Lessons Learned from the Trenches: A Roadmap for Successfully Navigating a Large-Scale Data Breach

by Heather Egan Sussman and Sabrina E. Dunlap

Practice Tips

Data breaches dominate world news, with retailers reporting incidents affecting millions of customers.  Representing a company facing a massive breach is not for the inexperienced or faint of heart.  While each incident brings a new set of facts and challenges, this roadmap can help guide any business to successfully navigate a large-scale breach in a way that meets legal requirements and mitigates the risk of harm.

Prepare in advance by developing an effective incident response plan.

When the report of a breach first comes in, time is of the essence.  Some breach notification laws have surprisingly short reporting deadlines.  E.g., Conn. Ins. Dept. Bulletin IC-25 (August 18, 2010) (notice within five days); 9 V.S.A. § 2435(3)(B)(i) (2012) (notice within 14 days); M.G.L. c. 93H § 3(b) (2007) (notice “as soon as practicable and without unreasonable delay”).  Companies can contract with business partners for even shorter notice periods.  By preparing and testing an effective response plan in advance, companies can best position themselves to respond quickly when faced with a breach to meet required reporting deadlines, including under applicable insurance policies.

Evaluate notification obligations as early as possible. 

Once the response team is in place, it is critical to determine the type of information involved and any notification obligations.  Forty-six states and the District of Columbia have breach notification laws and an increasing number of countries around the world are following suit.  Such laws require a company to notify affected residents – and, in some cases, particular regulators – in the event a resident’s “personal information” has been compromised.  In the U.S., these laws typically define “personal information” to include a natural person’s name plus some other data element that can be used to commit identity theft or financial harm (the elements vary by state).  Elsewhere, the definition of “personal information” can be much broader.

Breach notification laws also often dictate notice content, such as a description of what occurred and the type of personal information involved.  Massachusetts is the only U.S. state to expressly prohibit including details of the breach in the consumer notice letter.  See M.G.L. c. 93H § 3(b).

Conduct the investigation under privilege.

Upon receiving the initial report of a suspected breach, the company must investigate and remediate the incident.  Companies should conduct the investigation under privilege to protect process and findings.  Companies also should consider retaining outside counsel experienced in managing the moving parts of a complex breach scenario, while protecting the company in any resulting litigation or government enforcement action.

Cooperate with law enforcement, but require subpoenas for information.

In some cases, the company will learn of an incident from law enforcement (such as the FBI).  There are benefits to working cooperatively with these agencies, including receiving government assistance and law enforcement back-up.  Before turning over information to law enforcement, however, companies should insist on a subpoena.  This can shield against claims that the company further breached the privacy of affected individuals by turning over information without authorization.  Keep in mind, however, that informal discussions between the company’s forensics teams and law enforcement can circumvent established protocols and waive privilege protections.

Control the information flow.

Upon receiving a report of an incident, the company must mobilize the incident response team and get to the root of the problem before sharing information with outsiders.  Because facts are still unfolding, however, releasing information too early can result in confusion, reputational harm, and compromise litigation strategy.

As a result, it is important to control information flow from the outset by coordinating all communications through one lead person responsible for tracking incoming requests and outgoing responses.  That lead should work with legal counsel to protect confidentiality and privilege.

In some cases, it may be preferable to get in front of a story so the business can shape the narrative.  Depending on the jurisdiction involved, it may be best to notify regulators before addressing the media.  Most companies will need to rely on internal communications teams to manage this strategy.  Public relations firms usually are reserved for the largest incidents expected to receive substantial scrutiny.

Spend wisely on digital forensic firms.

Not every incident requires hiring a digital forensic firm.  These firms are most appropriate in specific cases, such as when the incident presents a high litigation risk, when the incident has an unknown cause or effect, or when the incident involves the company’s network and the IT department is not able or appropriate to respond.

Forensic firms also can help to determine at a granular level what systems were accessed during the incident and thus help define the scope of the breach.  (For example, the forensic investigator might establish that the hacker infiltrated the network perimeter, but not the database containing sensitive information.)  They also know how to remediate incidents and secure the network perimeter against further intrusion.  This can be critical in cybersecurity incidents where hackers create “back doors” through which they can later return to steal more data.

Payment card breaches present special issues.

Where the breach involves payment card information, merchants also must address reporting requirements under the Payment Card Industry (PCI) rules.  When an incident occurs, the merchant generally is required to notify the card brands, who notify the issuing banks, who notify affected consumers.  PCI rules also may require that the business hire a “preferred forensic investigator” (PFI) to determine whether the merchant violated the Payment Card Industry Data Security Standards and related rules.  Because the PFI’s findings can lead to substantial fines, a merchant should consider retaining under privilege an independent forensics firm to monitor the PFI’s investigation and preserve the merchant’s ability to challenge the PFI’s findings and resulting fines.

Balance speed with precision.

Not every breach will involve a tidy, sortable spreadsheet containing the names and mailing addresses of affected individuals.  When it is not possible to determine quickly who is affected and where they live, a company must balance the need to promptly notify against the concern for avoiding customer confusion and resulting harm.  Companies caught in this Catch-22 should consider invoking the “substitute notification” option available under some breach notification laws, which permits a company in certain circumstances to post notice of the incident on a website or other permitted location in lieu of sending individual notices.  This option carries risks, however, including unnecessarily alarming customers not affected by the breach, and may be most appropriate when paired with some other limiting data point, for example, that the incident impacts shoppers at a particular store during a particular period of time, rather than all customers everywhere at any time.

If law enforcement instructs the company to delay notifications pending the investigation, memorialize the directive to defend against any claims of needless reporting delay.

Engage regulators proactively, but stand firm where legal merits warrant.

After receiving notice of a breach, regulators likely will contact the company to request more information.  In the U.S., state Attorneys General Offices (AGO) often will work together in one consolidated review of the breach.  The multi-state process has clear benefits to the AGOs because it streamlines costs and can achieve efficiencies.  Companies are wise to consider how best to capitalize on the efficiencies of this process, while still advancing legal arguments and defenses available in each state.  Companies should not hesitate to stand firm, however, when authorities take unsupported or unreasonable settlement positions.

Conduct a post-incident review.

There are many lessons to be learned through effective post-incident review.  Following any incident, a company should perform a careful root cause analysis and assess what changes should be made in light of the experience. Public companies also must consider whether the incident triggers further disclosure requirements.

Watch the evolving regulatory landscape. 

On February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for businesses, like the approach taken in Massachusetts.  See 201 C.M.R. 17.00, et seq. (2007).

Similar past proposals from federal legislators have not gained traction, but with the recent spate of highly publicized breaches, a proposal may soon become law.  Familiarity with the regulatory landscape is vital when advising clients responding to complex data security breaches.

Heather Egan Sussman is a partner at McDermott Will & Emery LLP. Heather co-chairs the Global Privacy & Data Protection Affinity Group and is a recognized leader in her field.

Sabrina E. Dunlap is an associate in the law firm of McDermott Will & Emery LLP, focusing on privacy and data security and employment law. Sabrina is a Certified Information Privacy Professional (CIPP) and an active member of the International Association of Privacy Professionals.


Protecting Children Online: New Compliance Obligations for Digital Marketing to Children

by Julia Jacobson and Heather Egan Sussman

Heads Up

Parents worry not only about what their children are seeing and doing online, but also what personal information others, including businesses, are collecting about their children and what they are doing with the information collected.  With or without a child’s knowledge, a website, mobile app or social media platform can collect all kinds of personal information: age, sex, height, weight, locations, friends’ names, favorite toys and purchasing histories.  To protect the privacy of children online, the federal government enacted in 1998 the Children’s Online Privacy Protection Act (“COPPA,” 15 U.S.C. §§ 6501-6508).  Effective July 1, 2013, new compliance obligations under COPPA will affect nearly all online service providers that collect personal information about children.

COPPA restricts how and what owners and operators of websites, social media plug-ins, mobile applications, advertising networks and other “Online Service Providers” can collect from children under age 13 without parental permission.  The Federal Trade Commission (FTC) is responsible for enforcing COPPA and, in April 2000, implemented regulations known as the COPPA Rule (16 C.F.R. Part 312).  In recognition of the increased use of mobile devices, social media and other evolving digital technologies, the FTC announced in 2010 its intent to update the COPPA Rule.  After two years and several rounds of public comments, the FTC amended the COPPA Rule (available at http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf), and those amendments take effect this July.

To assist online service providers in understanding their new compliance obligations under COPPA, the FTC released “Complying With COPPA: Frequently Asked Questions” (the FAQs are available at http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions).  These 93 questions and answers provide helpful guidance to attorneys representing online service providers.

Attorneys and businesses should be aware of the following notable changes to the COPPA Rule:

  • The definition of “personal information” is expanded to include: geo-location information that can identify street, city and state; photo, audio and video files that contain a child’s voice or image; screen or user names (if used for user-to-user contact); and persistent identifiers (e.g., customer information held in a cookie, an IP address, a unique mobile device ID, etc.) that can be used to identify a user over time and across different websites or online services.  The FAQs warn Online Service Providers that, if they continue to collect or use these new categories of personal information or associate new information with previously-collected personal information in these categories, the parental consent requirement will be triggered;
  • An Online Service Provider may be held liable for collection of personal information by a third party if the third party is acting on behalf of the Online Service Provider or if the collection of personal information otherwise benefits the Online Service Provider;
  • An Online Service Provider with “actual knowledge” that it is collecting personal information from users of another website or service directed to children (e.g., a social media plug-in or an ad network) now may be held liable under COPPA;
  • The factors for determining whether a website or online service is “directed to children” are clarified in Section D of the FAQs but “directed to children” remains a highly fact-specific inquiry;
  • An age-screening safe harbor for websites or online services that do not target children as their primary audience is available;
  • Parental notification and privacy policy/notice requirements with respect to collection of personal information from children are streamlined; and
  • The acceptable methods for obtaining verified parental consent are expanded.

Unfortunately, some important issues remain unaddressed by the amended COPPA Rule and FAQs.  Most glaringly, the FAQs offer no guidance on how the FTC will consider and weigh the various factors in determining whether an Online Service Provider is directed to children and subject to a strict liability standard for COPPA compliance.  Another issue about which the FAQs offer little guidance is how an Online Service Provider seeking to qualify for the “age screen safe harbor” can demonstrate that children under 13 are not its primary target audience.  The FAQs indicate only that an operator should carefully analyze the intended, actual and likely audience for its site and/or services and that the FTC will consider “competent and reliable empirical evidence” supporting the analysis.

Although the FTC has indicated that it will delay enforcement of the amended COPPA Rule, ignoring the changes is not advisable.  In the past five years, the FTC has investigated numerous violations of COPPA and imposed million-dollar fines on COPPA violators, including a $3M fine against Playdom (a Disney subsidiary) in 2011.  To ensure compliance with the amended COPPA Rule and avoid substantial monetary penalties, Online Service Providers need to evaluate now their data collection activities with respect to children, including third-party activities on and through their website or online service as well as their own activities on third-party websites or online services.

Heather Egan Sussman is a partner at McDermott Will & Emery LLP. Heather co-chairs the Global Privacy & Data Protection Affinity Group and is a recognized leader in her field. 

Julia Jacobson is a partner at McDermott Will & Emery LLP. Julia focuses her practice on data privacy and security, advertising and promotions, and licensing.