Privacy events and data breaches can be crippling. It can take substantial time and investigation to determine the cause of the breach, and by then, the trails left by perpetrators can be long gone. What should companies do if they have encountered a privacy or data breach? Axis’s guide helps businesses and corporations pick up the pieces and respond quickly to regain trust and retain clients and customers.
Identify the Worst of the Damage. In the first few hours after a data breach is discovered, it is critical to identify what has been breached and what data has been compromised. Negligent employees clicking on mal-ware links are the top causes of data breaches in the United States. Panicking will not be effective. Instead, following a few critical steps can help mitigate the amount of damage caused by a security breach. First, as many details about the security breach must be identified and acquired as soon as possible. This includes identifying the date, time, and how the breach was discovered, and when response efforts began. The premises around the area the data breach occurred should be secured to preserve evidence, and affected machines should be taken offline (but not turned off). No probing or testing should take place until a forensics team arrives. In identifying the worst of the damage, employee should be interviewed, and protocols should be reviewed to determine whether human error was responsible for any portion of the damage.
Assemble a Team and Prepare a Plan. Studies statistically show that organizations that address data breaches with a team in place (usually executives with decision-making authority, IT staff, and a legal team) can reduce the cost of a data breach by more than 1/3. In addition to the foregoing, a forensic data vendor may be required to survey and collect data relating to the origin and source of the breach so as to aid law enforcement investigations. The company’s IT staff can help work with security vendors to investigate the source of the data breach and whether employee negligence was involved. Adding on a PR team can also help deal with any potentially negative publicity resulting from the security breach. A communications or PR team can determine the best crisis management tactic to employ and implement, handle information leaks regarding a breach, and track media coverage to quickly respond to any negative press, if needed.
Notify Customers. Nearly all states have laws that require customer notification in the event personal data is lost, stolen, or inadvertently disclosed, and these laws may expand to a national level soon. Many states require companies to notify their customers of any data breach. Other states require notification when harm to potential victims is likely. Even if the law does not require it, businesses should strongly consider the advantages of giving notice to customers whose information was compromised.
In addition to state laws, the federal Gramm-Leach-Bliley Act (or GLB), 15 U.S.C. §§6801-6810 requires the adoption of procedures to safeguard customer data. As part of a security plan, financial companies should notify customers when there has been unauthorized access to customer data if, after an investigation, the financial institution determines that customer data has been or is likely to be misused.
Data breaches involving medical information also prompt notice under federal law and regulations. The Health Information Technology for Clinical Health Act (HITECH), Section 13402, requires the Department of Health and Human Services (HHS) to issue rules defining how and when consumers are to be notified of a breach of protected health information. In some cases, notice is required to consumers and HHS. Media notice is also required for some breach incidents, and incidents involving more than 500 individuals are posted by the HHS.
Type of Notification. If a business chooses to inform customers about a security breach, it should:
- Describe the nature of the incident;
- Inform them what has been done to address the problem; and
- Advise them on what the company will do in the future to further reduce the chance of future security breaches
Many states also have laws addressing the timeline of when notifications need to be provided, meaning that it is critical for disclosures to be made, with notification letters written, printed, mailed, and call centers set up to handle customers/client inquiries. Some states also require specific content that must be included in notification letters.
Notify Law Enforcement and Other Authorities. If a breach occurs, it is important that the business alert appropriate law enforcement officials immediately so they can investigate the incident. This could include local police, state authorities, or even the FBI. Corporations should notify their legal counsel immediately so that the business is prepared to contact law enforcement officials quickly. Businesses should also notify their payment processing companies, given how important it is for compromised accounts to be closed to prevent further fraud. Because businesses can be liable for any resulting fraud, immediate notification to payment card companies and even the three credit reporting agencies is important.
Providing Customers and Clients with Notification, Resources, and Support. If a breach occurs, businesses should contact consumers and clients and notify them to monitor their accounts, credit cards, and credit reports for signs of identity theft. Some businesses go a further step and pay for credit monitoring services for affected customers for a period of time (i.e., a few months). Clients and customers should also be told to file police reports and notify consumer reporting agencies if they suspect they are the victims of identity theft or fraud. Making a public statement to the media will also bring the security event to light and mitigate any accusations of concealment or deception of consumers.
Preparations for Response. Businesses should also be prepared to respond to inquiries by consumers, clients, law enforcement, the press, and others. For major data breaches, this can involve thousands of calls a day. Furthermore, mail/email written notifications to consumers will require planning, budgetary considerations, and a similarly well-prepared response team.
Axis Legal Counsel’s Privacy & Data Security practice represents clients with numerous privacy and data security matters, including security breaches, unauthorized access, privacy violations, and threats by insiders, outsiders, and hackers. Axisprovides a wide variety of legal services to corporate clients, including crisis management, general corporate legal services, business litigation, director/officer representation, technology/internet law, and others. For information on retaining Axis Legal Counsel, contact firstname.lastname@example.org or call (213) 403-0130 for a confidential consultation about your legal issue.