
Ten ways to prevent a data breach from Breaching a Budget



DAVID ZETOONY

David Zetoony is an attorney at Bryan Cave LLP in Washington D.C. He practices antitrust and consumer protection litigation and, over the past five years, has assisted dozens of companies to respond to data security breaches, and investigations that result from data security breaches. He may be contacted at david.

Published in the May 2009 issue of Privacy & Data Security Law Journal. Copyright ALEXeSOLUTIONS, INC.

With data breaches a fact of life for many companies today, the author provides a 10-point checklist, which includes steps a company can take before a breach occurs, immediately after a breach occurs, and well after a breach occurs, designed to lower the cost of responding to data security breaches.

Data breaches are now a common occurrence, with over 300 major breaches involving over 100 million consumer records reported each year. Although each breach is unique in terms of its cause, its scope, the type of business it affects, and the type of consumer information it involves, every breach shares two characteristics: (1) it is unanticipated (and therefore usually not expected in the budget) and (2) it can be extremely costly. Besides the internal cost of investigating a breach, which itself usually entails numerous hours from employees, in-house counsel, and outside counsel, where consumer notification is needed a company usually must pay the following costs:

• Printing and mailing notifications;
• Staffing call centers to respond to consumer questions;
• Credit monitoring for affected consumers;
• Legal fees for responding to government investigations; and
• Litigation fees if suit is brought by consumers or regulators.

Companies often pay between $50 and $79 per lost record.[1] For relatively small breaches involving hundreds or thousands of records, the cost can be substantial; for large breaches involving millions of records, the total cost can be enormous.

Although there are always costs in responding to a data breach, companies, especially companies responding to a data breach for the first time, often overlook simple ways to reduce and mitigate these costs. The following suggestions illustrate 10 specific ways in which companies could (but most companies don't) lower the cost of responding to a data breach. These suggestions include steps that a company can take before a breach occurs, immediately after a breach occurs, and well after a breach occurs.

BEFORE A BREACH OCCURS

1. Create a Notification Policy

Most notification statutes provide that if a company creates its own policy for notifying consumers, and that policy is consistent with the law's "timing requirements," then a company that complies with its own policy will be "deemed" in compliance with the statute. Fashioning a corporate notification policy before a breach occurs can help avoid some of the largest costs associated with consumer notifications. For instance, a corporate policy might state that consumers will be notified by e-mail instead of by mail, saving thousands of dollars in printing and mailing fees if a breach occurs.

In addition to the direct savings that can be achieved through the substantive provisions of a corporate breach notification policy, a breach notification policy can also produce significant indirect savings by establishing a clear procedural framework. For instance, by providing instructions for how breaches will be reported internally through a company's organizational structure, and who (or which department) will be responsible for investigating a breach, the policy can prevent the loss of time and money that occurs during the first few days of an uncoordinated response to a data breach.

2. Up-to-Date Safeguards Policy

The best way to save money when responding to a data breach is to not have the breach in the first place. Although most companies are required under federal law (e.g., Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act) or state law (e.g., state "safeguards" statutes) to evaluate security risks and to create a policy to address those risks, many companies do not evaluate security risks regularly. Although the frequency needed to evaluate risks varies by industry and by the type of data that a company maintains, every business should consider reevaluating its safeguards policy at least annually.

Even companies that regularly review their security policy often limit that review to evaluating whether the security policy adequately addresses new technological threats, such as viruses or malware. Often security policies neglect the fact that most breaches are not caused by a breach of the company's information technology infrastructure. When evaluating a security policy, a company should consider the following rough breakdown of where breaches occur:[2]

• 40 percent laptop thefts (half stolen outside of the company; half stolen while inside the company);
• 20 percent human or software error;
• 15 percent non-laptop theft;
• 15 percent hackers; and
• 10 percent employee intentional acts.

AFTER A BREACH

3. Do Not Notify Consumers Unnecessarily

Many companies have started notifying consumers anytime a potential breach occurs. Often the decision to issue notifications is made under the mistaken belief that companies are legally required to issue notifications after any potential breach, or under the belief that there is no downside to giving notice.

Notifying consumers before a company has fully investigated a potential breach can be incredibly costly. First, the company must bear the direct cost of issuing the notification, which, as discussed above, can be substantial. Second, notifying consumers before a company has fully investigated a breach may unnecessarily alarm or confuse consumers. Consumers who mistakenly believe that their data has been breached, or that they are at risk for identity theft, are more likely to file administrative or self-regulatory (e.g., Better Business Bureau) complaints or to initiate civil suits. Although there may be no substance to those complaints, the cost of responding to government investigations, demand letters, or complaints is almost always substantial.

Deciding whether to notify consumers of an incident should be done on a case-by-case basis. In many situations, what might look like a data security breach at first may not require notifying consumers if, after a careful and thorough investigation, it becomes apparent that the security, confidentiality, and integrity of consumers' information has not been compromised.

4. On the Fence About Notifying Consumers? Consider Asking Regulators Before Taking the Plunge

After investigating a potential breach, companies often conclude either that a breach has not, in fact, occurred, or that the security and confidentiality of consumer information has not been compromised as a result of a breach. Companies often decide to issue consumer notifications nonetheless, because they fear that a state or federal regulator may see the situation differently and penalize them for not having made consumer notifications.

Instead of second-guessing a reasoned decision that consumer notification is not needed or warranted, consider voluntarily providing state or federal regulators with information concerning the potential breach and the company's rationale for not issuing consumer notification, and inviting the regulator to offer its comments or opinions. If the regulator disagrees with your assessment and requests consumer notifications, the company is no worse off than it would have been had it issued the consumer notifications; on the other hand, the regulator's agreement with the company's position (or the regulator's silence) can be a powerful defense against any future claim that the decision not to notify consumers was unreasonable.

5. Consider Informally Notifying Government Regulators

Although some states require notification of regulators each time a breach occurs, most states, and most federal regulators, do not have such a requirement. Just because reporting an event is not required does not mean that it is not a good idea to consider reporting it voluntarily. Although in some cases voluntarily reporting a breach to regulators may bring unnecessary (and unwanted) attention from the government, in other cases, especially when a breach has already been publicized, it may head off government investigations or formal requests for documents and information.

6. Keep a Written Chronology of the Breach

The hours and days following a breach are usually hectic and filled with sometimes conflicting information arriving from various sources. Often the information that is filtering in comes in the form of internal e-mails, teleconferences, or interviews. During this process few companies keep a formal log of what the company/legal department knows (and when the company/legal department became aware of the information). Having in-house or outside counsel keep a running written chronology in anticipation of possible litigation can form the basis of what may ultimately become an incident response report, and can save countless hours reconstructing events from e-mails, handwritten notes, and follow-up interviews.

GOVERNMENT INVESTIGATIONS

7. Have Your Privacy Policy, Security Policy, and Safeguards Policy in One Place

It is not uncommon for a company to receive a subpoena, civil investigative demand ("CID"), or nonpublic inquiry following a breach. Although the inquiry may have been triggered by the breach, regulators often ask to see all of a company's consumer-focused statements concerning privacy and security. Making sure that these documents are up-to-date and that past versions of these documents are easily accessible can eliminate the time (and money) needed to find, collect, or reconstruct these policies.

8. Take a First Stab at Responding to Investigatory Demands

Most companies turn to outside counsel who specialize in consumer protection when they are the target of a government investigation. Outside counsel can be invaluable in helping to respond to a CID from the Federal Trade Commission or a subpoena from a state Attorney General. Among other things, they can provide insight concerning issues and facts that will likely be of interest to the government agency, they can draw from their experience with particular government agencies and particular government staff attorneys, and they can help craft interrogatory responses and organize document productions.

At the same time, outside counsel are often not the best resource to coordinate the collection of documents and information from in-house departments and corporate employees. If a company has available in-house resources, having in-house counsel take the first steps to collect documents responsive to document requests and to draft responses to investigatory demands, and then having outside counsel explore additional sources of information and revise written responses, can keep billable hours to a minimum while effectively leveraging resources.[3]

9. Propose Alternative Documents to Satisfy Requests

It is not uncommon for a subpoena or CID that was triggered by a data breach to go far afield in its request for documents and information. Sometimes this reflects a regulator's desire to investigate a company's overall practices and procedures. Other times, this reflects a genuine misunderstanding of the facts or circumstances of a data breach. Before spending countless hours collecting documents or information that might not be needed, outside counsel might be able to explain informally the basic facts underlying the breach, and to propose what documents might best illustrate those facts.

WELL AFTER A BREACH

10. Learn the Lessons

After responding to, investigating, and/or reporting a breach, it is tempting to breathe a sigh of relief and return to other matters that were put aside in the rush to take care of the incident. A data breach provides a one-of-a-kind opportunity to test existing policies and procedures. Investing a small amount of time and money one or two months after a data breach has been successfully resolved to determine what worked, what did not work, and what could have worked better in responding to the breach can save a large amount of time and money when responding to the next breach.

Notes

[1] United States Government Accountability Office, Report to Congressional Requesters: Personal Information, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 34 (June 2007) (citing various surveys of corporate expenditures following data breach).

[2] For more detailed data showing where data breaches most often occur, see

[3] As a caveat, companies that do not have experience responding to document requests issued by government agencies, or issued as part of civil litigation, may spend more money by attempting to coordinate or collect documents on their own. For instance, if documents are collected without keeping a proper chain of custody, without appropriately evaluating material for responsiveness and privilege, and without sensitivity to preserving the documents' integrity (e.g., the metadata of electronic documents), the collection may need to be redone by outside counsel, increasing, instead of reducing, a company's overall costs. The best advice when deciding how in-house and outside counsel resources should be used is to discuss with outside counsel, at an early stage, a proposed process and procedure for collecting materials and information in order to identify potential problems or deficiencies.