Ten Ways to Prevent a Data Breach from Breaching a Budget
DAVID ZETOONY

With data breaches a fact of life for many companies today, the author provides a 10-point checklist, covering steps a company can take before a breach occurs, immediately after a breach occurs, and well after a breach occurs, designed to lower the cost of responding to data security breaches.

Data breaches are now a common occurrence, with over 300 major breaches involving over 100 million consumer records reported each year. Although each breach is unique in terms of its cause, its scope, the type of business it affects, and the type of consumer information it involves, every breach shares two characteristics: (1) it is unanticipated (and therefore usually not expected in the budget) and (2) it can be extremely costly. Besides the internal cost of investigating a breach, which itself usually entails numerous hours from employees, in-house counsel, and outside counsel, where consumer notification is needed a company usually must pay the following costs:
• Printing and mailing notifications;
• Staffing call centers to respond to consumer questions;
• Credit monitoring for affected consumers;
• Legal fees for responding to government investigations; and
• Litigation fees if suit is brought by consumers or regulators.

David Zetoony is an attorney at Bryan Cave LLP in Washington, D.C. He practices antitrust and consumer protection litigation and, over the past five years, has assisted dozens of companies in responding to data security breaches and to the investigations that result from them. He may be contacted at david.zetoony@bryancave.com.

Published in the May 2009 issue of Privacy & Data Security Law Journal (pp. 449-455). Copyright ALEXeSOLUTIONS, INC.

Companies often pay between $50 and $79 per lost record.[1] For relatively small breaches involving hundreds or thousands of records, the cost can be substantial; for large breaches involving millions of records, the total cost can be enormous.

Although there are always costs in responding to a data breach, companies, especially companies responding to a data breach for the first time, often overlook simple ways to reduce and mitigate these costs. The following suggestions illustrate 10 specific ways in which companies could (but most companies don't) lower the cost of responding to a data breach. These suggestions include steps that a company can take before a breach occurs, immediately after a breach occurs, and well after a breach occurs.

BEFORE A BREACH OCCURS
1. Create a Notification Policy
Most notification statutes provide that if a company creates its own policy for notifying consumers, and that policy is consistent with the law's "timing requirements," then a company that complies with its own policy will be "deemed" in compliance with the statute. Fashioning a corporate notification policy before a breach occurs can help avoid some of the largest costs associated with consumer notifications. For instance, where the governing statute permits electronic notice, a corporate policy might state that consumers will be notified by e-mail instead of by mail, saving thousands of dollars in printing and mailing fees if a breach occurs.
In addition to the direct savings that can be achieved through the substantive provisions of a corporate breach notification policy, a breach notification policy can also produce significant indirect savings by establishing a clear procedural framework. For instance, by providing instructions for how breaches will be reported internally through a company's organizational structure, and who (or which department) will be responsible for investigating a breach, the policy can prevent the loss of time and money that occurs during the first few days of an uncoordinated response to a data breach.

2. Up-to-Date Safeguards Policy
The best way to save money when responding to a data breach is to not have the breach in the first place. Although most companies are required under federal law (e.g., Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act) or state law (e.g., state "safeguards" statutes) to evaluate security risks and to create a policy to address those risks, many companies do not evaluate security risks regularly. Although the frequency needed to evaluate risks varies by industry and by the type of data that a company maintains, every business should consider reevaluating its safeguards policy at least annually.

Even companies that regularly review their security policy often limit that review to evaluating whether the security policy adequately addresses new technological threats, such as viruses or malware. Security policies often neglect the fact that most breaches are not caused by a breach of the company's information technology infrastructure. When evaluating a security policy, a company should consider the following rough breakdown of where breaches occur (based on the breach data available when this article was written in 2009):[2]

• 40 percent laptop thefts (half stolen outside of the company; half stolen while inside the company);
• 20 percent human or software error;
• 15 percent non-laptop theft;
• 15 percent hackers; and
• 10 percent employee intentional acts.

AFTER A BREACH
3. Do Not Notify Consumers Unnecessarily
	

Many companies have started notifying consumers anytime a potential breach occurs. Often the decision to issue notifications is made under the mistaken belief that companies are legally required to issue notifications after any potential breach, or under the belief that there is no downside to giving notice. Notifying consumers before a company has fully investigated a potential breach can be very costly. First, the company must bear the direct cost of issuing the notification, which, as discussed above, can be substantial. Second, notifying consumers before a company has fully investigated a breach may unnecessarily alarm or confuse consumers. Consumers who mistakenly believe that their data has been breached, or that they are at risk for identity theft, are more likely to file administrative or self-regulatory (e.g., Better Business Bureau) complaints or to initiate civil suits. Although there may be no substance to those complaints, the cost of responding to government investigations, demand letters, or complaints is almost always substantial.

Deciding whether to notify consumers of an incident should be done on a case-by-case basis. In many situations, what might look like a data security breach at first may not require notifying consumers if, after a careful and thorough investigation, it becomes apparent that the security, confidentiality, and integrity of consumers' information has not been compromised. That investigation must still be completed within whatever timing requirements the applicable notification statutes impose.

4. On the Fence About Notifying Consumers? Consider Asking Regulators Before Taking the Plunge

After investigating a potential breach, companies often conclude that either a breach has not, in fact, occurred, or that the security and confidentiality of consumer information has not been compromised as a result of a breach. Companies often decide to issue consumer notifications nonetheless, because they fear that a state or federal regulator may see the situation differently and penalize them for having not made consumer notifications.

Instead of second-guessing a reasoned decision that consumer notification is not needed, or warranted, consider voluntarily providing state or federal regulators with information concerning the potential breach and the company's rationale for not issuing consumer notification, and inviting the regulator to offer its comments or opinions. If the regulator disagrees with your assessment and requests consumer notifications, the company is no worse off than it would have been had it issued the consumer notifications; on the other hand, the regulator's agreement with the company's position (or the regulator's silence) can be a powerful defense against any future claim that the decision not to notify consumers was unreasonable.

5. Consider Informally Notifying Government Regulators
	 Although some states require notification of regulators each time a
breach occurs, most states, and most federal regulators, do not have such a
requirement. Just because reporting an event is not required does not mean
that it is not a good idea to consider reporting it voluntarily. Although in
some cases voluntarily reporting a breach to regulators may bring unnecessary (and unwanted) attention from the government, in other cases, especially when a breach has already been publicized, it may head off government
investigations or formal requests for documents and information.

6. Keep a Written Chronology of the Breach
	 The hours and days following a breach are usually hectic and filled with
sometimes conflicting information arriving from various sources. Often information that is filtering in comes in the form of internal e-mails, teleconferences, or interviews. During this process few companies keep a formal
log of what the company/legal department knows (and when the company/
legal department became aware of the information). Having an in-house, or
outside, counsel keep a running written chronology in anticipation of possible litigation can form the basis of what may ultimately become an incident
response report, and can save countless hours reconstructing events from
e-mails, handwritten notes, and follow-up interviews.

GOVERNMENT INVESTIGATIONS
7. Have Your Privacy Policy, Security Policy, and Safeguards Policy in One Place

It is not uncommon for a company to receive a subpoena, civil investigative demand ("CID"), or nonpublic inquiry following a breach. Although the inquiry may have been triggered by the breach, regulators often ask to see all of a company's consumer-focused statements concerning privacy and security. Making sure that these documents are up-to-date and that past versions of these documents are easily accessible can eliminate the time (and money) needed to find, collect, or reconstruct these policies.

8. Take a First Stab at Responding to Investigatory Demands
	 Most companies turn to outside counsel who specialize in consumer
protection when they are the target of a government investigation. Outside counsel can be invaluable in helping to respond to a CID from the
Federal Trade Commission, or a subpoena from a state Attorney General.
Among other things, they can provide insight concerning issues and facts
that will likely be of interest to the government agency, they can draw
from their experience with particular government agencies and particular
government staff attorneys, and can help craft interrogatory responses and
organize document productions.
	 At the same time, outside counsel are often not the best resource to
coordinate the collection of documents and information from in-house departments and corporate employees. If a company has available in-house
resources, having in-house counsel take the first steps to collect documents
responsive to document requests, and to draft responses to investigatory
demands, and then having outside counsel explore additional sources of
information, and revise written responses, can keep billable hours to a
minimum, while effectively leveraging resources.[3]

9. Propose Alternative Documents to Satisfy Requests
It is not uncommon for a subpoena or CID that was triggered by a data breach to go far afield in its requests for documents and information. Sometimes this reflects a regulator's desire to investigate a company's overall practices and procedures. Other times, this reflects a genuine
misunderstanding of the facts or circumstances of a data breach. Before
spending countless hours collecting documents or information that might
not be needed, outside counsel might be able to explain informally the
basic facts underlying the breach, and to propose what documents might
best illustrate those facts.

WELL AFTER A BREACH
10. Learn the Lessons
	 After responding to, investigating, and/or reporting a breach, it is
tempting to breathe a sigh of relief and return to other matters that were
put aside in the rush to take care of the incident. A data breach provides
a one-of-a-kind opportunity to test existing policies and procedures. Investing a small amount of time and money one or two months after a data
breach has been successfully resolved to determine what worked, what did
not work, and what could have worked better in responding to the breach
can save a large amount of time and money when responding to the next
breach.

Notes

[1] United States Government Accountability Office, Report to Congressional Requesters: Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown, at 34 (June 2007) (citing various surveys of corporate expenditures following data breaches).

[2] For more detailed data showing where data breaches most often occur, see http://www.privacyrights.org/ar/ChronDataBreaches.htm.

[3] As a caveat, companies that do not have experience responding to document requests issued by government agencies, or issued as part of civil litigation, may spend more money by attempting to coordinate or collect documents on their own. For instance, if documents are collected without keeping a proper chain of custody, without appropriately evaluating material for responsiveness and privilege, and without sensitivity to preserving the documents' integrity (e.g., the metadata of electronic documents), the collection may need to be redone by outside counsel, increasing, instead of reducing, a company's overall costs. The best advice when deciding how in-house and outside counsel resources should be used is to discuss with outside counsel, at an early stage, a proposed process and procedure for collecting materials and information in order to identify potential problems or deficiencies.

Contenu connexe

En vedette

False Personation aka Identity Theft
False Personation aka Identity TheftFalse Personation aka Identity Theft
False Personation aka Identity Theft- Mark - Fullbright
 
Interlink Interchange Reimbursement Fees – April 2013
Interlink Interchange Reimbursement Fees – April 2013Interlink Interchange Reimbursement Fees – April 2013
Interlink Interchange Reimbursement Fees – April 2013- Mark - Fullbright
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
Business Medical Identity Theft faq Health Care Health Plan
Business Medical Identity Theft faq Health Care Health PlanBusiness Medical Identity Theft faq Health Care Health Plan
Business Medical Identity Theft faq Health Care Health Plan- Mark - Fullbright
 
Small Businesses: Tips to Avoiding Fraudulent Chargebacks
Small Businesses: Tips to Avoiding Fraudulent ChargebacksSmall Businesses: Tips to Avoiding Fraudulent Chargebacks
Small Businesses: Tips to Avoiding Fraudulent Chargebacks- Mark - Fullbright
 
Police Report Vs. Incident Report
Police Report Vs. Incident ReportPolice Report Vs. Incident Report
Police Report Vs. Incident Report- Mark - Fullbright
 
From Consumer to Citizen - Digital Media and Youth Civic Engagement
From Consumer to Citizen - Digital Media and Youth Civic EngagementFrom Consumer to Citizen - Digital Media and Youth Civic Engagement
From Consumer to Citizen - Digital Media and Youth Civic Engagement- Mark - Fullbright
 
A Basic Guide to Safe Surfing on the Internet
A Basic Guide to Safe Surfing on the InternetA Basic Guide to Safe Surfing on the Internet
A Basic Guide to Safe Surfing on the Internet- Mark - Fullbright
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard- Mark - Fullbright
 

En vedette (9)

False Personation aka Identity Theft
False Personation aka Identity TheftFalse Personation aka Identity Theft
False Personation aka Identity Theft
 
Interlink Interchange Reimbursement Fees – April 2013
Interlink Interchange Reimbursement Fees – April 2013Interlink Interchange Reimbursement Fees – April 2013
Interlink Interchange Reimbursement Fees – April 2013
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
 
Business Medical Identity Theft faq Health Care Health Plan
Business Medical Identity Theft faq Health Care Health PlanBusiness Medical Identity Theft faq Health Care Health Plan
Business Medical Identity Theft faq Health Care Health Plan
 
Small Businesses: Tips to Avoiding Fraudulent Chargebacks
Small Businesses: Tips to Avoiding Fraudulent ChargebacksSmall Businesses: Tips to Avoiding Fraudulent Chargebacks
Small Businesses: Tips to Avoiding Fraudulent Chargebacks
 
Police Report Vs. Incident Report
Police Report Vs. Incident ReportPolice Report Vs. Incident Report
Police Report Vs. Incident Report
 
From Consumer to Citizen - Digital Media and Youth Civic Engagement
From Consumer to Citizen - Digital Media and Youth Civic EngagementFrom Consumer to Citizen - Digital Media and Youth Civic Engagement
From Consumer to Citizen - Digital Media and Youth Civic Engagement
 
A Basic Guide to Safe Surfing on the Internet
A Basic Guide to Safe Surfing on the InternetA Basic Guide to Safe Surfing on the Internet
A Basic Guide to Safe Surfing on the Internet
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 

Plus de - Mark - Fullbright

ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019- Mark - Fullbright
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019- Mark - Fullbright
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...- Mark - Fullbright
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report- Mark - Fullbright
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 - Mark - Fullbright
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft- Mark - Fullbright
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017- Mark - Fullbright
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business- Mark - Fullbright
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business- Mark - Fullbright
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report- Mark - Fullbright
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016- Mark - Fullbright
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015- Mark - Fullbright
 

Plus de - Mark - Fullbright (20)

ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
 
IC3 2019 Internet Crime Report
IC3 2019 Internet Crime ReportIC3 2019 Internet Crime Report
IC3 2019 Internet Crime Report
 
Police, Protesters, Press, 2020
Police, Protesters, Press, 2020Police, Protesters, Press, 2020
Police, Protesters, Press, 2020
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)
 
FCPA Guidance 2020
FCPA Guidance 2020FCPA Guidance 2020
FCPA Guidance 2020
 
Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
 
2018 IC3 Report
2018 IC3 Report2018 IC3 Report
2018 IC3 Report
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018
 
Credit Score Explainer
Credit Score ExplainerCredit Score Explainer
Credit Score Explainer
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015
 

Dernier

The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Pooja Nehwal
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 

Dernier (20)

The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Nutritional Needs Presentation - HLTH 104
can be substantial; for large breaches involving millions of records, the total cost can be enormous.

	 Although there are always costs in responding to a data breach, companies, especially companies responding to a data breach for the first time, often overlook simple ways to reduce and mitigate these costs. The following suggestions illustrate 10 specific ways in which companies could (but most companies don't) lower the cost of responding to a data breach. These suggestions include steps that a company can take before a breach occurs, immediately after a breach occurs, and well after a breach occurs.

BEFORE A BREACH OCCURS

1. Create a Notification Policy

	 Most notification statutes provide that if a company creates its own policy for notifying consumers, and that policy is consistent with the law's "timing requirements," then a company that complies with its own policy will be "deemed" in compliance with the statute. Fashioning a corporate notification policy before a breach occurs can help avoid some of the largest costs associated with consumer notifications. For instance, a corporate policy might state that consumers will be notified by e-mail instead of by mail, saving thousands of dollars in printing and mailing fees if a breach occurs.

	 In addition to the direct savings that can be achieved through the substantive provisions of a corporate breach notification policy, such a policy can also produce significant indirect savings by establishing a clear procedural framework. For instance, by providing instructions for how breaches will be reported internally through a company's organizational structure, and who (or which department) will be responsible for investigating a breach, the policy can prevent the loss of time and money that occurs during the first few days of an uncoordinated response to a data breach.

2. Up-to-Date Safeguards Policy

	 The best way to save money when responding to a data breach is to not have the breach in the first place. Although most companies are required under federal law (e.g., Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act) or state law (e.g., state "safeguards" statutes) to evaluate security risks and to create a policy to address those risks, many companies do not evaluate security risks regularly. Although the frequency with which risks need to be evaluated varies by industry and by the type of data that a company maintains, every business should consider reevaluating its safeguards policy at least annually.

	 Even companies that regularly review their security policy often limit that review to evaluating whether the security policy adequately addresses new technological threats, such as viruses or malware. Security policies often neglect the fact that most breaches are not caused by a breach of the company's information technology infrastructure. When evaluating a security policy, a company should consider the following rough breakdown of where breaches occur:2

•	40 percent laptop thefts (half stolen outside of the company; half stolen while inside the company);

•	20 percent human or software error;

•	15 percent non-laptop theft;

•	15 percent hackers; and

•	10 percent intentional acts by employees.

AFTER A BREACH

3. Do Not Notify Consumers Unnecessarily

	 Many companies have started notifying consumers any time a potential breach occurs. Often the decision to issue notifications is made under the mistaken belief that companies are legally required to issue notifications after any potential breach, or under the belief that there is no downside to giving notice.

	 Notifying consumers before a company has fully investigated a potential breach can be incredibly costly. First, the company must bear the direct cost of issuing the notification, which, as discussed above, can be substantial. Second, notifying consumers before a company has fully investigated a breach may unnecessarily alarm or confuse consumers. Consumers who mistakenly believe that their data has been breached, or that they are at risk for identity theft, are more likely to file administrative or self-regulatory (e.g., Better Business Bureau) complaints or to initiate civil suits. Although there may be no substance to those complaints, the cost of responding to government investigations, demand letters, or complaints is almost always substantial.

	 Deciding whether to notify consumers of an incident should be done on a case-by-case basis. In many situations, what might look like a data security breach at first may not require notifying consumers if, after a careful and thorough investigation, it becomes apparent that the security, confidentiality, and integrity of consumers' information has not been compromised.

4. On the Fence About Notifying Consumers? Consider Asking Regulators Before Taking the Plunge

	 After investigating a potential breach, companies often conclude either that a breach has not, in fact, occurred, or that the security and confidentiality of consumer information has not been compromised as a result of a breach. Companies often decide to issue consumer notifications nonetheless, because they fear that a state or federal regulator may see the situation differently and penalize them for not having made consumer notifications.

	 Instead of second-guessing a reasoned decision that consumer notification is not needed or warranted, consider voluntarily providing state or federal regulators with information concerning the potential breach and the company's rationale for not issuing consumer notification, and inviting the regulator to offer its comments or opinions. If the regulator disagrees with your assessment and requests consumer notifications, the company is no worse off than it would have been had it issued the consumer notifications; on the other hand, the regulator's agreement with the company's position (or the regulator's silence) can be a powerful defense against any future claim that the decision not to notify consumers was unreasonable.

5. Consider Informally Notifying Government Regulators

	 Although some states require notification of regulators each time a breach occurs, most states, and most federal regulators, do not have such a requirement. Just because reporting an event is not required does not mean that it is not a good idea to consider reporting it voluntarily. Although in some cases voluntarily reporting a breach to regulators may bring unnecessary (and unwanted) attention from the government, in other cases, especially when a breach has already been publicized, it may head off government investigations or formal requests for documents and information.

6. Keep a Written Chronology of the Breach

	 The hours and days following a breach are usually hectic and filled with sometimes conflicting information arriving from various sources. Often the information that is filtering in comes in the form of internal e-mails, teleconferences, or interviews. During this process few companies keep a formal log of what the company/legal department knows (and when the company/legal department became aware of the information). Having in-house or outside counsel keep a running written chronology in anticipation of possible litigation can form the basis of what may ultimately become an incident response report, and can save countless hours reconstructing events from e-mails, handwritten notes, and follow-up interviews.

GOVERNMENT INVESTIGATIONS

7. Have Your Privacy Policy, Security Policy, and Safeguards Policy in One Place

	 It is not uncommon for a company to receive a subpoena, civil investigative demand ("CID"), or nonpublic inquiry following a breach. Although the inquiry may have been triggered by the breach, regulators often ask to see all of a company's consumer-focused statements concerning privacy and security. Making sure that these documents are up-to-date and that past versions of these documents are easily accessible can eliminate the time (and money) needed to find, collect, or reconstruct these policies.

8. Take a First Stab at Responding to Investigatory Demands

	 Most companies turn to outside counsel who specialize in consumer protection when they are the target of a government investigation. Outside counsel can be invaluable in helping to respond to a CID from the Federal Trade Commission, or a subpoena from a state Attorney General. Among other things, they can provide insight concerning issues and facts that will likely be of interest to the government agency, they can draw from their experience with particular government agencies and particular government staff attorneys, and they can help craft interrogatory responses and organize document productions. At the same time, outside counsel are often not the best resource to coordinate the collection of documents and information from in-house departments and corporate employees. If a company has available in-house resources, having in-house counsel take the first steps to collect documents responsive to document requests and to draft responses to investigatory demands, and then having outside counsel explore additional sources of information and revise the written responses, can keep billable hours to a minimum while effectively leveraging resources.3

9. Propose Alternative Documents to Satisfy Requests

	 It is not uncommon for a subpoena or CID that was triggered by a data breach to go far afield in its request for documents and information. Sometimes this reflects a regulator's desire to investigate a company's overall practices and procedures. Other times, this reflects a genuine misunderstanding of the facts or circumstances of a data breach. Before spending countless hours collecting documents or information that might not be needed, outside counsel might be able to explain informally the basic facts underlying the breach, and to propose which documents might best illustrate those facts.

WELL AFTER A BREACH

10. Learn the Lessons

	 After responding to, investigating, and/or reporting a breach, it is tempting to breathe a sigh of relief and return to other matters that were put aside in the rush to take care of the incident. A data breach provides a one-of-a-kind opportunity to test existing policies and procedures. Investing a small amount of time and money one or two months after a data breach has been successfully resolved to determine what worked, what did not work, and what could have worked better in responding to the breach can save a large amount of time and money when responding to the next breach.

Notes

1 United States Government Accountability Office, Report to Congressional Requesters: Personal Information, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 34 (June 2007) (citing various surveys of corporate expenditures following data breach).

2 For more detailed data showing where data breaches most often occur, see http://www.privacyrights.org/ar/ChronDataBreaches.htm.

3 As a caveat, companies that do not have experience responding to document requests issued by government agencies, or issued as part of civil litigation, may spend more money by attempting to coordinate or collect documents on their own. For instance, if documents are collected without keeping a proper chain of custody, without appropriately evaluating material for responsiveness and privilege, and without sensitivity to preserving the documents' integrity (e.g., the metadata of electronic documents), the collection may need to be redone by outside counsel, increasing, instead of reducing, a company's overall costs. The best advice when deciding how in-house and outside counsel resources should be used is to discuss with outside counsel, at an early stage, a proposed process and procedure for collecting materials and information in order to identify potential problems or deficiencies.