2. Topics For Discussion
• Why do you need a response plan?
• What is a “data security breach”?
• Responding to a data security breach
• State requirements and legislative update
• Regulatory enforcement and litigation
3. 2012 Statistics
• According to Verizon’s 2013 Data Breach Investigations Report, in 2012 there were 621 confirmed data breaches and 47,000 reported security incidents.
– 92% perpetrated by outsiders.
– 76% caused by exploiting weak or stolen passwords.
4. Cost Of A Data Security Breach
• In 2011, data breaches cost organizations an average of $5.5 million.
– $222 per record
– Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations)
– Compare to the cost of having preventative measures in place, such as privacy and security policies, training and encrypting sensitive information
5. Types of Data Security Breaches
• Devices are lost or stolen.
• Insider or employee misuse.
• Unintended disclosure.
• Security patches are not installed.
• Malware.
• Hacking.
6. What Is The Objective?
Fill In The Gap
• Protection
• Compliance
• Audits
• Criminal prosecution
• Civil prosecution
How to Manage the Data Security Breach
7. Why Do You Need A Response Plan?
Thoughtful and Prepared Reaction
Better Decision Making
Minimized Risk and Loss
8. What Is A Data Security Breach?
• Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
• California’s statute served as a model for later state statutes.
– State involvement began in California, after a series of breaches received national attention.
– Passed in 2002, went into effect in mid-2003.
9. What Is A Data Security Breach?
• “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.
10. What Is A Data Security Breach?
• “Personal information”
– First name or initial and last name with one or more of the following (when either the name or the data element is not encrypted):
• Social security number;
• Driver’s license number;
• Credit card or debit card number; or
• Financial account number with information such as PINs, passwords or authorization codes.
11. What Is A Data Security Breach?
• Some states have expanded the definition of “personal information” to include:
– Medical information or health insurance information (California);
– Biometric data (Indiana);
– Mother’s maiden name, birth/death/marriage certificate and electronic signature (North Dakota).
12. What Is A Data Security Breach?
• “Breach of the security of the system”
– Some states expressly require notice of unauthorized access to non-computerized data
• New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
• Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”
13. What Is A Data Security Breach?
• Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements
– Certain states require a risk of harm
• Arkansas: no notice if “no reasonable likelihood of harm to customers”
• Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”
14. What Is A Data Security Breach?
• Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data
– Data owner has ultimate responsibility to notify consumers of a breach
– Non-owners are required to notify owners
15. Collect Relevant Documents and Information
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Privacy policy
• Information security policy
• Ethics policy
• Litigation hold template
• Contact list
16. Create A First Response Team
• Information technology (computer & technology resources)
• Information security (physical security & access)
• Human resources (private employee information – health & medical, payroll, tax, retirement)
• Legal counsel (in-house and/or outside counsel)
• Compliance
• Business heads (consumer information)
• Public relations/investor relations
17. Assign Tasks To Members Of The First Response Team
• Establish a point person
• Identify key personnel for each task
• Prioritize and assign tasks
• Calculate timelines and set deadlines
• Communicate with management
• Establish attorney-client privilege for the investigation and communications
Project Management Is Critical
18. Determine The Nature And Scope Of The Breach
• Investigate facts
• Interview witnesses
• Determine the type of information that may have been compromised
• Identify and assess potential kinds of liability
• Identify individuals potentially at risk and determine their state or country of residence
Preserve Company’s Assets, Reputation and Integrity
19. Understand Data Breach Notice Laws
• State laws:
– What constitutes personal information?
– When is a notice required?
– Who must be notified? (e.g., State Attorney General)
– Timing?
– What information must be included in the notice?
– Method of delivering notice?
– Other state-specific requirements?
• Applicable industry-specific laws
• Applicable international laws
20. Determine Appropriate Notices
• Consumers
• Employees
• Law enforcement (Federal/State)
• Federal regulatory agencies
• State agencies
• Consumer reporting agencies
• Third-party vendors
• Insurers
• Media
21. Prepare State Law Notices
• General description of the incident
• Type of information that may have been compromised
• Steps to protect information from further unauthorized access
• Contact information (e.g., email address; 1-800 number)
• Advice to affected individuals (e.g., credit reporting, review account activity)
22. Prepare State Law Notices
• Delivery method (e.g., certified letters, e-mail, website)
• Timing of notices
• Tailor notices based on recipient
• Use single fact description for all notices
25. State Laws - California
• Applies to any business that “owns or licenses” or “maintains” computerized data that includes “personal information”
• Requires notice to California residents if “unencrypted” personal information “was, or is reasonably believed to have been, acquired by an unauthorized person”
26. State Laws - California
• “Personal information” includes:
– “Medical information”: an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
– “Health insurance information”: an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeal records
27. State Laws - Massachusetts
• Applies to information regardless of physical form (includes paper)
– “Unencrypted data or, encrypted electronic data and the confidential process or key”
– Data encrypted at “128-bit or higher algorithmic process” is not a security breach, unless the encryption key is also lost
28. State Laws - Massachusetts
• Requires notice “as soon as practicable and without unreasonable delay”
• Requires a business that owns or licenses data to notify:
– Attorney general
– Director of consumer affairs and business regulation
• Director shall identify and report to any relevant consumer reporting agencies and state agencies
– Affected Massachusetts residents
29. State Laws - Massachusetts
• State statute also requires the department of consumer affairs to adopt data security regulations: “Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts”
• Regulations went into effect on March 1, 2010
30. State Regulations - Massachusetts
• Applies to entities that “own or license personal information” of a Massachusetts resident
– Explicitly includes personal information “in connection with employment”
• Requires entities to develop, implement and maintain a written data security program
– Must take into account an entity’s size, the nature of its business, the type of records it maintains and the risk of identity theft posed by the entity’s operations
– Must include certain administrative, technical and physical safeguards
31. State Regulations - Massachusetts
• Requires entities to take steps to select and retain third-party service providers that are capable of appropriately safeguarding personal information
• Requires entities to impose contractual obligations on their third-party service providers to safeguard personal information
32. Prepare Answers To Inquiries
• Draft FAQs with responses
• Establish a hotline
• Assign a group of contact employees
• Train employees to respond to inquiries
• Develop a clear escalation path for difficult questions
• Track questions and answers
33. Prepare Press Release
• Include the following information:
– Facts surrounding the incident
– Actions to prevent further unauthorized access
– Steps to prevent future data security breaches
– Contact information for questions
• Review by legal counsel
34. Consider Offering Assistance To Affected Individuals
• Free credit reporting
• Free credit monitoring with alerts
• ID theft insurance
• Access to fraud resolution specialists
• Toll-free hotline
35. Regulatory Update
• California’s Right to Know Act of 2013 (AB 1291):
– Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.
– Businesses would have 30 days to answer a request for the information.
36. Regulatory Update
• California’s Right to Know Act of 2013 (AB 1291):
– Applies to businesses that “retain” personal data or disclose the information to a third party.
– Defines “retain” to mean “store or otherwise hold personal information”, whether the information is collected or obtained directly from the consumer or from any third party.
37. Regulatory Update
• California’s Right to Know Act of 2013 (AB 1291):
– Faced opposition from companies such as Google and Facebook.
– Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.
– Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.
– Assembly will consider AB 1291 again in 2014.
41. Enforcement Actions
• Federal Trade Commission – Section 5 of the FTC Act
– Enforces privacy policies and challenges data security practices that cause substantial consumer injury
• State Attorney General – State Notification Statutes
– Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
– Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
• Litigation in federal or state courts
42. Litigation
Typical Claims By Plaintiffs
• Plaintiffs (consumers or employees) typically allege the following causes of action:
– Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty
– Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts
43. Litigation
Plaintiffs Lack Standing
• Certain courts have dismissed data breach cases on the ground of standing.
– Hinton v. Heartland Payment Sys., Inc., Civ. A. No. 09-594, 2009 U.S. Dist. LEXIS 20675 (D.N.J. March 16, 2009):
• Increased risk of fraud and identity theft do not constitute “actual or imminent injury in fact” and “amount to nothing more than mere speculation.”
– Amburgy v. Express Scripts, Inc., Civ. A. No. 09-705, 2009 U.S. Dist. LEXIS 109100 (E.D. Miss. Nov. 23, 2009):
• “Plaintiff does not claim that his personal information has in fact been stolen and/or his identity compromised.”
• “For plaintiff to suffer the injury and harm he alleges here, many ‘ifs’ would have to come to pass.”
44. Litigation
Plaintiffs Have Standing
• However, “[t]he recent trend in ‘lost data cases,’ . . . seems to be in favor of finding subject matter jurisdiction” (i.e., standing). McLoughlin v. People’s United Bank, Inc., Civ. A. No. 08-944, 2009 U.S. Dist. LEXIS 78065, at *12 (D. Conn. Aug. 31, 2009).
– Pisciotta v. Old Nat’l. Bancorp., 499 F.3d 629 (7th Cir. 2007) (injury in fact satisfied by “threat of future harm” or “increasing the risk of future harm”);
– Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing);
– Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
45. Litigation
Plaintiffs Cannot Prove Damages
• Pisciotta v. Old Nat’l. Bancorp.: customers sought compensation for past and future credit monitoring services, after a hacker obtained access to their personal information through the bank’s website
– Seventh Circuit affirmed the district court’s decision granting defendant bank’s motion for judgment on the pleadings and dismissed claims for negligence and breach of contract
– Exposure to identity theft or increased risk of identity theft, without more, does not constitute “compensable injury” or “a harm that the law is prepared to remedy”
– Credit monitoring costs do not constitute “compensable damages”
46. Litigation
Plaintiffs Cannot Prove Damages
• Ruiz v. Gap, Inc.: laptop computer stolen, which contained approximately 750,000 Gap job applications (including name and social security no.)
– Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of contract
– “At a minimum, Ruiz would be required to present evidence establishing a significant exposure of his personal information”
– “Because Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft”
– “Ruiz cannot show he was actually damaged by pointing to his fear of future identity theft”
47. Litigation
Unusual Court Rulings
• Caudle v. Towers, Perrin, Forster & Crosby: laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no. of employees)
– Employee named employer’s pension consultant as a defendant, but did not include employer
– Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
– Court denied the motion with respect to the claim that plaintiff was a third-party beneficiary of the contract between defendant and plaintiff’s employer
48. Litigation
Unusual Court Rulings
• Rowe v. UniCare Life & Health Ins. Co., Civ. A. No. 09-2286, 2010 U.S. Dist. LEXIS 1579 (N.D. Ill. Jan. 5, 2010): personal information of plaintiff was temporarily accessible to the public on defendants’ Internet website
– In deciding the motion to dismiss, the Court found that plaintiff satisfied the minimal pleading standard and allowed claims to proceed
– But the Court stated that claims may ultimately be dismissed if plaintiff cannot show a basis for damages other than the alleged increased risk of future harm such as identity theft
– Plaintiff may prevail “only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.”
49. Avoid Future Data Security Breaches
• Limit access to personally identifiable information
• Encryption
• Establish privacy compliance program
• Train and test employees
• Periodic audits
• Update and revise procedures
• Enhance technology to strengthen security and reduce risk
• Credential third party vendors