Prepare for the Worst: Best Practices for Responding to Cybersecurity Breaches

Are You at Risk of a Cybersecurity Breach?

Do you:

  • Have a website or a mobile application?
  • Own, collect, store, or process sensitive data?
  • Use smartphones, email, social media, cloud-based services, or laptops?

You are at risk of a cybersecurity breach!

You Need a Cybersecurity Program!

  • Do you have security policies and procedures in place that are reasonably designed to protect your systems and sensitive data?
  • Reasonable security procedures help minimize the risk of liability to third parties and of regulatory penalties.
  • A cybersecurity program should address what to do in the event of a breach.
  • The key to handling a security incident well is to prepare for it.

What if I Don’t Want to Spend the Money on a Cybersecurity Program?

  • It is far more expensive to deal with a breach than it is to put a cybersecurity program in place.
  • You must respond to a breach whether or not you have prepared for one.
  • You could lose profits through disruption of operations.
  • You could be subject to civil or regulatory action relating to the breach.

Potential Liability for Security Breaches
Examples of Some Private Rights of Action.

  • Negligence.
  • Breach of contract.
  • Breach of fiduciary duty.
  • Invasion of privacy.
  • Conversion.
  • Unjust enrichment.
  • Class actions.
  • Waste of corporate assets.
  • Abuse of control.
  • Shareholder derivative suits.

Examples of Regulatory Action.

  • FTC enforcement actions for inadequate data privacy and security measures.
  • HHS enforcement actions against entities covered by HIPAA that fail to comply with the privacy and security rules.
  • Securities and Exchange Commission actions for failure to fully or timely disclose a material data breach.
  • State enforcement actions, which can overlap with federal enforcement actions relating to the same security breach.

Will a Cybersecurity Program Completely Insulate Me from a Breach?

  • No!
  • STILL at risk of breach!
  • No security program is invincible.

What Do I Do if There Has Been a Breach?

  • If you have a cybersecurity program in place, look there first for guidance and follow its breach response procedures.
  • Contain the breach to stop ongoing unauthorized access, calling in a technical expert if necessary; preserve logs and affected systems so the evidence is available to the investigation.
  • Assess the extent of the breach by beginning an investigation immediately.
  • Promptly coordinate a response to the breach.

Response to a Breach
Identify regulatory requirements affecting your response to the breach.

  • Release of some sensitive information may trigger notice obligations.
    • State law, depending on the residency of the affected parties.
    • Federal law, depending on whether the information is regulated (e.g., HIPAA).
  • Most states’ disclosure obligations are triggered when a company knows or reasonably believes that personal information was acquired by unauthorized third parties.
  • Disclosures are to be made without unreasonable delay.

Michigan Data Breach Notification Law

  • Notice of “breach” must be given to a Michigan resident if (i) that resident’s unredacted and unencrypted “Personal Information” was accessed by an unauthorized person, or (ii) the resident’s “Personal Information” was accessed in encrypted form by a person with unauthorized access to the encryption key.
  • No notification is required if the covered entity determines that the breach has not caused and is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
  • “Breach” = the unauthorized access and acquisition of data that compromises the security or confidentiality of “Personal Information” maintained by a covered entity as part of a database of “Personal Information” regarding multiple individuals.
  • In determining whether a breach has occurred, the covered entity must act with the care an ordinarily prudent entity in a similar position would exercise under similar circumstances.
  • “Personal Information” = first name or first initial and last name linked to one or more of the following regarding a Michigan resident –
    • SSN.
    • Driver’s license or Michigan ID card number.
    • Financial account number, or credit/debit card number, in combination with any required code that would permit access to the resident’s financial accounts.
  • Entities covered by this law (“covered entity”) = any individual, partnership, corporation, LLC, association, or other legal entity, or any department, board, commission, office, agency, authority, or other unit of state government of Michigan, that owns or licenses data that includes personal information of a Michigan resident.
  • The statute provides directives regarding –
    • The method of notice required.
    • The content of the notice.
    • The timing of notification (generally, without unreasonable delay).
    • Whether notice must be provided to consumer reporting agencies.
    • Whether notice requirements under another statute (e.g., HIPAA) replace the state requirements.
  • Methods of notice –
    • Written notice to the recipient’s postal address.
    • Electronic notice if (i) the recipient has consented to receive electronic notice; (ii) the covered entity has an existing business relationship with the recipient that includes periodic electronic communications, such that the covered entity reasonably believes it has the recipient’s current email address; or (iii) the covered entity conducts its business primarily through internet account transactions or on the internet.
    • Telephonic notice if (i) the notice is not given by recorded message; and (ii) either the recipient has consented to receive notice by telephone, or the covered entity also provides notice by one of the above methods when the telephone call does not result in a live conversation with the recipient within 3 business days after the initial attempt to provide telephonic notice.

Substitute method of notice –

  • If the covered entity demonstrates that the cost of providing notice would exceed $250,000, or that notice would have to be provided to more than 500,000 Michigan residents, it may give substitute notice by doing all of the following –
    • Email notice if the covered entity has email addresses for the recipients;
    • Conspicuous posting on the covered entity’s website; and
    • Notification to major statewide media, which must include a telephone number or website address a person may use to obtain additional information.

Content of notice –

  • Written in a clear and conspicuous manner.
  • Describe the breach in general terms.
  • Describe the type of personal information that is the subject of the unauthorized access or use.
  • Generally describe what the covered entity has done to protect data from further security breaches.
  • Include a phone number where the recipient can obtain assistance or additional information.
  • Remind recipients of the need to remain vigilant for incidents of fraud and identity theft.

Penalties –

  • Giving notice of a security breach that has not occurred, with intent to defraud, is a misdemeanor punishable by up to 30 days’ imprisonment and a $250 fine per violation.
  • A covered entity that fails to provide required notice may be ordered to pay a civil fine of up to $250 for each failure, not to exceed $750,000 per security breach.
  • These penalties do not affect the availability of civil remedies under state or federal law.

Tread Carefully in Communications

  • Comply with legal disclosure obligations.
  • Avoid waiving the privilege attaching to confidential communications.
  • Manage litigation risks.
  • Develop a communications strategy –
    • Internal, to stakeholders, employees, etc.
    • Public, including press releases and notices to customers.

Third Party Involvement in Data Breach Response

  • Evaluate which third parties to bring in to assist –
    • Forensic investigator.
    • Law enforcement.
    • Insurance agent or carrier (to determine whether the breach is covered).
    • Public relations team.
    • Legal counsel.