Data Breach Anatomy
Alan Charles Raul
202-736-8477
Prevent and Prepare
Know your risks in advance
Identify your team
Develop and enforce privacy and information security policies
Be familiar with state and federal requirements
Incorporate and update industry best practices and standards
Ensure that senior management is engaged
Train employees
Build culture of privacy and security
Discover and Investigate
Assessment
– Has a breach occurred?
– Who is affected?
– Is sending notice required?
– Is regulatory notification needed?
– What are the published privacy policies of the institution?
– What corrective action is needed?
– Assessment report
Investigation
– Who investigates, and timing of the investigation
– Computer forensics
– Data collection
– Interviews
– Breaches caused by a third party
– Investigative committee
Develop Your Compliance Strategy
What are the risks of over-notifying?
– Consumers or employees?
– Media attention
What are the risks of under-notifying?
– Lawsuit exposure
Inside or outside guidance?
Balance need for speed and accuracy
Notify once, completely
– Avoid perception of cover-up or escalating crisis
Notify and Comply
Notices
– Decide whether you need to notify
– Timing of sending notice
– Method of sending notice
– Who receives notice
– Notice to other data owners
– Notice sent to regulators, AGs, Consumer Protection agencies
– Notice to credit bureaus
Notification to AGs
Duty to provide notice to State Attorneys General
– New York: requires notice to the state Attorney General, the Consumer Protection Board, and the state Office of Cyber Security and Critical Infrastructure
– New Jersey: CyberCrimes section of state police
– North Carolina: consumer protection agency notice
– New Hampshire & Hawaii not yet effective
– Did you call California?
Notifications to Credit Bureaus
National Credit Bureaus
– Required under several state laws
– Often a marketing opportunity for the credit bureaus
– Expect a hard sell on the need to provide credit monitoring
– Can you expect / require confidentiality from the credit bureaus regarding these notices?
– Consider pre-breach negotiation with bureaus to avoid delay
Notice to Consumers
Contents of notice are vague in many state statutes
Federal interagency guidance is valuable:
– Be clear and conspicuous
– Describe incident in general terms and the type of customer information at issue
– Generally describe efforts to prevent further unauthorized access
– Include a telephone number that customers can call for further information
– Remind customers of the need to remain vigilant over the next 12-24 months
– Suggest prompt reporting of suspected identity theft to the institution
– Recommend reviewing account statements and reporting suspicious activity
– Describe fraud alerts and explain process
– Recommend periodically obtaining and reviewing credit reports
– Explain how to obtain credit reports free of charge; and
– Provide information about the availability of the FTC’s online guidance and encourage reporting identity theft to the FTC
No litigation yet on adequacy of notice
Recover and Reassure
– Train CSRs on appropriate responses to inquiries
Offering credit monitoring services
– Costs/benefits
Implement and update security measures
– Lessons learned
Do not rest on your laurels
– Engage in ongoing monitoring and testing of your security measures
– Consider regular audits, perhaps by an independent third party
The Information Law and Privacy Practice of Sidley Austin LLP offers clients an interdisciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, health care lawyers, EU specialists, IT licensing and marketing counsel, intellectual property lawyers, and white collar lawyers. For more information, please visit www.sidley.com/cyberlaw, or contact Alan Charles Raul, 202.736.8477.
This Data Breach Incident Response Planning Tool has been prepared by SIDLEY AUSTIN LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.
Sidley Austin LLP, a Delaware limited liability partnership, operates in affiliation with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership, Sidley Austin (UK) LLP, a Delaware limited liability partnership (through which the London office operates), and Sidley Austin, a New York general partnership (through which the Hong Kong office operates). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley or the firm.
Attorney Advertising. For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results described herein do not guarantee a similar outcome.