Corporate Life or Death: Data Breach Triage

When disaster strikes and victims flood into an emergency room, doctors conduct triage to determine the severity of injuries and who gets treatment first. Companies can similarly prepare for the inevitable data breach by building a cross-disciplined incident team trained to assess the damage, stop the bleeding, and respond appropriately to regulatory bodies and customers.

Despite the all-too-common occurrence of lost consumer data, surprisingly few companies have effective policies in place for dealing with those losses after the fact. Outside the financial sector, where regulations on data loss are strictest, post-breach data loss plans are rare. In fact, according to experts who have helped clients deal with the repercussions of lost data, many companies do exactly the wrong thing first in rushing to notify customers.

According to W. Scott Blackmer, a Utah-based attorney who has worked in technology law since the early 1980s, very few companies are prepared to deal with a loss of sensitive data. Blackmer has helped a number of clients, including some very large companies, handle both legal and policy issues after an unexpected data breach.

One of Blackmer's top recommendations to clients is to put together a team ahead of time to formulate contingency plans. "It doesn't mean you have to meet every month," he says, "but just like you have a disaster recovery plan, there should be contingency plans for dealing with a loss of sensitive data." That sort of incident team, Blackmer says, "is just coming into vogue; most organizations don't have them yet."

Blackmer has helped several very large companies through the type of security breaches that "hit the press and resulted in FTC and state investigations, and affected hundreds of thousands of people each over many states and several countries." In each case, he says, the company had various employees who were responsible for information security, privacy, customer relations, and government relations, but "had never put a team together that could come into being immediately when there was an incident."

Make the team cross-disciplinary, Blackmer suggests; typically, you'll want to include someone from very senior management, such as the CIO, CTO, or chief legal officer, along with representatives from customer relations, compliance, and human resources (since it's often employee data—or employees—that are involved). Someone representing compliance is especially important if you're a financial institution, since you need to be concerned with handling the situation in a way that complies with guidelines from your regulatory bodies.

Post-incident, Blackmer says, each breached company followed his advice and created a team. One client, he says, then suffered a second security incident, although not as widespread as the first, which it was able to deal with "noticeably faster and more economically, and with less stumbling from a public relations point of view."

"A well-managed company would have this charted out and a set of policies and procedures in advance," confirms David Weise, a financial services attorney with Tyler Cooper & Alcorn, a law firm based in Hartford, CT. "Time often is of the essence; you can't be making this up after the fact." Weise has worked with a number of financial institutions, which are highly regulated and must have in place policies and procedures for dealing with data loss.

Initial steps are to immediately figure out the nature of the breach, how extensive it was, and how much information was lost, Weise advises. "Where do you think the information is right now? Is it with the bad guys, or is it buried in a landfill?"

Because of strict regulation, Weise contends that the financial sector is leading the way in how to deal with data loss. By law, every financial institution he works with or is aware of, Weise says, from large to very small, has a plan for how to deal with loss of confidential data. "Bank regulators," he says, "were really ahead of the game compared to the rest of the nation" in writing rules for both privacy and data security issues.

Finally, any plan must be flexible, Weise says, since you can't possibly anticipate every situation. "What you do afterward is largely dependent on how the breach happened, what the nature of the information is, and what you can do to remedy the situation. There's no one size fits all answer."

Don't rush to notify customers

Here's where companies make a common mistake. According to Mark Fajfar, an attorney with law firm Fried, Frank, Harris, Shriver & Jacobson, rushing to provide notice to the public is the wrong initial response. Fajfar, who speaks and writes frequently on information security issues, is special counsel with the firm's Washington, DC office.

"There's now a knee-jerk reaction to provide notice to consumers [any time] that their information may have been accessed," Fajfar says. But at least some regulators, including the FTC, "are now saying that you don't necessarily have to provide notice if there's no realistic expectation that some sort of crime has been committed," he explains. For example, say your data center loses track of a backup tape. You don't necessarily need to send notice to customers, Fajfar says, until you have some indication that the tape might have been stolen.

Instead, your first reaction should be to contain the leak, Fajfar says, rather than to notify everyone immediately. In fact, if criminal behavior is involved and there's pending law enforcement action, authorities may not want you sending out public notices while the initial investigation is underway.

And don't worry about notifying stockholders. There's nothing specific to data security breaches under SEC rules, for example. Reporting guidelines there are driven by whether there's a likelihood of a material loss to the company, based on the company's total capitalization and annual revenues, Blackmer says. Few publicly traded companies are unfortunate enough to suffer a data breach so large that immediate financial loss is obvious. "Usually, these things will not be quantifiable to that degree," he says. "In your next quarterly filing, you might have to say something about the incident, if it's already started to have an economic impact on, or if it threatens to."

Staunch the bleeding

Instead of rushing to make a public announcement, focus first on the breach itself, the experts stress—how it happened, what sort of data was involved, and whether it was a one-time incident or might be ongoing.

"Our very first comment [to clients]," Fajfar says, "is to make sure you fully know everything that has been breached." Of course, that's seldom easy to determine. Say someone seems to have stolen some passwords and login IDs and is accessing your system—once you discover the breach, how do you know you've found all of the stolen IDs? Or perhaps you've had a break-in or have otherwise lost a notebook computer. Before rushing to judgment on a single laptop, confirm whether it's the only missing item.

Bring in outside experts

Precisely because it's so difficult initially to determine the source of a breach, Blackmer says, "I advise clients right at the outset to bring in outside forensic experts." Early on, you may still be trying to determine if the breach was an accident or intentional—if it involved a careless misstep or stolen goods.

Although your IT security staff may view a move to bring in outsiders as a vote of no-confidence, Blackmer says, it's actually just good sense. Although large organizations may have highly qualified forensic experts in-house, "the problem is [that] you don't know if any of [your internal staff] are compromised," he points out.

Also, from a potential litigation standpoint, by bringing in an outside forensic expert who's acting under the direction of your legal counsel, whether in-house or outside, there is a chance that you can protect some of the results of your investigation under attorney-client privilege, Blackmer points out. "In most cases that's not going to make a difference," he says, "but in some cases where [the breach]…leads to class action litigation, that can make a difference."

Another reason to bring in computer forensic experts right away is because once you call the authorities, you may lose any computers involved in the incident. Law enforcement agencies, Blackmer says, "have a bad habit of coming in and taking your computers away, which can be a little tough on your ongoing business operations." To avoid that, have the forensic experts immediately make images of any affected hard drives.

If the breach appears to be a targeted data theft, companies are often tempted to shut down systems immediately in a rush to stop the leak. From a forensic point of view, that's probably the wrong approach, Blackmer says, because you may lose some evidence that won't be retrievable after you restart systems.

The jurisdiction dilemma

Once you know the kind of data involved and have an idea of how significant the loss might be, Blackmer says, make a decision quickly about notifying the authorities. Unlike going public, this is an area where you don't want to delay. "For forensic reasons," he says, "it's good to do this in order to stop further breaches, or to stop someone on the inside from compromising you further." Also, Blackmer points out, a number of state laws impose a time limit on reporting the incident to authorities, in some cases 24 or 48 hours.

Many states have a defined trigger for when you have to give notice about a data loss in any area that's considered protected—that includes social security numbers, driver licenses, financial information, payment card information, and health information. That trigger may be the point at which you've determined there's "a substantial risk" that the information will be used for harmful purchases. Your incident team can research ahead of time how your state requires that you respond, but it's likely your customers are from many other states as well. That makes things difficult, since state and sometimes local laws differ greatly in how soon, if at all, both authorities and affected consumers must be notified regarding an incident.

Typically, Blackmer says, that issue is a huge concern initially, but is soon displaced by the sheer complexity of varying state laws. "What I've seen happen time and again with major data breaches," he says, "is that… lawyers scramble to figure out what the exact requirements are in each of the affected jurisdictions, and within a number of hours, everyone gives up, throws up their hands, and says 'This is crazy; we can't respond differently from one jurisdiction to another. We're not going to give notice to our California residents and not our New York residents. We're not going to notify the city of New York but not the California attorney general's office.' "

What often results, Blackmer says, is a decision to respond based on the strictest requirements that might apply from any jurisdiction. That's not just because of concerns with legal liability. Companies are also keenly attuned to customer and employee perceptions of bias or favoritism. "[They] don't want to say, we gave notice to our California [customers], but we didn't give you notice right away because we weren't required to."

Brace yourself to communicate with customers

With all of the previous steps completed, it's finally time for the painful and usually costly step of notifying customers, if that's the action you decide to take.

At this point, you need to make an informed decision about what sort of customer notification you want to do—if any at all. If you don't go public with the loss, Blackmer says, "There's a real risk—and you're gambling with this—that you won't end up catching the bad guys… and that employees or consumers will be hurt." Also, not coming clean early looks bad after the fact, when the truth does come out, as it usually does. On the other hand, if the data was simply inadvertently lost and turns up several days or weeks later, you may end up looking incompetent and disorganized, at best, if you then re-notify customers that there was no data loss after all.

Whatever method you choose to notify customers, brace yourself. Determine ahead of time how you'll handle questions, and be prepared for lots of inquiries. Blackmer recommends a Web site dedicated to explaining the incident, as well as a toll-free number. "People will have anxiety," Blackmer says. "They'll want more information, and they'll call you." One company he worked with brought in outside help and set up a call center that worked from a prepared script. The data loss announcement had gone out to some 250,000 to 300,000 individuals; on the first day, the company had 30,000 calls, and that pace continued for several days.

Blackmer's general advice to clients regarding notification is this: "If there's any substantial amount of sensitive personal data lost or stolen, announce it." Chances are you won't really stand out, he says, since such notices have become so common. And you've done the right thing by customers if personal data is eventually misused.

Meanwhile, any federal laws dealing with how companies should treat data loss, including notification of consumers, remain a ways away. Despite proposed federal legislation in both the House and Senate, nothing has yet come out of Congress, which is consumed lately with larger issues and has now adjourned for the election recess. "I haven't seen any indication that [legislation] is going to move forward anytime soon," Fajfar says. "Maybe next summer… but I wouldn't hold my breath. It's one of those real devil-in-the-details kinds of things."