Five key measures to consider in responding to a data breach in the United States
July 2018 | SPECIAL REPORT: WHITE-COLLAR CRIME
Financier Worldwide Magazine
July 2018 Issue
In addition to taking steps to prevent and detect a data breach or other cyber security incident, companies are now expected, if not required, to have plans to respond quickly and thoroughly to the incident. While every data breach will present unique issues best addressed by a combination of experienced legal counsel, forensic investigators, public relations specialists and other subject matter experts, a company doing business in the US should consider, at a minimum, the following five basic measures in formulating and executing its incident response.
Size up and stop the bleeding
Immediately upon discovering a potential data breach, the company should engage its internal information technology (IT) resources – and, depending on the circumstances, retain outside forensic investigators – to assess the scope of the breach, to contain it, and to restore the security and integrity of the company’s systems as expeditiously as possible.
By moving quickly to plug any vulnerability or ongoing exfiltration of data, the company reduces the potential harm to itself and third parties – and, to that extent, also mitigates its potential liability under US law. In addition, the nature of the breach response may be scrutinised by regulators, litigants and other constituents as rigorously as the extent of proactive measures the company adopted to prevent and detect such incidents in the first place.
Learn the facts and preserve the evidence
Both for its own diagnostic and defence needs as well as to address the expectations of regulators, law enforcement, shareholders and customers, the company should promptly commence a fact-finding investigation to piece together a coherent and accurate explanation of what happened.
Moving quickly is especially important in the cyber security space because electronic evidence, such as data logs, can be fleeting. If not immediately and properly preserved, IP logs and other critical data could prove impossible to recover later in a forensically sound way, or at all. Moreover, when confronted with a potentially ongoing intrusion by an unauthorised person, such as an external hacker or a rogue employee, electronic evidence might be deliberately erased and anti-forensic tools might be in use to cover the intruder’s tracks.
In light of the ease with which such evidence can be – purposefully or inadvertently – altered, tainted or deleted, it often will be advisable to engage forensic investigators who have the training, experience and tools to collect and analyse electronic evidence quickly and in a forensically sound manner. Gathering the facts in this way also is important because the findings of the investigation will inform the company’s assessment of its disclosure and notification obligations, and will form the basis of any public messaging about the incident.
Evaluate disclosure and notification obligations
The company should promptly evaluate, with the assistance of legal counsel, whether it is required to provide disclosure or notification regarding the data breach to affected third parties (including individuals whose personal information was potentially compromised), investors and the public, regulators and law enforcement, and the company’s insurance carrier.
First, with respect to notifications to affected individuals, in contrast with the European Union’s General Data Protection Regulation, there is no uniform consumer data breach notification statute in the US. Instead, the US landscape is defined by a patchwork of federal and state laws that impose overlapping and inconsistent notification requirements that vary depending on the particulars of the laws implicated. Typically, under the data breach notification statutes in most states, the residency of the individuals whose personal information was compromised determines which laws are triggered. As a result, one breach in a single location often will implicate the laws of multiple states and therefore necessitate a multi-state analysis of the company’s notification obligations.
Across the data breach notification statutes of many states, protected personal information is typically defined to include an individual’s name plus one or more pieces of identifying information, such as a social security number, driver’s licence number or bank account number, along with any required access code. However, some states protect information that others do not, such as an individual’s email address and password. Further complicating the analysis, some states exclude encrypted data from the definition of protected information, while other states do not.
In this regard, the company should work closely with counsel and forensic investigators to identify both the data that were potentially compromised and the residency of the associated individuals, in order to determine which laws, if any, cover the data in question.
The state data breach notification statutes do not have a consistent standard for even the threshold questions of what constitutes a breach, or when a company’s notification obligations are triggered by a possible breach. Many states define a breach as the unauthorised ‘acquisition’ of protected information, and provide that notification is required if the company reasonably believes that such acquisition has occurred. Several other states, however, set forth a lower threshold by requiring notification if the company reasonably believes that protected information was merely ‘accessed’ by an unauthorised person. Depending on the circumstances surrounding the incident and the clarity of the relevant facts, determining whether the incident requires notification may be a straightforward exercise. Where the facts are unclear or otherwise ambiguous, however, evaluating whether the company has a reasonable belief that protected information was accessed or acquired can involve a highly fact-dependent inquiry that the company, legal counsel and forensic investigators will need to work together to analyse.
Assuming the company concludes that notification is required in one or more states, it must keep in mind that the timing, form and content of any notifications vary across the states. Moreover, given the inconsistencies between state laws, the company may determine that it is obligated to provide notifications to affected individuals in some, but not all, of the states implicated. Under such circumstances, the company should consider whether to voluntarily notify all affected individuals, in all relevant states, in as uniform a manner as possible under the various laws. By doing so, the company can potentially mitigate the reputational risk that might otherwise flow from selectively disclosing the incident or providing different disclosures to residents of different states.
In addition, a number of US federal statutes impose specific notification obligations on businesses in particular industries – including banking, healthcare and defence contracting. Close care should be given to these federal requirements.
Second, with respect to disclosure to the public, the company should consider whether it is required to – or simply should in its discretion – disclose the incident to investors. The importance of timely public disclosure of cyber security incidents by US-listed companies was recently highlighted in a first-of-its-kind order by the Securities and Exchange Commission (SEC) relating to Yahoo!’s failure to disclose a large-scale data breach. In that order, based on its finding of violations of the US securities laws, the SEC imposed a $35m fine for Yahoo!’s two-year delay in disclosing the breach.
Third, certain state data breach notification laws and industry-specific federal statutes require disclosure to US agencies and law enforcement. Even where such disclosure is not legally mandated, the company should consider whether voluntary disclosure would be in its best interests and, in any event, expected by its constituents under the circumstances at hand.
Fourth, with respect to insurance, the company should review its policies to determine whether cyber incidents might be covered and, if so, provide any required notice to its carrier.
Formulate a unified and consistent public relations message
No matter how confident the company may be in its current understanding of the situation, the facts are bound to evolve as the investigation progresses and more information becomes available. For that reason, in preparing any external statements about the incident, the company should aim to strike a delicate balance: say enough to describe the situation to the satisfaction of the target audience, but not so much detail (especially about aspects that may not be conclusively determined) that the company increases the likelihood of later having to issue corrective statements based on subsequently learned information.
Equally important, the company should ensure that it speaks with one voice. To that end, it should consider designating a single point person for external communications and, depending on the magnitude of the breach, engaging an outside public relations firm.
Preserve attorney-client privilege
As an overarching consideration, the company should consider structuring its breach response in a way that maximises the protection under US law of the attorney-client privilege and work product doctrine. To do so, a lawyer should be designated as early as possible to direct and oversee the company’s response, including the collection of relevant facts and the evaluation of notification obligations. The lawyer should engage and direct any forensic investigators and other consultants, and the company’s internal IT staff should be instructed to work at the direction of, and report to, the lawyer.
By having a lawyer direct the response, the company will be able to more persuasively argue in the future that any disclosures to third parties (such as civil litigants) concerning the investigation and the company’s response should be precluded. While the company might elect down the road not to assert privilege over these matters, taking steps at the outset to preserve this option is generally advisable.
As the number and sophistication of cyber security risks continue to grow, it is virtually inevitable that every company will, at some point, become the victim of a data breach or other cyber security incident. When that happens, a company with a well-crafted response plan in place will be better positioned to mitigate the fallout than a company that has thought extensively about prevention and detection but less so about the response to an actual incident.
Paul C. Curnin and Nicholas S. Goldin are partners and Matthew C. Penny is an associate at Simpson Thacher & Bartlett LLP.
© Financier Worldwide