[BreachExchange] Information Governance Insights: The Data Breach Response: Who Will You Tell?

Destry Winant destry at riskbasedsecurity.com
Mon Jul 3 21:06:14 EDT 2017


http://www.metrocorpcounsel.com/articles/34844/information-governance-insights-data-breach-response-who-will-you-tell

Responding to data breaches can be a tricky business. If not managed
correctly, corporate liability can easily be exponentially compounded.
The key to successfully managing any complex crisis lies in the
planning. It’s important to develop a carefully laid-out process long
before the fire alarms start ringing. Once they do, there’s usually
not much space for thinking of creative solutions. That’s why we map
out our escape routes and post them on the wall for all to see.

Data breach planning is no different. Once counsel gets that call
saying there’s been a security event, many moving pieces must be
carefully and strategically orchestrated. These include notifying
insurance carriers, engaging outside counsel and forensic experts,
managing the internal IT response team, notifying board members and
executives and overseeing public relations damage control with the
media, just to name a few. For breaches involving customer or employee
personally identifiable information (PII), counsel must also determine
the company’s obligation to notify government regulators and the
individuals whose data was stolen, often referred to as the “data
subjects.” This task may seem fairly simple on its face, but it’s
often the most complex part of post-incident breach response –
especially for companies with global footprints.

One of the unique aspects of data privacy laws is that they typically
get triggered not by the storage location of the data – though that’s
sometimes part of the equation – but by the residence of the person to
whom the data pertains. This is equally true both domestically—among
the various U.S. state laws—and internationally. The reason behind it
is that data is highly mobile and governing bodies want to protect the
privacy rights of their citizens regardless of where the data itself
may be stored. Otherwise, data controllers would move data from more
restrictive locations to less restrictive ones and thwart all
protections. The end result for those responding to data breaches is
that even a relatively small set of data can trigger the laws of a
large number of jurisdictions.

Unless a privacy assessment has been conducted in advance, counsel may
have to wait until a forensic investigation is completed before it can
determine which jurisdictions are implicated. Such an investigation
includes listing all of the countries and all of the states where the
data subjects reside. Then, for each, a legal assessment must be
performed to determine which jurisdictions have notification
requirements and whether those requirements have in fact been
triggered.

For example, there’s significant deviation both domestically and
internationally as to what kinds of data constitute personally
identifiable information. Most jurisdictions include in their
definitions people’s names combined with at least one of the
following: home addresses, national identification numbers or account
numbers. Others, but not all, include email addresses, IP addresses
and international mobile equipment identity numbers (IMEIs).
Therefore, it’s important to determine the specific content of the
actual data breached in order to assess whether the definitions of any
specific jurisdictions apply.

Even when a definition does apply, notice requirements still might not
be triggered. Although not the norm, a few jurisdictions in Southeast
Asia have territorial limits to their breach notice requirements. In
those locations, notices may only be required for breaches that occur
within the jurisdictions or for breaches that relate to activities
conducted in the jurisdiction or that specifically target that
jurisdiction’s citizens.

More commonly, jurisdictions worldwide typically have individual
threshold limits that must be reached before notice requirements
trigger. For example, notices may have to be sent to data subjects
only when more than 10,000 records were exposed. Or regulator
notification may be required only when a certain record type is
involved, such as financial or health records. Some jurisdictions may
require that both regulators and data subjects be notified; and in
others, only one or the other. The required content and form of
notices also vary greatly – from public notice in a newspaper, to
emails, to written letters.

Those are just a few of the many issues that need consideration in
order to tackle breach-notice requirements. Combine them with all the
other issues involved and the benefits of advanced planning should be
obvious. This is especially true because time will also be working
against you: the initial forensic analysis will likely take several
weeks, and the legal analysis will likely take even longer. Yet, at
the same time, the clock will be ticking against the timeliness
requirement stipulated by most notification regulations.

For example, in April New Mexico became the 48th state to enact a data
breach notification law – leaving Alabama and South Dakota as the two
states that lack requirements. Under that law, notice must be made to
the attorney general, New Mexico residents and consumer reporting
agencies within 45 calendar days of discovery of a security breach –
if over 1,000 residents are impacted. However, the notice requirement
is waived if an investigation determines that the event does not give
rise to a significant risk of identity theft or fraud. This
essentially leaves companies with less than 45 days to complete their
full investigation and impact assessment, unless they have taken steps
to plan for such an event in advance.

This is one more reason why those who are prepared will fare the best.
Including breach response planning in your routine privacy
assessments, and understanding your potential notice requirements
before a breach occurs, will save you a lot of headache pills when
your breach day comes.
