Developing a Game Plan to Mitigate Loss From Data Breach
As more and more of our business and personal activity is done online, “cyberrisk” becomes more prominent and the financial risk grows for both individuals and companies. The predominant concern for many is data breach. A data breach can take many forms, but all of them involve personal information, such as credit card numbers, Social Security numbers or passwords, ending up in an untrusted environment. An untrusted environment does not only mean the hands of thieves or hackers; information that is simply left unsecured or lost counts as well.
As has been demonstrated on an almost daily basis, even sophisticated organizations have suffered data breaches through inadvertence, negligence or theft. Recent examples include Wells Fargo & Co., which is being investigated by the Connecticut attorney general for potentially disclosing customers’ Social Security numbers: as part of a fraud investigation it forwarded subpoenas to customers that contained the Social Security numbers of other customers. Another is an Israeli government contractor who copied files containing the personal information of more than 9 million Israelis from government computers and then posted that information in a searchable file online.
A more local example is the disappearance of three unencrypted backup tapes containing personal information of more than 1.5 million patients from Nemours, a children’s health system in Wilmington, Del. Finally, in an example of what most people think of as a data breach, hackers breached the electronic systems of Restaurant Depot and stole more than 100,000 credit and debit card numbers.
As these examples show, a data breach can be an error by a company, an act of physical theft or hacking, or the loss of equipment containing sensitive information without any knowledge of what happened to it. In fact, it is estimated that 30 to 40 percent of all data breaches result from inadvertence or negligence. Because the nature of data breaches is so varied, there is no silver bullet that can guarantee a company will not suffer one. However, companies can take steps to protect themselves should a breach occur.
Consequences of a Data Breach
There is an old saying that the cover-up is often worse than the crime. In the case of a data breach, the cover-up can often be worse for a company than the crime perpetrated against it. Forty-six states require some form of notification for data breach and various federal laws may also require notification.
Under the typical state statute, the duty to notify applies whenever there has been an unauthorized access of a system where computerized data is acquired; the security or confidentiality of personal information maintained by the entity is materially compromised; the breach involves a database of personal information about multiple individuals; and the breach causes, or the entity reasonably believes it has caused or will cause, loss or injury to an individual.
As in many cases, the devil is in the details with the application of these notification laws. First, entities that have suffered a breach may not even be aware of it for some time after it occurs. In the example above, Nemours believed that the backup tapes went missing around Aug. 10 of last year, but only became aware of the missing tapes a month later. Similarly, when a party accidentally discloses information, such as the Social Security numbers Wells Fargo is alleged to have sent out, the entity may not catch it before complaints reach the authorities or a civil suit is filed. Entities should put systems in place to avoid these missteps and to respond quickly once they become aware of any data breach. An entity that unreasonably delays in providing notice will face penalties, including damages to harmed parties and fines from the state (which can be around $5,000 per violation, with enhanced penalties for extreme behavior).
Even when an entity is aware of a breach, it may be difficult to know what specifically was taken (or, if the files taken were encrypted, whether the thief will be able to read them). An entity may want to hold off on making a breach public until it concludes its investigation, but this approach may prove a costly mistake. It is understandable that a company will not want to suffer the public relations hit of admitting to a data breach, but it can be far worse financially to delay notifying potentially harmed parties once the company has a reasonable belief that a breach occurred. A better approach is to err on the side of disclosure and notify all potential victims while the investigation continues.
It is now common practice for companies that suffer a data breach to offer affected individuals credit monitoring services. Not only is this now standard practice, but these services also help mitigate the losses that can result from a breach and may provide defenses against plaintiffs who failed to take the company up on the offer.
In order to mitigate the long-term risks and avoid facing costly litigation, companies need to be mindful of the risks associated with data breach and have a team and plan in place. In coming up with this team and plan, it is important to think of data breaches in three stages: prevention, investigation and notification.
Prevention includes encrypting files that contain personal information and closely tracking the hardware that holds it. A single laptop carried out of the office by an employee, or a backup tape such as those lost by Nemours, can contain the personal information of thousands of individuals. Encrypting the disk or the backup media means that losing the device does not expose the data on it, provided the key or passphrase is not stored or shipped alongside it, so a company must be careful both about where the information lives and about how the keys protecting it are handled.
Investigation includes having the techniques in place to identify quickly when a breach occurred and to determine its extent. In addition, companies should be quick to investigate any claim by a customer or other individual that a breach has occurred. A complaint received by a customer service representative may be enough to give the company a reasonable belief of a breach; if the representative fails to pass it on, the company’s notification clock may already be running without anyone acting on it, exposing the company to severe fines.
Notification includes having the procedures in place to notify potential victims quickly and to offer whatever services are necessary to the potential victims. Unfortunately, data breaches are a part of the modern technological world and companies need to be ready to respond effectively to any data breach.
Insurance for Data Breach
Companies that maintain databases with personal information need to make sure they have insurance to cover losses that stem from a data breach. Several insurance products address this risk, but a number of pitfalls can leave a company without full coverage.
The first thing to consider is that a data breach will likely produce both first-party and third-party losses. In other words, the breached company will suffer direct harms and will also likely face claims from third parties. It must therefore make sure its insurance covers both.
For first-party losses, property insurance may be sufficient, but it is vital to check the policy’s definition of property, which may not include “data.” If data is not covered, the direct losses resulting from a breach will not be covered, and business interruption or extra expense coverages that key off the property definition may not be triggered either.
Consequently, some carriers are writing manuscript policies or have specially tailored endorsements to address this risk. It would be beneficial for any in-house counsel or outside risk manager to carefully explore this coverage.
In the context of third-party coverage, it is important to recognize that an accidental or intentional breach may trigger very different coverage. For example, crime coverage (or the more specific Internet crime coverage) would insure for losses stemming from a hacker, but it likely will not protect a company where its own negligence or mistake led to the data breach.
It is important to be mindful of the risk of data breach when obtaining insurance and consider what exposure a company has. In addition, if a company is facing losses and/or claims stemming from an incident of data breach, it is important to look at all of your insurance to determine if coverage exists.
Recently, Strategic Forecasting Inc. (Stratfor) was hacked by Anonymous, which published the data it stole, including 860,160 password hashes. A password-cracking tool called Hashcat was run against them to see how many of the passwords could be recovered. Such tools do not decrypt anything: they generate candidate passwords from word lists and mangling rules, hash each guess and compare it with the leaked hashes, and with fast, unsalted hashes they can test hundreds of millions of guesses per second on ordinary graphics hardware. Within a few hours, Hashcat had recovered more than 80,000 of the passwords.
This is a reminder that many of us, attorneys especially, have access to sensitive information that is one password away from public exposure. Long passwords that mix upper- and lower-case letters, numbers and symbols remain the best approach, but length and unpredictability matter far more than decoration. “Password1234” may be easy to remember, but it offers little protection: it is a dictionary word with a capital letter and a common digit suffix, exactly the pattern cracking tools try first. Swapping symbols and numbers for letters, for example writing “cyberrisk” as “(y8erR!5k,” helps only against the crudest attacks; tools such as Hashcat apply these same substitutions automatically through rule sets, so a substituted dictionary word falls almost as quickly as the plain word. A long passphrase of several unrelated words, or a randomly generated password kept in a password manager, holds up far better. Numerous websites will check password strength, but do not type your actual password into one; if you use such a site, test a password of similar construction rather than your own, since whoever operates the site sees what you enter.
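To make the point concrete, the following is an added example, written for this page and not part of the original article or of Hashcat itself. It reproduces in plain Python the dictionary-plus-rules technique Hashcat uses: every candidate is hashed and looked up in a set of leaked hashes. The five “leaked” hashes, the five-word dictionary, the substitution table and the use of unsalted MD5 are all constructed assumptions for the demonstration (real dumps contain millions of hashes and real rule files run to thousands of rules); they are not the Stratfor data. The password “(y8erR!5k” from the text falls to the attack because it is “cyberrisk” with predictable substitutions, while a 20-character random string with no dictionary root survives.

```python
"""Rule-based password cracking demo (constructed data, not a real dump)."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Set

# Character substitutions a rule-based cracker tries. Hashcat ships rule files with
# far larger tables; this is a small constructed subset for the demo.
LEET = {
    "a": "4@", "b": "8", "c": "(", "e": "3", "g": "9", "i": "!1",
    "l": "1", "o": "0", "s": "5$", "t": "7+",
}

# Suffixes people habitually append; real rule sets try many more.
COMMON_SUFFIXES = ["", "1", "!", "123", "1234", "2012"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 stands in for the fast, unsalted hashing many breached sites
    used (an assumption for this demo, not a statement about any particular site)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def char_options(ch: str) -> str:
    """Every form one character may take: as typed, upper-cased, and its leet forms."""
    opts = {ch.lower(), ch.upper()}
    opts.update(LEET.get(ch.lower(), ""))
    return "".join(sorted(opts))


def mangle(word: str, max_variants: int = 200_000) -> Iterator[str]:
    """Yield every case/leet variant of word, each with every common suffix.
    max_variants caps the expansion so a long base word cannot blow up the run."""
    count = 0
    for combo in itertools.product(*(char_options(c) for c in word)):
        base = "".join(combo)
        for suffix in COMMON_SUFFIXES:
            yield base + suffix
            count += 1
            if count >= max_variants:
                return


def crack(leaked: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary + rules attack: hash each candidate and look it up in the leaked set.
    Returns {hash: recovered_password} for every hash that was matched."""
    found: Dict[str, str] = {}
    remaining = set(leaked)
    for word in wordlist:
        for candidate in mangle(word):
            h = md5_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


# Constructed sample: the hashes a breached site's database would hand an attacker.
# "(y8erR!5k" is the substituted password from the text; the last entry is a
# randomly chosen 20-character string with no dictionary root.
SAMPLE_PASSWORDS = ["Password1234", "(y8erR!5k", "cyberrisk", "W3lc0me!",
                    "mT9#qv2LpX7!zR4wKs8d"]
LEAKED_HASHES = {md5_hex(p) for p in SAMPLE_PASSWORDS}

# A five-word dictionary; real attacks use lists of hundreds of millions of entries.
WORDLIST = ["password", "welcome", "letmein", "cyberrisk", "monkey"]


def demo() -> Dict[str, str]:
    """Run the attack against the constructed sample and return what was recovered."""
    return crack(LEAKED_HASHES, WORDLIST)


if __name__ == "__main__":
    recovered = demo()
    for pw in SAMPLE_PASSWORDS:
        h = md5_hex(pw)
        status = f"cracked as {recovered[h]!r}" if h in recovered else "not cracked"
        print(f"{pw:>22}  {status}")
```

Running the script hashes fewer than 100,000 candidates and recovers four of the five passwords in well under a second on a laptop; only the random string survives. The lesson is the one in the text: substitutions and a digit suffix add a handful of bits against an attacker whose rules already enumerate them, whereas length and the absence of any dictionary root put a password outside the space the rules can reach.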
About the Authors:
Mark E. Gottlieb is a principal in Offit Kurman’s Philadelphia office and focuses his national practice in the areas of insurance recovery, construction litigation, white-collar crime and complex litigation. He has represented multiple individuals in high-profile criminal matters and represented public and private companies in multimillion-dollar disputes. He can be reached by phone at 267-338-1318 or by e-mail at firstname.lastname@example.org.
Reprinted with permission from the January 18, 2012 editions of the Legal Intelligencer © 2012 ALM Media Properties, LLC. All Rights Reserved. Further Duplication without permission is prohibited. For information, contact 877-257-3382, email@example.com or visit www.almreprints.com.