By David White / AlixPartners LLP
Responding to data breaches can be a tricky business. If not managed correctly, corporate liability can easily be exponentially compounded. The key to successfully managing any complex crisis lies in the planning. It’s important to develop a carefully laid-out process long before the fire alarms start ringing. Once they do, there’s usually not much space for thinking of creative solutions. That’s why we map out our escape routes and post them on the wall for all to see.
Data breach planning is no different. Once counsel gets that call saying there’s been a security event, many moving pieces must be carefully and strategically orchestrated. These include notifying insurance carriers, engaging outside counsel and forensic experts, managing the internal IT response team, notifying board members and executives and overseeing public relations damage control with the media, just to name a few. For breaches involving customer or employee personally identifiable information (PII), counsel must also determine the company’s obligation to notify government regulators and the individuals whose data was stolen, often referred to as the “data subjects.” This task may seem fairly simple on its face, but it’s often the most complex part of post-incident breach response – especially for companies with global footprints.
One of the unique aspects of data privacy laws is that they typically get triggered not by the storage location of the data – though that’s sometimes part of the equation – but by the residence of the person to whom the data pertains. This is equally true both domestically—among the various U.S. state laws—and internationally. The reason behind it is that data is highly mobile and governing bodies want to protect the privacy rights of their citizens regardless of where the data itself may be stored. Otherwise, data controllers would move data from more restrictive locations to less restrictive ones and thwart all protections. The end result for those responding to data breaches is that even a relatively small set of data can trigger the laws of a large number of jurisdictions.
Unless a privacy assessment has been conducted in advance, counsel may have to wait until a forensic investigation is completed before it can determine which jurisdictions are implicated. Such an investigation includes listing all of the countries and all of the states where the data subjects reside. Then, for each, a legal assessment must be performed to determine which jurisdictions have notification requirements and whether those requirements have in fact been triggered.
For example, there’s significant deviation both domestically and internationally as to what kinds of data constitute personally identifiable information. Most jurisdictions include in their definitions people’s names combined with at least one of the following: home addresses, national identification numbers or account numbers. Others, but not all, include email addresses, IP addresses and international mobile equipment identity numbers (IMEIs). Therefore, it’s important to determine the specific content of the actual data breached in order to assess whether the definitions of any specific jurisdictions apply.
Even when a definition does apply, notice requirements still might not be triggered. Although not the norm, a few jurisdictions in Southeast Asia have territorial limits to their breach notice requirements. In those locations, notices may only be required for breaches that occur within the jurisdictions or for breaches that relate to activities conducted in the jurisdiction or that specifically target that jurisdiction’s citizens.
More commonly, jurisdictions worldwide typically have individual threshold limits that must be reached before notice requirements trigger. For example, notices may have to be sent to data subjects only when more than 10,000 records were exposed. Or regulator notification may be required only when a certain record type is involved, such as financial or health records. Some jurisdictions may require that both regulators and data subjects be notified; and in others, only one or the other. The required content and form of notices also vary greatly – from public notice in a newspaper, to emails, to written letters.
Those are just a few of the many issues that need consideration in order to tackle breach-notice requirements. Combine them with all the other issues involved and the benefits of advanced planning should be obvious. This is especially true because time will also be working against you: the initial forensic analysis will likely take several weeks, and the legal analysis will likely take even longer. Yet, at the same time, the clock will be ticking against the timeliness requirement stipulated by most notification regulations.
For example, in April New Mexico became the 48th state to enact a data breach notification law – leaving Alabama and South Dakota as the two states that lack requirements. Under that law, notice must be made to the attorney general, New Mexico residents and consumer reporting agencies within 45 calendar days of discovery of a security breach – if over 1,000 residents are impacted. However, the notice requirement is waived if an investigation determines that the event does not give rise to a significant risk of identity theft or fraud. This essentially leaves companies with less than 45 days to complete their full investigation and impact assessment, unless they have taken steps to plan for such an event in advance.
This is one more reason why those who are prepared will fare the best. Including breach response planning in your routine privacy assessments, and understanding your potential notice requirements before a breach occurs, will save you a lot of headache pills when your breach day comes.
David White is a director at AlixPartners LLP, where he advises clients on information governance, information security and electronic discovery. He can be reached at firstname.lastname@example.org.