Planning & Managing a Data Breach

By: Elizabeth C. Rogers, Greenberg Traurig, LLP.

A data breach occurs when sensitive, protected, and/or confidential information is stolen, accessed, or used without authorization. The information may include an individual’s personally identifiable information (PII), protected health information (PHI), cardholder data, or a business’s trade secret or other confidential information.

WHEN A DATA BREACH OCCURS, WHETHER BY NEGLIGENT or malicious acts of employees or third parties, the response must be comprehensive and prompt. The development of a data breach avoidance plan is recommended in order to minimize risk. Such a plan will identify data content and implement management policies and employee training programs, as well as create an incident response team and a 48-hour action plan. A data breach response plan more specifically addresses measures to take in the event of a breach, including the responsibilities of a data breach response team and all obligations that might arise as required by federal or state law, or otherwise. The costs to businesses that suffer a data breach are substantial and include expenses incurred for detection and notification, economic losses due to loss of customer trust, class action lawsuits, and penalties imposed by regulators. Notification to affected customers must comply with the rules of the states where they live and/or operate.

A data breach may arise under a variety of circumstances, such as:

• Employee or contractor negligence (e.g., lost laptops with unsecured sensitive data)
• Malicious insider behavior (e.g., disgruntled or dishonest employees who wrongfully take sensitive or confidential data for unauthorized purposes, or post such sensitive or confidential information to the Internet)
• External cybercriminal behavior, including organized crime rings seeking to profit from exploiting the breached data, or so-called hacktivists, who act for political reasons

Regardless of the cause of a data breach, the response must be prompt and effective.

This article discusses how organizations should both plan for and manage a data breach, including best practices for creating data breach avoidance and response plans, the benefits of such plans, and the importance of promptly notifying individuals affected by a data breach.

Benefits of Data Breach Avoidance and Response Plans

It is crucial to have data breach avoidance and response plans in place long before a breach actually occurs. Such plans may help a business minimize security vulnerabilities, thus making a breach less likely, and may also:

• Lower the cost of a data breach
• Reduce the risk of litigation
• Minimize regulatory scrutiny

Lowers the Cost of a Data Breach

The costs of a data breach are not trivial. In its 10th annual benchmark study, the 2015 Cost of Data Breach Study: United States, Ponemon Institute examined the impact of data breaches incurred by 62 U.S. companies in 16 industry sectors. According to the study, malicious or criminal attacks (rather than negligence or system glitches) continue to be the main cause of data breaches, with the average total cost of a breach increasing 11%, from $5.9 million in 2014 to $6.5 million in 2015. Lost business costs have also increased, from $3.32 million in 2014 to $3.72 million in 2015. Creating data breach avoidance and response plans, and updating or adjusting such plans when necessary, may help businesses to mitigate these costs or to avoid them altogether.

Reduces the Risk of Litigation

A number of state data breach statutes either explicitly allow for a private right of action or have been interpreted as such by the courts. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014). This creates the opportunity for class action lawsuits, which typically allege that a business failed to provide timely notice of a breach, as required by the relevant state laws. Such lawsuits may also allege a number of other claims, such as breach of fiduciary duty, negligence, breach of an express or implied contract, unjust enrichment, invasion of privacy, and unfair and deceptive business practices. For a more detailed discussion on state data breach statutes, see State Statutory Laws Regarding Data Breaches. Having a robust data breach avoidance and response policy—including developing and maintaining adequate policies and procedures for safeguarding personal information, staying abreast of the current legal landscape, revising or updating data security policies and procedures as necessary, and promptly notifying individuals affected by a breach—can help minimize the occurrence and negative consequences of data breaches and thus the risk of litigation.

Minimizes Regulatory Scrutiny

The Federal Trade Commission (FTC) has brought a number of enforcement actions against companies in connection with data breaches—not only for failing to stop a breach, but for failing to put in place adequate measures to avoid breaches (even if no actual breach occurred). In 2014 alone, the FTC brought cases against Snapchat, Inc.; Fandango, LLC; and Credit Karma, Inc. (in connection with their mobile apps); GMR Transcription Services; GeneLink, Inc. and foru International Corp.; Wyndham Worldwide Corp. and three of its subsidiaries; and Verizon. The Third Circuit has upheld the FTC’s authority to regulate cybersecurity under the “unfairness” prong of Section 5 of the FTC Act, 15 U.S.C. § 45(a). See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

Various other federal regulators have been active in the cybersecurity space as well, such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the Food and Drug Administration (FDA), and the Federal Communications Commission (FCC). In addition, state attorneys general have the authority to enforce state statutes, and recently they have focused their attention on doing so. For example, state attorneys general have been active in breaches involving Target Corp.; Neiman Marcus Group LTD; Michaels Stores, Inc.; Home Depot, Inc.; JPMorgan Chase & Co.; TD Bank; and Zappos.com.

Given regulators’ increased focus on the cybersecurity practices of companies within their jurisdiction and the heightened risk of cyberattacks, it is crucial to have effective data breach avoidance and response plans that are regularly tested and updated to account for changes in the cybersecurity landscape. Such proactive measures may reflect favorably on businesses in the event of regulatory scrutiny, giving them valuable negotiating leverage with both state and federal regulators.

Creating a Data Breach Avoidance Plan

The chances are increasingly high that at least one data security incident will affect every organization at some point in time. In order to be prepared for the inevitable, a business should proactively develop both:

• A data breach avoidance plan
• A data breach response plan

A data breach avoidance plan can help a business minimize vulnerabilities and prevent circumstances that lead to data loss, significant regulatory fines, litigation expenses, and brand damage. As part of a comprehensive data breach avoidance plan, a business should:

• Create a data map
• Assess and document the laws, regulations, and industry standards that apply to each piece of data
• Categorize the data based on its sensitivity and the impact to the business in the event of a breach
• Implement appropriate data security safeguards
• Adhere to any data security representations in privacy policies or other consumer-facing statements
• Assess relationships with third-party vendors
• Consider purchasing cyber insurance

Each of these issues is discussed in further detail below.

Create a Data Map

The first step in creating an effective data breach avoidance plan is to create a data map of all the data collected by an organization. The data map should contain detailed information about each piece of data, including:

• The type of data
• From whom the data is collected (and why)
• How the data is collected and inputted
• How and where the data is stored
• Who can access the data, and how (and where those persons are located)
• The purposes for which the data is used
• Whether and how the data may be altered or manipulated, by whom, and for what purpose
• Whether and how the data may be transmitted
• How the data is secured
• How long the data is retained
• How the data is disposed of or destroyed
• Any backups to the data
• Logs or documentation pertaining to the data

Data maps are typically created by privacy or compliance professionals who are proficient with the use of Visio (or similar diagramming software), with input from lead stakeholders in an organization. They illustrate how information flows through the organization and are a critical starting point for ensuring compliance with applicable privacy laws and regulations.

Assess and Document Relevant Laws, Regulations, and Industry Standards

Once an organization has created a data map, it should next assess and document which laws, regulations, and industry standards apply to each piece of data. The organization should then put policies and procedures in place to ensure compliance with such laws, regulations, and standards.

Categorize the Data

After creating a data map, an organization should next create a Data Classification System that categorizes the data based on its sensitivity and the legal impact to the organization in the event of a breach. Examples of data classification include:

• Confidential or sensitive data (also referred to as restricted or regulatory data). High risk data that is protected by federal or state privacy laws or regulations or confidentiality agreements (e.g., PII, PHI, payment card information) generally receives the highest level of security controls.
• Internal or private data (e.g., contracts, proprietary information). Lower risk data that is not required to be protected by any laws, regulations, or binding agreements, but that an organization nonetheless wishes to protect, generally receives a reasonable level of security controls.
• Public data (e.g., press releases, marketing materials, job descriptions). Low risk data that is publicly available generally receives the lowest level of security controls.

Data classification will aid an organization in assigning the proper security controls to each category of data and will provide the skeletal framework, so to speak, for the rest of an effective data breach avoidance plan.

Implement Data Security Safeguards

Many organizations only focus on servers and databases when it comes to data security safeguards. However, much of the confidential and sensitive data that an organization maintains is in the form of paper and/or is stored in open areas that are densely populated with all levels of employees. It is therefore critical that a company establish an information security and privacy framework that involves the same degree of protection for both physical and electronic data.

This framework should be set forth in written policies and procedures. The organization should internally review and update such policies and procedures as necessary and retain a third-party consultant for periodic assessments. All changes should be thoroughly documented.

Data protection and management measures may include:

• Encryption of sensitive data and other security measures such as firewalls, network segmentation, and strict password requirements
• Monitoring systems (e.g., telephone and e-mail/Internet use monitoring, video surveillance systems)
• A Bring Your Own Device (BYOD) policy that addresses whether, and under what circumstances, employees may use their own devices (such as laptops, iPads, smartphones, or other mobile devices) for work purposes
• A records retention/destruction policy
• Employee training manuals and programs that specifically address data protection measures and identifying and reporting breaches, pursuant to the organization’s internal policies and procedures

Note that many state data breach notification laws contain exemptions for encryption, while others affirmatively require encryption in defined circumstances.

Adhere to Any Data Security Representations

Companies often make representations pertaining to data security in written privacy policies, terms of service, and other consumer-facing and/or end-user-oriented statements. If your client has made such a representation, it must ensure that all data is protected and handled in accordance with that representation. Failure to do so may lead to an enforcement action by the Federal Trade Commission (FTC) and/or regulatory scrutiny.

To ensure compliance, the client’s information security professionals should work closely with its privacy or compliance officers to regularly audit security-related representations (e.g., twice a year, or more frequently if new products or services are introduced). Your client should also take care to avoid using vague language and overstating the actual level of data security in its privacy policy or other consumer-facing statements.

Assess Relationships with Third-Party Vendors

An organization may be vicariously liable for data breaches affecting third-party vendors, contractors, and consultants who collect, store, use, or access the business’s data. It is therefore critical to assess your client’s existing relationships with third-party vendors, to conduct due diligence of potential vendors’ data security and privacy practices, and to include appropriate protections in any contractual agreement.

For existing third-party vendors, determine whether the relevant contracts address:

• Data protection requirements
• Notification requirements in the event of an actual or suspected breach
• Indemnity provisions or other exclusions or limitations of liability
• The right to access or audit the third-party’s security measures onsite (or, alternatively, whether the third party is required to conduct and submit an annual security assessment)

For future dealings with third-party vendors, your client should consider a rigorous due diligence program that includes a thorough review of the third party’s information security and privacy policies, practices, and procedures. Lax security and privacy practices may raise a red flag and persuade the client to choose a different vendor.

If your client decides to proceed with a particular vendor, you should ensure that essential and appropriate contractual terms (such as those listed above) are included in the agreement. The client may also wish to require the third party’s participation in an annual security awareness training program that it conducts (or one that is equivalent).

Consider Purchasing Cyber Insurance

A final important element of a data breach avoidance plan is the consideration of insurance. Your client should determine whether and to what extent its existing insurance policies cover data breaches or other cybersecurity incidents and consider purchasing cyber insurance (if not already owned). Note that cyber policies and premiums vary widely among insurers. If your client decides to purchase cyber insurance, it should be prepared to negotiate for coverage that adequately accounts for the cyber risks faced by the organization.

Creating a Data Breach Response Plan

In addition to a data breach avoidance plan, an organization should also create a data breach response plan that thoroughly details how the organization will respond to a data breach and the requisite timelines. For many businesses, having a data breach response plan is part of business continuity planning, disaster recovery planning, and/or risk management.

The response plan should be prepared by the internal and external stakeholders who will be involved in the ultimate response efforts according to the organization’s RACI chart (i.e., who is Responsible, Accountable, Consulting, or Informed), including executives and managers of departments that will play a key role in response efforts. The response plan should also be reviewed by one or more members of the board of directors.

Broadly speaking, the data breach response plan should include the categories of data that the business has a duty to protect, the roles and responsibilities of the data breach response team, an internal and external communication plan, the detailed steps required by applicable state and federal laws that require notification, and other obligations that would apply in the case of a breach.

To create a comprehensive data breach response plan, a business should:

• Assemble a data breach response team
• Outline the steps that each team member should take in the event of a breach
• Consider which roles might be considered key witnesses in any litigation or regulatory proceeding
• Compile a list of outside vendors that may need to be consulted in the event of a breach
• Test the response plan on a regular basis and make adjustments as necessary
• Assess and document, post-breach, the effectiveness of the response plan and any mitigation efforts

Each of these issues is discussed in further detail below.

Assemble a Response Team

The business should assemble a data breach response team tasked with ensuring an efficient and effective response in accordance with the plan. The data breach response plan should clearly define the roles and responsibilities of each team member. The data breach response team should include the following individuals:

• An incident lead
• IT representatives
• Legal and privacy representatives
• Public relations representatives
• HR representatives
• Customer service representatives

Incident lead. The incident lead should have extensive familiarity with the organization’s network and system security, such as the chief information security officer, and should be tasked with the following responsibilities:

• Managing and coordinating the overall response/mitigation efforts
• Acting as an intermediary between business executives and other team members, keeping all parties apprised of the progress of incident-declaration and mitigation efforts and any important issues or setbacks
• Identifying key tasks and managing timelines and documentation of all response/mitigation efforts
• Outlining the budget and the resources required to respond to a given data breach
• Conducting a post-breach review of response/mitigation efforts to determine whether the response was effective and efficient and to determine what, if any, adjustments should be made to the organization’s data security policies and procedures

IT representatives. The IT representatives should identify the root causes of the breach and secure the system, including securing machines, taking infected machines offline, and preserving evidence. These individuals may also work with a forensics firm to identify the compromised data and delete any data-compromising tools.

Legal and privacy representatives. The legal and privacy representatives should assist in directing the data breach response and notification efforts and help minimize the risk of litigation and penalties. These individuals should be tasked with the following responsibilities:

• Determining how and when to notify the affected individuals, the media, law enforcement and government agencies, and other necessary parties
• Coordinating with outside counsel
• Serving as a resource for data breach notification requirements and other legal obligations under applicable federal and state laws
• Identifying what aspects of the response/mitigation efforts should be protected by the attorney-client privilege (e.g., documents and telephone conferences)

Public relations representatives. The public relations representatives should be tasked with the following responsibilities:

• Identifying the sequence of steps for communicating news of the data breach (and being prepared to triage any premature information leaks regarding the breach)
• Serving as the central coordinator for all communication efforts to ensure accuracy and consistency (e.g., by establishing and/or overseeing a website or consumer hotline)
• Tracking media coverage and devising a strategy to respond to any negative press

HR representatives. The HR representatives should direct employees to forward questions received from the public regarding the data breach to the company’s public relations or communications department.

Customer service representatives. The customer service representatives should staff a data breach hotline or respond to website inquiries from customers and/or employees.

Outline Steps That Each Team Member Should Take Following a Breach

The business should outline steps for the relevant team members to take following the report of a suspected data breach, including the following critical actions:

• Taking all necessary steps to immediately secure the data and contain damages
• Identifying the scope and extent of the breach
• Executing a security incident declaration
• Determining what laws or regulations are applicable
• Notifying all necessary internal and external parties within the time periods prescribed by the relevant state data breach notification laws

Determine Which Roles Might Be Considered Key Witnesses

The business should determine which roles would likely be considered key witnesses in any state or federal regulatory proceedings or litigation. The individuals who occupy these roles will need to be appropriately prepared to speak on the company’s behalf and know the protocol for responding to questions.

Compile a List of Outside Vendors

The business should compile a list of outside vendors or entities that the organization may need to immediately engage in the event of a breach. Such vendors or entities may include:

• Computer forensics experts
• Outside counsel
• Call center services
• Fraud or credit monitoring services
• Credit restoration services
• Law enforcement and government agencies

Your client should carefully consider whether to provide fraud or credit monitoring services to victims of a data breach. However, such actions may potentially weigh in favor of standing in a class action lawsuit. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). Note also that some states (e.g., Connecticut and California) require companies to provide free credit monitoring services to data breach victims in specific circumstances.

Test the Response Plan Regularly

The business should test the response plan on a regular and frequent basis (e.g., tabletop exercises or drills with key stakeholders on at least an annual, if not quarterly, basis) and make adjustments as necessary.

Assess and Document the Effectiveness of the Plan Post-Breach

The business should assess and document the effectiveness of the response plan and any mitigation efforts post-breach and determine what, if any, changes should be made to the response plan to be better prepared for future breaches.

Ensure the Data Breach Avoidance and Response Plans Remain Current

Avoiding and responding to a data breach does not end with the creation of data breach avoidance and response plans. Rather, businesses must continuously ensure that the plans remain current by evaluating and updating IT security processes, employee security awareness, and representatives on the data breach response team. Businesses should also monitor and stay abreast of any changes in state and federal laws related to data breach notification requirements or other legal obligations.

Managing a Data Breach

After a data breach, it is imperative for a business to act quickly and decisively to regain security of the data, preserve evidence, and protect its reputation with customers. As an initial step, where a business has designated a response team, that team should be notified immediately, and the response plan activated. In particular, it is critical (whether the business has a formal response plan or not) to:

• Notify the representatives on the data breach response team (where applicable)
• Immediately secure the data and systems to stop the breach
• Identify the scope of the breach, the compromised data, and the affected individuals
• Determine which state and/or federal laws apply to the handling of the data breach and notification of the affected individuals
• Notify the affected individuals
• Manage communications as to the data breach and the steps taken to investigate and respond to the breach

Notifying the Affected Individuals

The United States does not have a uniform data breach notification law. Therefore, in the event of a data breach, businesses must rely on an amalgamation of state-by-state requirements, and in some instances, federal industry-specific requirements. Mishandling notifications can lead to severe consequences such as fines, reputational damage that leads to the loss of customer loyalty and potential revenue, and regulatory scrutiny and/or enforcement actions.

A total of 47 states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have statutes governing data breach notification requirements (Alabama, New Mexico, and South Dakota do not). While data breach notification statutes vary by state, most states generally require a business to send a letter to each data breach victim in the state where the victim resides.

A useful way to streamline the notification process is to draft a general breach notification that covers the requirements common to most state’s laws. The letter can then be tailored to follow the individual notification rules of each particular state to which it is sent, as well as to include the relevant requirements under applicable federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Elizabeth C. Rogers is a shareholder in Greenberg Traurig’s Cybersecurity, Privacy, and Crisis Management practice group. Formerly, she served as the first Chief Privacy Officer in Texas state government. Her practice includes supporting breach responses, privacy risk assessments, and technology transactions across industry.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach

Related Content