This is Part II of a two-part series. Read Part I here.
The implications of a data breach can impact a company or law firm for years, as I discussed in Part I. Consumer trust and firm reputation are at stake, not to mention potential consumer class action suits and business partner litigation, 20 years of monitoring by the Federal Trade Commission (FTC), and costly compliance tasks. I continue our interview with IDShield’s senior product manager, Jennifer Stueckler, this time exploring legal’s role in a data breach.
Dave Coffey (DC): Tell us a little more about the in-house scenario for an attack?
Jennifer Stueckler (JS): When a corporation has a data breach, legal is more frequently becoming the “quarterback” of response efforts for the response plan, laws, and communication. For cyber threats and protection, executives and firm leaders need to understand:
- There is no “one size fits all” approach to dealing with cyber security.
- Cyber threats are broad and include: attacks, hacking, ransomware, phishing schemes, and more.
- Theft, employee mistakes, insider misconduct, and third-party provider mismanagement all lead to breaches.
DC: In the Logicforce Cyber Security Scorecard, of the 200 firms surveyed, 80% are not vetting those third-party providers’ data security practices. The report goes on to say that 63% of breaches are connected to those third parties. What steps should be taken when you learn of a breach?
JS: The first 72 hours are critical because decisions and actions taken in response can have a profound impact on your legal exposure. Accordingly, one of the first calls (if not the first) should be to ascertain experienced legal counsel, and the following steps should be taken:
- Conduct an investigation to provide legal advice, such that the results will be protected from later discovery by applicable privilege.
- Obtain advice on legal obligations for the investigation of a data security breach.
- Analysis and investigation are necessary for providing legal advice on the scope and reasons for breach.
- Ascertain the appropriate notification laws.
DC: Can you tell us a bit more about the notification laws?
JS: 49 states and territories have enacted separate notification laws and only Alabama and South Dakota do not have notification requirements. Different state mandates impact requirements when an event occurs and states are still making incremental changes. A few recent examples:
- New Mexico’s first notification law includes biometric data as personally identifiable information (PII), and notifications must be done within 45 days of discovery.
- Tennessee clarified a recent amendment that notification was not necessary if breached data was encrypted.
- Virginia amended its law to include a requirement for notification by the Attorney General to the Department of Taxation (in the wake of W-2 breaches).
DC: The Logicforce report noted that 77% of law firms don’t carry cyber insurance. In addition, 60% do not have anyone tasked with security and compliance and those firms do not plan to fill that role. Any additional advice for firms or companies facing a breach?
JS: While no one can completely protect against identity theft (because of a data breach), if your firm is hit with a breach, an important component of your response is providing identity theft protection for your clients. To ensure clients are as protected as possible, your identity theft plan should include these three key areas:
- Monitoring: Keep an eye on information in the places it is most likely to show up during identity theft.
- Consultation: Have experts on hand to answer any questions, provide information on identity theft trends, and provide tips to stay safe.
- Restoration: In the case of identity theft, have true experts who are ready and capable to completely resolve the theft and get the client’s identity back to its pre-theft status.
Thank you, Jennifer, for sharing this valuable information. The top takeaways, regardless of whether you are a consumer, a firm, or a company facing a breach, are as follows:
- Respond quickly and aggressively.
- Structure your response effectively.
- Be on the defensive; don’t be a defeatist.
- Avoid creating a bad record or manage your public relations.
- Manage expectations and prepare for what’s next.