No right way or right time, but data breach notification a must

By Chad Hemenway on April 4, 2014

When and how much to tell the public following a data breach is an increasingly common theme and point of criticism, but advisors seem to agree that, in most cases, notifications are the best practice.

“Every situation and business model is different but if you decide you should or must [notify customers] it’s best to go public as soon as you can—when you have an appropriate amount of information,” John Mullen, partner at Lewis Brisbois and chair of the firm’s Data Privacy & Network Security Practice, told Advisen. “Get out in front of the news. You want to seem forthcoming and honest for several reasons.”

Among the reasons, said Mullen and his peers, are those pertaining to legal, litigation and reputational ramifications—as well as contractual obligations.

“There is no one right way or time to disclose a data breach,” added Jim McCullagh, a partner at Perkins Coie’s litigation practice and co-chair of the firm’s Privacy & Security practice. “Companies in this situation are often dealing with imperfect information and breaches can come in many forms–from a misdirected email to a lost or stolen employee laptop, or a criminal intrusion into a company’s network–but regardless of the breach, the company must place a high priority on identifying the facts of the breach and alert customers to any resulting risk.”

It appears as though many companies have released information in stages—first telling the public they are aware of the breach and then periodically notifying customers as additional information becomes known.

International beauty-supply retailer Sally Beauty Supply said in early March that it was investigating a possible breach. Shortly thereafter Sally Beauty told the public its investigation of the hacking revealed that fewer than 25,000 records with payment card data were accessed. However, a recent release from the company said the data breach is worse than originally thought.

Sally Beauty added it “will not speculate on the scope of our recent data security incident until the forensic review progresses because experience with such incidents at other retailers has taught that it is difficult to ascertain the extent of a data breach incident until the required forensic review is complete.”

Target has followed a similar notification pattern during its higher-profile data breach—one that has landed it in front of Congress to, in part, answer criticism that it did not notify customers promptly. It also faces a multitude of class-action lawsuits alleging the same.

The idea of data-breach notification may seem simple to a layperson or regulator, but the practice is not as easy as it appears.

“Over-notification or premature notification may do more harm than good as it can cause unnecessary alarm in customers, or begin to desensitize them to the importance of reading notices,” McCullagh said.

Roberta Anderson, partner in K&L Gates’ Pittsburgh office, told Advisen the risks of nondisclosure “far outweigh any associated with going public” when it is appropriate to do so.

Companies can face legal action, fines and penalties, and additional punitive class actions. And they can lose their insurance coverage. A number of policies contain exclusions that deny coverage to companies that intentionally fail to disclose the loss of personal information in violation of laws or regulations, she explained.

Because cyber insurance is written on a claims-made basis, a policy generally responds only to claims made and reported to the insurer during the policy period. A corporation that delays notification therefore risks having the resulting claims fall outside the period of the policy that was in force when the breach occurred.

Companies storing health information must adhere to federal mandates under HIPAA. Almost all companies are likely to face state law when personal information is compromised: forty-six states have security breach notification laws, each with its own definition of personal information and its own notification requirements.

According to Ed Goodman, chief privacy officer at IDT911, “Some breach notification laws are silent as to the number of days that constitutes a ‘reasonable investigation.’ However, they use language such as ‘promptly determine’ and without ‘unreasonable delay.’”

He said that, based on statutorily articulated timeframes in other state jurisdictions and federal requirements, “30-45 days appear to be the number.” Only four states give a specific timeline for notification: 45 days—or as soon as practicable.

“In the case of some of the large retail breaches, there is a possibility that law enforcement (FBI, Secret Service, etc.) asked for a delay in notification, which is permissible under state breach laws,” Goodman added.

Still, many companies “do not notify when they should,” Mullen said. Why? “Because they don’t think they’ll get caught.”

According to a survey by ThreatTrack Security, almost 6 in 10 malware analysts said they’ve investigated or handled a data breach that was never disclosed by their company.

Anderson said companies may think the breach is contained, or fear the regulatory or reputational repercussions.

“Companies that do this face a potentially embarrassing and incriminating future,” she said.

Several proposed data-breach notification bills are floating around Washington, D.C. Over the last several years such proposed laws have fizzled and died without the support to carry them through, but today these bills appear to have additional momentum and backing.

Sandra L. Kennedy, president of the Retail Industry Leaders Association, recently told the Senate Homeland Security and Governmental Affairs Committee that the RILA “supports federal data-breach notification legislation that is practical, proportional and sets a single national standard that replaces the patchwork of state laws in place today.”

The Federal Trade Commission clearly wants to be the authority. It told the Senate committee the need for a breach notification law has never been greater, and it asked Congress to “allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances.”

The U.S. Securities and Exchange Commission has expressed its belief that it plays an important role in cybersecurity, issuing guidance to companies on their disclosure obligations. However, a recent roundtable discussion did not produce a consensus on when companies should report data breaches.

“There is no doubt that the SEC must play a role in this area,” said Commissioner Luis A. Aguilar. “What is less clear is what that role should be.”

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].