the breach;
number of state residents affected; and type of breach. Prior to the
announcement, Massachusetts data breach information was available only by
filing a specific public records request with the agency.

Most states require that companies and organizations file notice of data
breaches affecting state residents with the offices of their respective
attorneys general in addition to notifying affected parties, but do not
publish specific data breach information broadly. But Massachusetts is by
no means the first state to make its data breach records public.
California’s data breach notification laws allow public access to both the
data breach notification information received by the state’s attorney
general and the letter that is sent by a compromised government or business
entity to residents affected by its breach. Washington and Oregon both
updated their data breach laws in 2015 and 2016, respectively, to include
requirements for public access for breaches that affect over a certain
number of residents.

Bess Hinson, an associate at Nelson Mullins in the Privacy and Information
Security practice group, said the Massachusetts public archive could make
companies vulnerable to scrutiny from plaintiffs’ attorneys looking for
opportunities for litigation.

“It heightens the litigation risks,” Hinson said. “It changes how we
describe the risks to our clients.”

Chris Dore, a partner at Edelson, said that public data breach databases
may indeed help law firms conduct background research on potential data
security violations on behalf of consumers, especially in trying to
demonstrate patterns of data security negligence, but are not likely to
significantly change the firm’s litigation strategy.

Mauricio Paez, partner at Jones Day, found the potential increase of
plaintiff-side litigation against companies to be less pressing because
recent Supreme Court rulings regarding standing in data breach cases have
set a high bar for demonstrating potential or immediate harm caused by
breaches.

“For those breaches that are candidates for private claims by the
plaintiffs bar, those tend to be the very large breaches, and those are
made public anyway because they’re highly publicized,” Paez noted.

Hinson said that the more pressing concern for companies in the trend
towards public disclosure of data breaches is one of reputation, which can
in turn affect the value of a company, especially going into any expected
mergers and acquisitions. While companies may assume they can avoid public
scrutiny, attorneys would be well served to warn corporate clients of the
risks of trying to conceal data breaches from consumers.

“We have to make it apparent to the company that you can try to fly under
the radar, but this information is online now. Whether or not you put a
notice on your website or tweet about it, it is online and it is publicly
available,” she cautioned.

A potential hiccup in the agency’s decision to make Massachusetts’ data
breach notification archive public is its apparent conflict with the
state’s data breach notification law, which prohibits companies from
notifying affected state residents of the nature of data breaches.
Massachusetts is currently the only state with such a provision in its data
breach notification laws.

Paez noted that attorneys are currently required to file information with
the Massachusetts attorney general’s office describing the nature of the
breach. But because that information will be made publicly available under
this new policy, the attorney may inevitably violate the current data
breach notification law. “That’s not well reconciled,” he said.

Paez further suggested that the Office of Consumer Affairs and Business
Regulation may want to reconsider what information they provide about the
nature of data breaches in order to comply with the current law.

“As they make this information readily available, they may try to think
about the ways that they can make available the details of the incident,”
Paez suggested.

Will Daugherty, counsel at BakerHostetler, said the spirit of the data
breach notification law was likely intended to protect companies from
having to disclose information that would allow potential cyberattackers to
mimic successful breach tactics. But that reasoning falls flat when you
consider what information companies typically provide in their data breach
reporting to the state.

“In practice, when companies describe the nature of the incident, they are
not providing details that would allow a potential hacker to copy-cat,”
Daugherty said.

Daugherty and Paez both suggested that the Massachusetts legislature may
also want to consider making changes to the data breach notification law to
bring it into alignment with the Office of Consumer Affairs and Business
Regulation’s new transparency policy.

In the meantime, Daugherty said attorneys filing data breach notifications
may want to be cautious about the information they provide regarding the
nature of breaches. “There’s some gray area in the law about how much detail
is required in these regulatory notices. Organizations may err on providing
less detail in these notices,” Daugherty said.

“What makes sense is to look at the data breach notification law and to see
if that should be revised so that it could include a description to
individuals about the nature of the breach,” Paez said, adding that most
states already require companies to disclose information to consumers about
the nature of data breaches.

Daugherty, Paez, Hinson, and Dore all suggested that other states are very
likely to adopt similar transparency policies around their data breach
notifications in coming years, especially in light of the multitude of high
profile data breaches in the last year.