When a company learns that it may have been victimized by a data breach, two of the toughest decisions that arise are if and when to notify the public that personal information may have been compromised.

Notifying the public about a data breach poses significant compliance risks for companies. Report a data breach before all the facts are in and prepare to cope with unnecessary costs or the possibility of disseminating misinformation, but report too late and the reputational and legal repercussions could be far worse.

The best plans of action materialize long before a breach even occurs. “Organizations need to be mindful of these events happening, because what we've found over time is that it's more a matter of when they happen, as opposed to if they happen,” says Brian Lapidus, senior vice president for Kroll Advisory Solutions.

Before the need to notify the public of a data breach ever arises, the first line of defense is to have in place a proactive incident response plan. That plan ought to include the designation of a team of individuals who should be notified following an incident, and who are aware of their respective roles and responsibilities in the event of a potential data breach.

This team should include members of the company's internal departments, as well as outside privacy counsel to help determine whether or when data breach notification is necessary. “It's very important to not assemble that team for the first time in an actual crisis,” says Emily Stapf, a director in PwC's forensic technology solutions practice. It needs to be in place ahead of time, she says.

Scenario planning can also help prepare a company for how to respond to a data breach. “A lot of our clients have done mock breaches so that they can understand and be ready when a security event occurs,” says Lisa Sotto, partner and head of the global privacy and data security practice at law firm Hunton & Williams.

Before deciding whether or when to notify the public of a data breach, companies must first navigate their way through a complex maze of different—and often conflicting—federal and state data breach notification laws. In 2003, California passed the nation's first data breach notification law, a move that has since been followed by 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The only states that do not currently have data notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

While the nuances of each law differ, many states do not require notification if there is no reasonable likelihood of harm to consumers. Where sensitive data has been compromised, the general rule is to provide proper notification without unreasonable delay.

Some states provide a firm deadline for notifying the public after a breach. California, for example, requires notification within five days. Vermont, the most recent state to adopt a deadline, requires notification to the public within 45 days. The HITECH Act, a federal breach notification law, requires notification within 60 days of discovery.

Most legal advisers, however, don't recommend waiting around for 45 or 60 days before notifying the public that a breach has occurred. “The practical reality is a completely different story,” says Sotto, who has helped companies investigate more than 1,000 breaches. “These events differ dramatically and, therefore, the timing differs dramatically.”

If you know exactly what happened, what data was compromised, the individuals affected, and the culprit involved, then you can cull a list and send notification immediately, says Sotto. At the other end of the spectrum are the complex cyber attacks that could require months of investigation to discern the extent of the breach and the customers or business partners affected.

“In some cases, you may never get a full picture of the population at risk,” says Sotto. She cites an example of a breach that has been ongoing for years: “We have had as many as 80 forensic specialists on site doing enormous amounts of forensic work,” she says.

Depending on the extent of the breach, engaging law enforcement can buy time before breach notification is necessary. “Law enforcement could put the brakes on the timing if they need to be involved [in the investigation] and collect evidence first,” says Stapf.

But even while an investigation is ongoing, companies need to start on remediating the security problems immediately. “That's very important, particularly in preparing for the inevitable regulatory response,” stresses Stapf.

Regulators tend to come down hard on repeat offenders. For example, the Federal Trade Commission filed a lawsuit last month against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.

According to the FTC's complaint, even after faulty security led to one breach, “Wyndham still failed to remedy known security vulnerabilities, failed to employ reasonable measures to detect unauthorized access, and failed to follow proper incident response procedures.”

Premature vs. Late Notification

A common mistake companies make is to report an incident too quickly, resulting in unnecessary costs when a company has to revise its initial reports. In fact, according to a recent data breach study conducted by the Ponemon Institute, companies that notified customers of a data breach too quickly without a thorough assessment paid an average of $33 more per record.

STUDY FINDINGS

Below are some key findings from the Ponemon Institute survey:

The cost of data breach declined. For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194. We define a record as information that identifies an individual whose information has been compromised in a data breach. This decline suggests that organizations represented in this study have improved their performance in both preparing for and responding to a data breach. As the findings reveal, more organizations are using data loss prevention technologies, fewer records are being lost in these breaches and there is less customer churn.

More customers remain loyal following the data breach. For the first time, fewer customers are abandoning companies that have a data breach. However, certain industries are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.

Negligent insiders and malicious attacks are the main causes of data breach. Thirty-nine percent of organizations say that negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.

Lost business costs declined sharply from $4.54 million in 2010 to $3.01 million in 2011. These costs refer to abnormal turnover of customers (a higher than average loss of customers for the industry or organization), increased customer acquisition activities, reputation losses and diminished goodwill. During the seven years we studied this aspect of a data breach, the highest cost for lost business was $4.59 million in 2008 and the lowest was $2.34 million in 2005.

Certain organizational factors reduce the overall cost. If the organization has a chief information security officer with overall responsibility for enterprise data protection the average cost of a data breach can be reduced as much as $80 per compromised record. Outside consultants assisting with the breach response also can save as much as $41 per record. When considering the average number of records lost or stolen, all of these factors can provide significant and positive financial benefits.

Specific attributes or factors of the data breach also can increase the overall cost. For example, in this year's study organizations that had their first ever data breach spent on average $37 more per record. Or, those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.

Detection and escalation costs declined but notification costs increased. Detection and escalation costs declined from approximately $460,000 in 2010 to $433,000 in 2011. These costs refer to activities that enable a company to detect the breach and whether it occurred in storage or in motion. This suggests that organizations in the 2011 study had the appropriate processes and technologies to execute these activities. Notification refers to the steps taken to report the breach of protected information to appropriate personnel within a specified time period. The costs to notify victims of the breach increased in this year's study from approximately $510,000 to $560,000. A key factor is the increase in laws and regulations governing data breach notification.

Source: The Ponemon Institute.

In one example, a large retail chain, in its desire to be “incredibly diligent” and “really earnest,” says Sotto, tweeted, e-mailed, and Facebooked all of its customers within 48 hours of discovering a data breach, even though the breach affected a very small portion of its customers. “That's an example of over-zealous notification,” she says.

Worse still, and potentially more costly, are the cases where companies wait too long to tell individuals that their personal information was stolen. There is no shortage of recent cases where a company waited months to report a breach, “and the scrutiny that they faced because of that is fairly significant,” says Lapidus.

For example, managed healthcare company WellPoint last year was forced to pay a $100,000 fine for failing, in violation of state law, to notify the Indiana attorney general's office of a security breach that potentially exposed the personal information of 32,000 members. As part of the settlement, WellPoint must also pay up to $50,000 to each affected member for waiting three months to issue notification of the breach.

There is also reputational risk at stake. In one recent example, U.S. Senator Bob Casey issued a letter in June that took payment processing company Global Payments to task for its lackadaisical approach after a breach of financial information potentially affected 1.5 million people. “The breach was discovered in early March 2012, but a public announcement by Global Payments was not made until nearly a month later,” Casey wrote.

Crafting the Letter

After a breach has occurred, deciding what to say can be as difficult as deciding when to say it. Many states now have content requirements for data breach notification that direct the company how to craft a notification letter. Some states are stricter than others; Massachusetts' data privacy law—known to be the nation's most far-reaching regulation to protect consumers' privacy—mandates that any notification to consumers cannot disclose the nature of the breach or the number of people affected by the breach. What is allowed is notification about the consumer's right to obtain a police report, how to request a security freeze, and any fees required to be paid to any of the consumer reporting agencies.

The notification letter should inform recipients about the facts of the case (if allowed), what data was lost or exposed, what the company has done to remediate the breach, and what steps individuals can take to protect their data, including providing the number of a call center. As an additional precaution, many times companies will offer free credit monitoring services.

Security experts say most companies will be victimized by a data breach of some form. Those that are lucky will have a small incident that could even serve as a learning tool. “A small data security incident has a silver lining,” Sotto says, “because it allows companies to practice their incident response plan with respect to a smaller, less-significant event and figure out where their vulnerabilities are and how they can strengthen their process.”