The Risk-based Approach to Data Breach Response
Meeting mounting expectations for effective, relevant solutions

Our Speakers
» Mark Melodia is Partner and Co-Head of the Global Data Security, Privacy & Management Group for Reed Smith.
» Timothy P. Ryan is managing director and Cyber Investigations Practice Leader for Kroll.
» Brian Lapidus is managing director and InfoSec Practice Leader for Kroll.
» Moderator Steven Littleson is a director in Cyber Security at Kroll.

Agenda
» The Data Breach
» Investigation before Mitigation
» Accuracy above Assumption
» In the Beginning
» Match Remedy to Risk
The Data Breach
A broken promise.

Prepare to be Judged in Hindsight
Encourage broad thinking about types of litigation and potential causes of action.
» Negligence
» Waste and conversion
» Invasion of privacy
» Breach of contract
» Breach of fiduciary duty
» Unjust enrichment 1
» Unjust enrichment 2
» Violation of the Fair Credit Reporting Act
» State consumer protection statutes
» Business-to-business litigation
» Shareholder/Securities litigation

Set Realistic Expectations
Communications
» Controlling the flow of internal communications
» Crafting and directing effective external messages
» Monitoring and responding to reactions to the breach
Litigation
» Hundreds of class action suits, fueled by tens of millions of breach letters
» Most privacy class actions seek millions or billions in statutory penalties, even absent any out-of-pocket harm to consumers
» Even nominal damages under common law (e.g., $1 per person for invasion of privacy) can mount quickly into millions of dollars in potential classwide liability
» Not just consumer suits

Factor in the Government, Part 1: Federal Trade Commission Actions
» Unfair and deceptive acts in commerce
» Dozens of investigations, many enforcement actions
» Jointly with other agencies that may also have specific industry jurisdiction
» Multi-million dollar consent resolution amounts, and agreements to change process that will last for decades
» Settling with private class counsel without satisfying the government may be a lost opportunity

Factor in the Government, Part 2: State Attorney General Actions
» Often the first notified of a potential privacy or security issue
» Can demand that companies offer credit monitoring to resolve investigations, even if courts in private class actions do not
» Often obtain large resolution payments in situations where the private class action bar fails
» Data security/privacy is a politically popular consumer protection issue
Investigation before Mitigation
Get out of your own way.

Top 8 Mistakes Companies Make
When preparing for and responding to a data breach
1. Escalation and employee security awareness
2. The need to preserve evidence: competing interests
3. The ability to collect evidence: forensic capabilities
4. The ability to demand evidence: third parties
5. Log creation and centralization
6. Internal conflicts: IT versus Security
7. Network visibility and architecture
8. Containment and eradication strategy

...and One to Avoid: Involve the Police
» Goals: enforcement versus breach notification
» Evidence seizure, review and return
  » How it is seized
  » What the reviewer is searching for: government versus private
  » Does the corporation get to look at it
  » Who does remediation
» Arrest
» Attorney-client privilege
» Control
» Life and death / only government can assist

Focus on Facts Without Fear
1. How did the data breach occur?
2. What was the size of the breach?
3. What type of PII/PHI was exposed?
4. Who is the impacted population?
Case Study
Situation:
» A hacking incident left a retailer's network exposed for three months; credit card numbers and PINs processed during that time were vulnerable
» The client contacted Kroll, ready to notify 275,000 customers
Kroll actions:
» Reverse-engineered the code used to compromise the data and discovered two key findings: only one type of credit card had been targeted, and a bug had caused the code to stop working after 21 days
Outcome:
» Significant reduction in the number of impacted individuals and notifications required, from 275,000 to 27,000
» Reduced the client's cost to meet notification requirements by 90%

What Was the Size of the Breach?
Comparison: Exact Notification vs. Over-Notification

Exact Notification                                        Cost
  Forensic Investigation                                  $50,000.00
  Notification, Call Center, ID Theft Consultation
    & Restoration                                         $88,000.00
  1-Bureau Credit Monitoring                              $50,500.00
  Total                                                   $188,000.00

Over-Notification                                         Cost
  Forensic Investigation                                  $50,000.00
  Notification, Call Center, ID Theft Consultation
    & Restoration                                         $600,000.00 - $800,000.00
  1-Bureau Credit Monitoring                              $300,000.00 - $450,000.00
  Total                                                   $900,000.00 - $1,250,000.00

Bottom Line: for an investment of $50,000 in forensic investigation work, the scope of the breach was reduced by hundreds of thousands of records.
Total Savings on Known Costs: $712,000 - $1,062,000
In the Beginning
there was Credit Monitoring

When Credit Monitoring Isn't Enough
» Traffic stop reveals fraudulent 8-year-old DUI charge
» Online tax filing rejected: SS# already used to file
» Stranger's hospital bill linked to name and address
» A $30k loan, a car, cosmetic surgery, a summons
» 4 years to resolve

You Need New Tools for New Threats
Name, address, DATE OF BIRTH, MARITAL STATUS, gender, race, ethnicity, national origin, grade point average, driver's license number, personal income, bank account and routing numbers, credit or debit card number, financial account number, username, PASSWORD, government-issued identification number, insurance numbers, warrants for arrest, personal medical data

If this data is exposed:
» Name, address, date of birth
» Credit card numbers
» Bank account numbers
alternative monitoring can:
» Search for additional addresses associated with that person
» Crawl Internet monitoring sites where criminals buy and sell financial details
» Scan for short-term, pay-day or cash advance loans where no credit check is required
Match Remedy to Risk
Real need, real solution.

Published Guidance from the CA AG
The California Office of Privacy Protection advises organizations:
» If you are considering offering notice recipients credit monitoring or another identity theft assistance service as a mitigation, make sure it is relevant to the situation.
» Credit monitoring is not helpful for breaches of account numbers only.

Published Guidance from the IL AG
The Illinois Attorney General advises organizations to:
» determine when to offer credit monitoring and when to contract for an alternative form of monitoring.
» explore their options because credit monitoring may not be appropriate in all breach situations.

Wise Investments Here
Known Costs
» Legal Counsel
» Forensic Investigation
» PII/PHI Identification
» Notification
» Call Center
» Monitoring
» Preventative Services
Help Control Costs Here
Unknown Costs
» Brand Damage
» Customer Churn
» Settlement Fees
» Fines
» Business Transactions: IPO, Mergers & Acquisitions
It Works
"... struck the claim for damages ... already reasonably compensated the affected ..."
The judge ruled in our favor on all points.

Take-Aways
How did the data breach occur?
» How was data accessed?
» Can you confirm data was, in fact, exposed?
» To whom was the data potentially exposed?
» Can you confirm what was done with the data?
What was the size of the breach?
» Has the incident been contained?
» How many records have been impacted?
» What response efforts can you afford based upon the size of the breach?
What type of PII/PHI was exposed?
» Can you confirm what PII/PHI was compromised?
» What constitutes a record for the purpose of notification?
» Was other data compromised that could lead to risk of identity theft or other harm?
Who was the impacted population?
» Who are the victims?
» What is the relationship of the insured with the breach victims?
» What is the relationship of the victims to one another?
» Where are the victims located?

Questions:
Mark S. Melodia
» Phone (609) 520-6015
» mmelodia@reedsmith.com
» Please visit the Reed Smith Global Regulatory Enforcement Blog at globalregulatoryenforcementlawblog.com
Tim Ryan
» Phone (212) 833-3461
» TPRyan@kroll.com
Brian Lapidus
» Phone (615) 577-6770
» Blapidus@kroll.com
» Find out more at Krollcybersecurity.com or Kroll.com
Thank you.