“Live Blog”: Data Breach War Room / Breach Preparation

As mentioned, I am a panelist at today’s “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami.  I will be “live blogging” the key lessons from today’s workshop.  My co-panelists, Meg Strickler, Jon Neiditz and Mark Mermelstein, will have the chance to review this content, but until they do, I am solely responsible for its content.   Here goes:

  • Most participants agree: react immediately to news of a data breach.  True, but:
    • be careful to preserve privilege — more easily done with outside counsel (or with well-trained in-house counsel).
    • Figure out what happened, but make sure your investigative activity doesn’t do more harm than good; ask: do I have the right resources to investigate, and to investigate it right?   (For instance, will I damage evidence?)
  • It is best to not be thinking about how to respond to a data breach for the first time when you first learn of the breach — have a plan in place that includes an integrated, cross-functional team.
  • In a data breach, response time is key and may be shorter than you think.
  • What do you do immediately?
  • How do you contain the damage?
  • Question: review state notification laws or notify customers?
    • On the one hand: Yes, state law is important… but being proactive and notifying all customers early can avoid unhappy folks and possibly litigation.
    • On the other: there is law (Neiman Marcus, PF Chang) that suggests that the time customers spend reviewing statements after a notice is actually an injury-in-fact.
    • Back to the first hand: yes, there is some risk (and it is evolving), but you may head off litigation.
    • This leads us back to plans: you cannot rely on your old/aging policies and procedures. You have to update your plans in light of legal, technological and social developments.
  • Know your cyber policy and know what it will cover:
    • Likely not able to cover lost intellectual property
    • Will cover costs of forensics, outside counsel, PR folks, etc.
  • PII and IP: Need to know what is valuable, what makes up the intellectual crown jewels:
    • Personally Identifiable Information
    • Core Intellectual Property assets
  • Remember that most breach analysis, law and popular culture focuses on PII. However, cybersecurity should also ensure that the intellectual property crown jewels are safe and available for use.
  • Should you disclose to law enforcement?
    • When obligated, obviously yes.  For instance, you may have obligations under SEC rules or those of a non-U.S. government.
    • But whether to voluntarily disclose hinges on whether law enforcement will be helpful or provide any tangible benefit (counsel can often help you find those members of law enforcement who are best, smartest and quickest).  How can they help?
      • Prosecution is unlikely, especially where the data and wrongdoer are out of the jurisdiction — and even worse if the wrongdoer is in a country like China where process will likely not be effective.
      • But they may be able to help “do deals” with bad actors
      • May have inside knowledge about the attack vector/provide real time or nuanced intelligence.
      • Net-net: unless required, call law enforcement when they are useful to you. Don’t just “check the box” – make a strategic decision.
  • Plan to deal with cyber whistleblowers; they may complain about disclosure and/or the quality of the investigation.
  • Breaches are not a single thing; breaches are different kinds of incidents.
    • For instance, there is a qualitative difference between breached numbers that can be changed (credit card numbers) vs. those that cannot (social security numbers).   The latter is worse, more typically covered by law and more usable in identity theft (and insurable).  With the latter, it may be worth being slower in disclosing (in order to do a full investigation) rather than being proactive.  Why?  Because there is nothing that can be done.  Remember: while speed may help reduce remediation costs… every US social security number is out there (the U.S. has a “broken system of identity management”).
    • Breaches that involve the theft of the intellectual crown jewels are likely not insurable, but can do fundamental damage to the company.
  • Relatively few employers are being sued by workers for data breaches. But there are other key consequences.
  • Worth noting that data breaches are becoming a part of our culture.  There is evidence that customers, employees, etc. are punishing companies less in the marketplace.
  • While suing in the US and/or using law enforcement is of dubious effect for data removed from the country, it may be helpful in building a case for future action.
  • Establish plans (or SOPs) and establish key relationships with counsel, coaches and LEOs.   Threat sharing and collaboration is useful.
