Data Breach Anatomy

Alan Charles Raul

202-736-8477

Prevent and Prepare

Know your risks in advance
Identify your team
Develop and enforce privacy and information security policies
Be familiar with state and federal requirements
Incorporate and update industry best practices and standards
Ensure that senior management is engaged
Train employees
Build a culture of privacy and security

Discover and Investigate

Assessment
– Has a breach occurred?
– Who is affected?
– Is sending notice required?
– Is regulatory notification needed?
– What are the published privacy policies of the institution?
– What corrective action is needed?
– Assessment report
Investigation
– Who investigates, and the timing of the investigation
– Computer forensics
– Data collection
– Interviews
– Breaches caused by a third party
– Investigative committee
Develop Your Compliance Strategy

What are your values and objectives?
What are the risks of over-notifying?
– Consumers or employees?
– Media attention
What are the risks of under-notifying?
– Lawsuit exposure
Inside or outside guidance?
Balance need for speed and accuracy
Notify once, completely
– Avoid perception of cover-up or escalating crisis

Notify and Comply

Notices
– Decide whether you need to notify
– Timing of sending notice
– Method of sending notice
– Who receives notice
– Notice to other data owners
– Notice to regulators, state Attorneys General, and consumer protection agencies
– Notice to credit bureaus

Notification to AGs

Duty to provide notice to State Attorneys General
– New York: requires notice to the state Attorney General, the Consumer Protection Board, and the state Office of Cyber Security and Critical Infrastructure
– New Jersey: CyberCrimes section of state police
– North Carolina: consumer protection agency notice
– New Hampshire and Hawaii: statutes not yet effective
– Did you call California?

Notifications to Credit Bureaus

National Credit Bureaus
– Required under several state laws
– Often a marketing opportunity for the credit bureaus
– Expect a hard sell on the need to provide credit monitoring
– Can you expect / require confidentiality from the credit bureaus regarding these notices?
– Consider pre-breach negotiation with bureaus to avoid delay

Notice to Consumers

Content requirements for the notice are vague in many state statutes
Federal interagency guidance is valuable:
– Be clear and conspicuous
– Describe incident in general terms and the type of customer information at issue
– Generally describe efforts to prevent further unauthorized access
– Include a telephone number that customers can call for further information
– Remind customers of the need to remain vigilant over the next 12-24 months
– Suggest prompt reporting of suspected identity theft to the institution
– Recommend reviewing account statements and reporting suspicious activity
– Describe fraud alerts and explain process
– Recommend periodically obtaining and reviewing credit reports
– Explain how to obtain credit reports free of charge; and
– Provide information about the availability of the FTC’s online guidance and encourage reporting identity theft to the FTC
No litigation yet on adequacy of notice
Recover and Reassure

Dedicated customer service phone line
– Train customer service representatives (CSRs) on appropriate responses to inquiries
Offer credit monitoring services
– Costs/benefits
Implement and update security measures
– Lessons learned
Do not rest on your laurels
– Engage in ongoing monitoring and testing of your security measures
– Consider regular audits, perhaps by an independent third party

The Information Law and Privacy Practice of Sidley Austin LLP offers clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, health care lawyers, EU specialists, IT licensing and marketing counsel, intellectual property lawyers, and white collar lawyers. For more information, please visit www.sidley.com/cyberlaw, or contact Alan Charles Raul, 202.736.8477.

This Data Breach Incident Response Planning Tool has been prepared by SIDLEY AUSTIN LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Sidley Austin LLP, a Delaware limited liability partnership, operates in affiliation with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership, Sidley Austin (UK) LLP, a Delaware limited liability partnership (through which the London office operates), and Sidley Austin, a New York general partnership (through which the Hong Kong office operates). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley or the firm.

Attorney Advertising. For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results described herein do not guarantee a similar outcome.
