By: Hooman Yavi
Handling a data breach is undoubtedly a delicate matter. Oftentimes over-reliance on templates and inexperienced counsel can lead to mistakes in how a company notifies affected individuals.
Although nobody will be happy to learn that their personal information has been compromised, companies can overcome some of the pitfalls and backlashes of mishandling a breach by focusing on the process and content of the notification.
Process: Investigate & Communicate
In deciding when to disclose the data breach, companies must carefully balance the need to conduct a thorough investigation against the public and regulatory demand that they notify affected individuals as soon as possible.
To ensure that communications with the public and regulators are complete, accurate, and compliant, companies should first determine what happened, who was affected, and what information was breached. Before making any disclosures, the company must be confident that forthcoming forensic evidence will support and corroborate its answers rather than contradict or change them.
Timing of the disclosure must also satisfy State Data Breach Notification Laws. For instance, in California, companies must make the disclosure “in the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82(a). A notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. But as soon as the agency determines that it will not compromise the investigation, disclosure must be promptly made. Companies can, however, buy more time if they can demonstrate a need to take measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Once experts and law enforcement agencies have analyzed the breach and gathered consistent and reliable answers about what happened, who was affected, and what information was breached, the company must decide how to disclose its answers.
Individuals affected by a data breach will immediately be put on high alert upon learning of the breach, and an unofficial, unfamiliar medium of communication may confuse and irritate them, or it may invite phishing copycats that would further tarnish the company’s reputation. Companies should instead use their existing and official communications channels to disclose any information relating to the breach, and to provide those affected by the breach with clear steps for how they can protect themselves.
Additional training and resources may also be required to support the individuals affected by the breach who have questions or need help. Companies must be prepared to allocate resources towards training their staff on responding to calls and answering online inquiries, as the influx of information requests often increases significantly in the aftermath of a data breach.
Content: Communication and Transparency
As previously mentioned, the central elements of a disclosure should answer questions about what happened, who was affected, and what data was breached. A successful communication will also include information about how the affected individual can take steps to protect themselves.
To satisfy regulatory requirements, companies must also ensure that the notifications they provide comply with state data breach notification laws. For instance, the California data breach notification law (Cal. Civ. Code § 1798.82) requires the following:
- The notification must be written in plain language.
- It must be titled “Notice of Data Breach” and include the following headings:
  - “What Happened”
  - “What Information Was Involved”
  - “What We Are Doing”
  - “What You Can Do”
  - “For More Information”
- The format of the notice must be designed to call attention to the nature and significance of the information it contains.
- The title and headings must be clearly and conspicuously displayed.
- The text of the notification cannot be in a font smaller than 10-point type.
- The text of the notification must include the following pieces of information:
  - The name and contact information of the reporting company
  - A list of all types of personal information that were subject to the breach
  - The date, or estimated date or date range, of the breach
  - Whether notification was delayed as a result of a law enforcement investigation
  - A general description of the breach
  - The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number, driver’s license number, or California ID card number
- If the breach exposed Social Security numbers, driver’s license numbers, or California ID card numbers, the company must offer to provide appropriate identity theft prevention and mitigation services for no less than 1 year, with instructions on how to take advantage of the offer.
After the notification has been sent, companies can decline to answer questions from the public about their security program, but regulators expect as much detailed information as possible, with a focus on any security failures that allowed the incident to occur and on whether the organization had adequate safeguards in place to protect personal information.
Regulatory information requests are often technical. Nevertheless, companies should ensure that adequate counsel reviews every document and written response to protect against further liability.
Even the most prudent and sensible handling of a data breach disclosure can have a deep and long-lasting impact on a company’s relationship with its clients, regulators, and the public at large.
To rebuild trust, companies must take appropriate accountability for the data breach, focus their efforts on preventative measures that improve their security programs, implement and maintain new systems, conduct risk assessments and stress analysis, and improve policies and procedures for dealing with breaches.
Through careful preparation, companies can ensure that, if a data breach occurs, they will be able to avoid the negative backlash often associated with mishandling the notification and disclosure process, and can quickly recover and rebuild in its aftermath.
Please call us if you have questions about this legal alert, or if your company is faced with a data breach.