I recently spoke on a cybersecurity panel and fielded the same questions people usually want to know from lawyers when it comes to data breaches. What are the damages? What does an "average" data breach cost? How can I avoid being sued? All fair questions, but answered many times over on our blog and others. But it made me think of what companies often do not get about breach response management and what goes into the effort and those numbers -- especially if you want to come out on the other side and do right by your customers. I thought to share some things that might be helpful for companies still trying to properly grasp what data breach will mean for them. Until you go through one, it really is hard to know.
1. Forty Eight. That is the number of states with their own "data breach law" on the books. In addition, so do the District of Columbia, Guam, Puerto Rico and the Virgin Islands. Currently, only Alabama and South Dakota do not have such laws. These state laws are similar in many ways, but different enough to require a company to take the time and money to properly assess their obligations in each and every one of these states when they have a valid breach. (And this is before you add in any requirements under federal regulations, such as HIPAA.) Some state laws require notice to the individual and to law enforcement, while some require media notice. Some laws require notice to be done in a particular format, font and include mandated language in every letter. Some states provide exceptions to breach notification (i.e., encrypted data), but only under certain criteria. Companies that conduct business in each U.S. state potentially trigger every state's requirement when a breach occurs. Thus, companies have to have a plan, budget and staffing to respond to each state's requirements. Any plan should account for litigation and resolving regulatory issues with those states, like Target just did for $18.5 million. Naturally, the financial payouts get all the attention and cause companies to be concerned. However, companies often never have any idea of the time and effort needed to just figure out how to meet each jurisdiction's requirements and then carry them out under the various deadlines -- all while keeping the lights on and making widgets.
2. Is it even a "breach?" Each of those 48 state laws and other regulations has a definition for what qualifies as a "breach" or other triggering event. I often tell clients to never use the "b word" until we tell them to. Under the law, a company with a "breach" may have countless obligations, each with their own timeline, expense and other risks. A security incident or errant disclosure is often not a breach. While information may have been compromised or shared without authorization, such activity may not rise to the level of a breach under any applicable law. After addressing any incident and mitigating any harms resulting from an incident, a company would be well served to work with counsel on determining what laws apply and how. Investing such time wisely and arriving at the proper determination will have a significant impact on a company's time, resources, reputation and customers.
This is always a good time to reiterate that critical difference between whether you HAVE to do something and whether you SHOULD do something. Just because a "breach" may not exist under the law doesn't mean you still shouldn't consider taking the same steps as if it were required by law. Data breach response management is as much the art of relationship management, customer service and just plain doing the right thing, as it is about the law and compliance.
3. Breach response management is a business of its own. Breach response management is more than having your IT department "figure out what happened" and then talking to your in-house counsel. Proper response management involves analyzing the incident, mitigating any harms resulting from the incident, communicating to parties at risk, and taking steps to keep the incident from recurring. Such work rarely happens with only internal resources. Incident response teams often include external forensics experts, public relations personnel, legal counsel, and call center operations companies to manage your notice process. I have yet to find a company that has such designated personnel and funding set aside to do nothing but manage a breach. Companies should have an incident response plan, which includes identifying outside team members in advance of any incident that can assist when (not if) data breach occurs. Lastly, data breach response is a marathon, not a sprint. Some responses can take months, if not years.
4. Seek counsel. With absolutely no shame, I will say, at a minimum, you should secure experienced data breach counsel and preferably before anything happens. Sometimes the breach response (or lack thereof) is worse than the breach itself. Companies make some of the biggest mistakes in the first 24-72 hours after an incident has been discovered. I call this time period the "red zone." Wasting that valuable time trying to first find counsel instead of actually working with one helps to increase the likelihood of mistakes being made. Ideally, you are already working with counsel on a proactive approach to information security, through building a data governance program which not only drives general compliance, but provides you a better chance of surviving a breach. Every breach and its related risks are unique. Having experienced counsel early on in the process is critical to properly ensuring a compliant, yet timely response to properly service customers and satisfy your legal obligations.
5. Get insurance. Any reasonable business leader reading this has been tabulating the costs of each and every point I have made. I totally get it. Unfortunately, I have seen many companies take the "I will just pay when something happens" approach rather than invest in proactive data governance efforts to reduce data breach risks. One of those administrative safeguards is securing insurance for data-related incidents, or "cyber insurance." Carriers are providing diverse and scalable policies to help shoulder the financial burden of data breach response. Indeed, these policies are now covering many of the incident response team members I described earlier (counsel, forensics, etc.), in addition to providing defense to liability resulting from lawsuits and regulatory actions or investigations. Companies never hesitate to purchase general liability insurance or fire/flood insurance. Companies see such policies as common sense protection against all things that can hamper, if not stop their business operations. However, companies will often balk at cyber insurance. I think this is for several reasons. One, they don't think a breach is going to happen to them. Second, they don't understand the coverages available or that a reasonable policy can bring so much more help than just lawyers to defend your company.
I also think companies still operate under the assumption that such insurance is too expensive. Costs have come down considerably over the years. Regardless, there is reluctance to invest. To this reluctance, I will simply offer up the same reason you would buy fire or flood insurance. Companies want such insurance to protect and compensate the business for time and opportunities lost when the building goes up in flames or are flooded. Is the time lost due to WannaCry ransomware encrypting all your databases or a denial of service attack keeping Sony offline for days any less valuable? I could argue the harm is even worse with a security incident when associated with reputational harm or embarrassment resulting from the disclosure of sensitive information. A business disruption is a business disruption.
Data breach is here to stay. As with anything in life, until you've experienced a breach and managed a response to it, it is hard to appreciate the impact on your business and the helpless feelings it can generate. What companies can do is start planning and investing for the inevitable. Until you fully understand the risks to your information and your related legal obligations, you cannot begin to implement a plan to manage and minimize those risks. It is not if, but when.