
THE ROBE REPORT: Responding to data security breaches

By Karl Robe, Rebecca Grassl Bradley and Andy Schlidt

Data security breaches present a crisis situation faced by a growing number of companies and organizations both small and large, with no end in sight.

Organizational inattention to information security leaves businesses and their customers vulnerable to privacy violations, fraud, financial loss and reputational harm. Therefore, companies cannot blindly rely on their information technology staff or third-party contractors to secure sensitive data.

Ultimately, company leaders bear the responsibility to recognize the risks and take steps to prevent data loss or theft by implementing a comprehensive information security program, which includes incident response plans to minimize the adverse effects of a breach on the company and its customers.

While some studies indicate consumers are becoming numb to data breaches because responsible companies are paying for any financial effects, legislative and regulatory bodies are becoming increasingly concerned with the solvency of companies, shareholder impact, identity theft and many other issues associated with data breaches.

Consider the case of a prominent health insurer, which in a publicized announcement recently paid $1.5 million to settle violations of HIPAA’s Privacy and Security Rules, arising from the theft of unencrypted hard drives containing protected health information of over 1 million individuals.

No industry, however, is immune to data security breaches, especially when companies or their vendors collect and store credit card data, medical records, financial records, or personally identifiable information.

A study released by the Ponemon Institute in conjunction with Symantec sheds further light on the costs and causes of data breaches:

  • Costs to notify victims of a breach increased in this year’s study from approximately $510,000 to $560,000. A key factor is the increase in laws and regulations governing data breach notification.
  • Negligence remains the most common threat. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009. This steady trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies.
  • Encryption and other technologies are gaining ground as post-breach prevention, but training and awareness programs remain the most popular. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second most implemented preventive measure as a result of a data breach, utilized by 61 percent. Both encryption and data loss prevention solutions have increased 17 percent since 2008.
  • Malicious or criminal attacks are the most expensive and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act, up seven points from 2009, and averaged $318 per record, up 43 percent from 2009.

How to respond to a data breach

Upon becoming aware that a data breach has occurred, the affected company must act quickly to contain the breach, which requires an understanding of its origin and cause.

Consider whether law enforcement should be notified, and whether to contact the FBI or the U.S. Secret Service rather than a local police department that may not have the requisite resources to investigate the breach.

Forensic analysts may be retained to investigate and remediate the breach while preserving data that may be crucial for law enforcement to pursue the hackers who committed the breach.

Public relations professionals may be retained to handle media communications, particularly if the company is required by law to publicly report the data breach.

Insurance policies should be reviewed to determine whether coverage may exist for damages incurred by the company directly or by third parties as a result of the data breach.

Finally, the company’s contracts with affected customers and contractors should be reviewed to ascertain the company’s obligations to report the breach to those parties and indemnify them for any losses.

Many states have enacted data breach notification statutes that require companies to report incidents where personal information has been released without authorization. Analyzing which state laws may apply can be tricky because the laws are not uniform.

Many statutes impose time frames within which reports must be made. Notifications should be coordinated with law enforcement to avoid adversely affecting any investigation.

Karl Robe counsels attorneys and executives on communications strategies. Contact him at Karl James & Co. LLC by emailing [email protected].

Rebecca Grassl Bradley and Andrew Schlidt are attorneys and co-chairs of the Technology Law practice at Whyte Hirschboeck Dudek SC, Milwaukee. Bradley can be reached at [email protected] and Schlidt can be reached at [email protected].
