When a data breach or ransomware attack occurs, the question for the victimized organizations and their attorneys is always how best to respond.

Do state laws apply? Do Federal laws apply?

Arguably, all of them may apply to differing extents and with different consequences for any organization. Each source of law may also provide causes of action to varying degrees for an organization’s compromised customers.

Depending on the geographic location of customers, Federal law and the laws of any number of US states or territories must be examined to determine whether a notifiable data breach has occurred. Most laws require that a first name or first initial and last name, together with a credit card number or Social Security number, have been the subject of the data breach—but mileage varies.

It is complex, and it is made more complex by the fact that the US judicial system is as patchwork as its regulatory system. For attorneys analyzing the fact-pattern of a client’s data breach incident, the possibility of a negligence lawsuit or class action suit arising under Federal law versus the laws of those myriad states where compromised customers might reside is dizzying.

Counselling clients to implement a few best practices prior to a data breach will go a long way toward easing the path forward following an incident.

Best Practices in Responding to Data Breaches

Regardless of whether data is compromised due to a ransomware attack or an employee clicking a link in a phishing email, there are some best practices that organizations can implement to avoid or mitigate damage.

Develop an Incident Response Plan

Employees and other internal actors should know whom to contact in the event of a ransomware attack. Decision-makers should know which agencies need to be notified.

How employees communicate with each other after such an attack—via email or via telephone—is also very important when data systems have been compromised.

Data Minimization

When information needs to be shared, always share the least amount of information possible. Review possible ways in which your organization or client can segregate important information so that, if it is compromised, further information cannot necessarily be accessed.

When collecting information, de-identify or anonymize it as much as possible. Under many laws, information that has been scrubbed does not constitute “personal information” for the purpose of triggering notification and other obligations.
Review Third Party Vendor Contracts

A significant percentage of data breaches originate through a compromised vendor. It is critical that written vendor agreements contain terms requiring the vendor to comply with applicable privacy and data security laws.

Vendors should make representations and warranties that they have adequate physical, technical, and administrative security measures in place and that, in case of a breach, your company will be indemnified. Vendors can also be required to maintain cyber insurance and to name your company or client in such policies.

Employee Training

Ensure that employees are properly trained to avoid compromise initially, to avoid falling prey to phishing emails and other methods of attack, and to follow your incident response plan when compromise does occur.
Obtain Cyber Insurance

Targeted insurance coverage is crucial as most general insurance policies now exclude data breaches and cyber events from coverage.

Conclusion

Responding to a ransomware attack or other confidential data breach in the appropriate manner will reduce legal liability.

Avoiding that liability with proactive plan implementation and employee training, however, is the first and best line of defence.

Mackrell International gathered a diverse panel of US data-privacy experts who reviewed the patchwork of data-privacy legislation across the country and the challenges that it poses.
The panel included Tracy Marshall from Keller & Heckman, Stephanie O. Sparks from Hoge Fenton, Sherwin Yoder from Carmody Torrance, and Carrie O’Brien from Gust Rosenfeld.
The full Mackrell International webinar titled “The Patchwork of US Data Privacy Laws” can be viewed on our YouTube channel: https://youtu.be/La2wUDmA8rk