Our member firms are pleased to share insights and practical advice on what companies need to know and do in response to the recent Equifax data breach. 

  • When you discover that your data (that of your company and/or that of your clients) has been breached, what are the 3-5 critical steps to take immediately to comply with regulations of your jurisdiction?
     

For further assistance on this matter, or to get in touch with one of our TerraLex Members, contact TerraLex Chief Business Development and Marketing Officer, Tim Shannon
 
Firm: Lapointe Rosenstein Marchand Melancon
Jurisdiction:
Quebec, Canada
Author:
Christopher Deehy, Partner
 
In Canada, most provinces are governed by the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).  Certain provinces such as Alberta and Quebec have also adopted privacy legislation.
 
Organizations governed by PIPEDA should take the following steps in the event that they are victims of a privacy breach:
  • Perform a preliminary assessment and containment. The removal, movement or segregation of exposed information or files should be made and the necessary steps to prevent further unauthorized access and disclosure must be taken. Documents or copies must be retrieved and requests made to the recipients to delete affected emails, correspondence and records.
     
  • A preliminary report must be prepared. It must contain information such as the name of the individuals who may have caused the breach, potential witnesses who may have information related to it and list the affected parties who may have been victims.
     
  • As soon as possible, a full assessment of the breach should be made. This should include a list of individuals affected and the sources of the breach.
     
  • Notification both within the organization and to those individuals or institutions who have been affected by the breach.
     
  • A breach report must be filed with the Office of the Privacy Commissioner and the Treasury Board of Canada Secretary.
The guidelines for privacy breaches including checklists and sample letters to be sent to affected individuals or organizations can be found on the Government of Canada website.

Firm: Higgs & Johnson
Jurisdiction:
Cayman Islands
Author:
Gaela Fitzgibbons, Of Counsel
 
There are currently no general requirements to notify any authority or any other person of a data breach in the Cayman Islands.  However, on 27 March 2017 the Cayman Islands Legislative Assembly enacted the Data Protection Law 2017 (DPL) which is expected to come into effect in January 2019.  The DPL will contain breach notification requirements, requiring notification to the individual and to the Cayman Information Commissioner (IC) and will impose civil penalties on data controllers for failure to respond adequately post breach. In light of this regulatory development, our advice to clients operating in the Cayman Islands is to adopt procedures now that comply with the pending DPL.  Critical steps post breach under the DPL will be to: (1) notify individuals that there has been a breach in the security of their personal data, describing the nature, consequence and measures taken to address the breach within 5 days; (2) notify the IC similarly within 5 days; and (3) remedy the breach as soon as possible.

Firm: PETERKA & PARTNERS
Jurisdiction:
Czech Republic
Author:
Pavel Jakab, Partner and Adela Krbcova, Partner
 
Currently, only the Czech Act on Electronic Communications expressly stipulates duties related to data breaches of the companies providing a publicly available electronic communications service (telecommunication companies). In the event of a breach of protection of the personal data of a natural person, the telecommunication company must:
  • Notify this fact to the Czech Office for Personal Data Protection ("Office") without undue delay. Such a notification must contain (a) a description of the consequences of the breach of protection and (b) the technical protection measures the company has adopted, or proposes to adopt;
     
  • Notify this fact to the individual concerned and to the Office, if the breach of protection of the personal data of a customer might have a particularly serious impact on the privacy of a natural person, or if a company failed to take measures to remedy this situation and which would have been sufficient to protect the personal data at risk, in accordance with an assessment by the Office. In this notification, the company must also indicate (a) the nature of the breach of personal data protection, (b) recommendations for the implementation of interventions to mitigate the impact of the breach of personal data protection and (c) the contact information location;
     
  • Maintain a list of breaches of personal data protection, for the purposes of reviewing compliance with obligations above, including information on the circumstances of the breach, its impacts and measures adopted to remedy the situation. 
The other companies are obliged to:
  • Prevent damages under the Czech Civil Code (currently there is no notification duty towards the Office);
     
  • From 25 May 2018 under the GDPR fulfil basically the same duties related to data breaches as telecommunication companies now, including notification duty towards the Office and data subjects.  

Firm: Waselius & Wist
Jurisdiction: Finland
Author:
Bernt Juthström, Partner
 
Telecoms operators and other entities which process identification data (including personal data) or location data must notify their subscribers and users about violations of information security of their services, and about threats thereto, if such violation or threat may compromise the protection of the subscribers' or users' personal data. According to the supervisory authority, the notification must be published on the company's website, and where possible, sent by email to the subscribers or users affected. If the entity subject to a data breach is a telecoms operator and the breach is deemed significant, the Finnish Communications Regulatory Authority ("FICORA") shall also be notified within 24 hours of the breach.  If the affected entity is a credit institution, investment firm, fund management company or another entity supervised by the Finnish Financial Supervisory Authority ("FFSA"), data breaches must also be notified to the FFSA. The notifications to FICORA and the FFSA may be done by email and/or by using the reporting tool/template on the respective authorities' website.

Firm: SKW Schwarz
Jurisdiction: Munich/Bavaria and Frankfurt/Hesse, Germany
Author:
Dr. Volker Wodianka, Partner
  • Verify whether the EU General Data Protection Regulation (GDPR) applies to your company (provision of products or services directed to European data subjects, Art. 3 No. 2 a) GDPR)
     
  • If yes: As a company not established in the Union, inform your EU representative (Art. 27 GDPR) about the breach
     
  • Check whether there is data breach notification requirement (not later than 72 hours after becoming aware) and therefore decide whether the personal data breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR)
     
  • Make a documentation of the personal data breach, its effects and the remedial action taken and notify the personal data breach to the supervisory authority competent in accordance with Art. 55 GDPR.

Firm: Eugene F. Collins
Jurisdiction: Ireland
Author: David Hackett, Managing Partner
 
Where there has been a data breach - the following steps are critical in terms of ensuring compliance with Irish legislation:  
  • Give immediate consideration to directly informing those individuals whose data has been compromised in the breach.  This allows the people involved to take steps quickly to protect themselves.  Depending on the data involved you should also notify the Gardai (police) and financial institutions/banks and any other relevant third parties.
     
  • Assess any technological measures that you can take (e.g. remote destruction of data) which would minimize the effects of the breach on the individuals concerned.
     
  • The default position should be that notification of the breach is made to the Irish Regulator - being the Office of the Data Protection Commissioner. Depending on the specific circumstances of the breach - this may not always be necessary - but the starting point should be that a notification should be made within two working days of becoming aware of the breach.   Note that important changes to this area and mandatory breach reporting requirements will apply in Ireland under GDPR which comes into effect on 25 May 2018.
     
  • Depending on which business sector you operate in, ensure that if any additional industry specific Regulations or codes of practice apply, that you are aware of same and you comply with them.
     
  • Keep written records and documents of all the steps you take following discovery of the breach.  Document decisions that are made and the reasons why those decisions were taken (including what issues were considered in making the decision) to demonstrate compliance to the Regulator.

Firm: GLIMSTEDT
Jurisdiction:
Lithuania
Author:
Raminta Stravinskaitė, Associate
 
The only obligation imposed by applicable laws of the Republic of Lithuania in the event of a cyber incident and (or) data breach is to communicate to the competent authorities and, in certain cases, to data subjects the cyber incident and (or) data breach if that cyber incident and (or) data breach results in a personal data breach (cyber incidents that lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed).
 
Under current legislation, a mandatory obligation to report a cyber incident and (or) data breach is imposed only on: (i) public administration entities that manage state information resources; (ii) critical information infrastructure managers; (iii) providers of public communication networks and/or publicly available electronic communications services; and (iv) providers of electronic information hosting service. The reporting obligation does not apply to private businesses, unless they are critical information infrastructure managers or electronic information hosting service providers.  
 
Electronic information hosting service providers in addition: (i) are required to inform electronic information hosting service clients immediately and without charge of any incidents and/or integrity breaches having a moderate or significant impact, (ii) may take emergency measures, including temporary suspension of electronic information hosting service, where a cyber incident or an integrity breach occurs or where an imminent threat of an incident and/or integrity breach exists.
 
A general notification obligation for businesses arises only with coming into force of the General Data Protection Regulation (GDPR) (2016/679) from 25 May 2018. It says that the controller, whether it is a private entity or a public administration entity, must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. In addition, the GDPR requires mandatory notification of a personal data breach to data subjects where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.

Firm: Arendt & Medernach
Jurisdiction: Luxembourg
Authors: Sophie Wagner-Chartier, Partner and David Alexandre, Senior Associate
 
To the best of our knowledge, Luxembourg law does not incorporate any general obligation related to data breaches. For the time being, the only legal obligation in this regard is incumbent on the providers of electronic communication services available to the public (such as telephone companies or Internet service providers), who must notify the Luxembourg data protection supervisory authority (the "CNPD") of any known data breach within 24 hours once they become aware of such breach. They must also notify their subscribers about such breach, insofar as the breach is likely to impair the level of protection of their privacy and of their personal data. Apart from these legal obligations, when a data breach is discovered and it is owed to a cyberattack, we generally recommend that our clients file a criminal complaint with the law enforcement authorities, so that an official criminal investigation may be launched. As far as financial institutions are concerned, it is generally considered good practice (albeit not a legal obligation) for them to notify the Luxembourg financial supervisory authority (the "CSSF"), for transparency purposes. Finally, data controllers should all be aware that they will be legally bound to notify the CNPD and the data subject of such breaches when the General Data Protection Regulation ("GDPR") comes into effect in May 2018, notwithstanding their fields of activities.

Firm: Hjort
Jurisdiction:
Norway
Author:
Monica Syrdal, Partner
 
The five most important steps would be to take remedial action as soon as possible, notify the Data Protection Authority and (if you are a processor) the controller without undue delay, to notify affected persons and to document your actions:
  • Remedial action must be undertaken without undue delay to prevent further data breach and to rectify (if possible) the consequences of the data breach.
     
  • A data breach involving personal data which require confidentiality must be notified in writing to the Norwegian Data Protection Authority without undue delay. In Norway this includes sensitive personal data, personal identification numbers, personal data subject to confidentiality, personal data that are sensitive in respect of the amount and type of information, or information that an undertaking considers confidential in relation to its customers, such as account information or purchase history. With effect from May 2018, such notification must be made no later than 72 hours after the undertaking has been made aware of the data breach. If there is any risk that the Authority could receive information about the data breach from a third party, it is advisable to make initial oral contact with the Authority. The notification shall describe the data breach (e.g. type of data breach, how and when it happened, when the notifying party became aware of it), its consequences (e.g. what kind of persons and personal data are involved, the number of persons affected and the kind/number of persons who have gained unauthorized access to the information), any remedial measures undertaken, and provide contact details for a contact person. It is possible to make such notification through the Authority's website. The above described obligation to notify rests with both the controller and the processor. 
     
  • If you are a processor and become aware of a data breach, you must notify the data controller about the breach without undue delay after becoming aware of the data breach. 
     
  • Today, best practice is for the controller to notify the data breach to affected persons. With effect from May 2018, a controller will be legally obliged to notify affected persons in clear and plain language and without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms. Such notification shall include information about the consequences of the data breach, any remedial measures undertaken and provide contact details to a contact person. If individual communication would entail an inappropriate effort, public communication or similar measure may be sufficient. There will be certain exceptions to obligation to notify affected persons, if certain qualified measures have already been undertaken that would effectively mitigate the risk of the data breach. 
     
  • The facts relating to the data breach, its effects and the remedial measures undertaken must be documented to enable the Authority to verify compliance. 

Firm: Musat & Asociatii
Jurisdiction:
Romania
Author:
Bogdan Mihai, Partner
 
Data breaches are very prejudicial since, although affecting severely the company holding the data and its clients alike, the damaging effects are seldom unforeseen and extend long after the initial breach. In this respect, and in line with the principles of the Romanian law, the company victim of a data breach should take the following steps:
  • Determine what was affected, in order to evaluate the extent of the damage  and to control it.
     
  • Change all passwords, or interrupt affected services, in order to prevent further breach on the same attack type. 
     
  • If the targeted company is a telecommunication services provider, it should notify the Data Protection Authority about the breach. 
     
  • Improve upon security measures, in order for such breaches not to be repeated in the future.

Firm: Brodies
Jurisdiction: Scotland
Author: Grant Campbell, Partner and Martin Sloan, Partner
 
Action your data breach management plan immediately. The priorities are investigating the scope of breach (what data and who is affected) and containment so that things don't get worse. Involve independent experts where needed, and preserve and gather any relevant evidence, such as system logs. Consider who you need to notify, including insurers and law enforcement agencies.  Under the new EU General Data Protection Regulation, which comes into force on 25 May 2018, there are compulsory requirements to notify privacy regulators (such as the ICO in the UK) for serious data protection breaches but, in addition, sector specific rules may require that breaches are notified to other regulators.
 
In terms of those affected, remember it's not just a question of legal liability to them. You should look at the breach from their perspective in terms of the harm that they are exposed to. Effective and sympathetic communication is essential if client confidence and trust is to be saved.

Firm: Kelvin Chia Partnership
Jurisdiction:
Singapore
Author:
Nicholas Teo, Senior Consultant
 
The Personal Data Protection Act 2012 ("PDPA") requires organisations to make reasonable security arrangements to protect the personal data that they possess or control, to prevent unauthorised access, collection, use, disclosure or similar risks. In the event of a data breach, an organisation should immediately:
  • Contain the breach by, inter alia, shutting down/isolating/disabling the compromised system, and taking steps to recover any lost data;
     
  • Limit the impact of the breach by notifying affected individuals of the breach (especially if it pertains to sensitive personal data) together with steps that may be taken to avoid the potential abuse of such data;
     
  • Notify the police if criminal activity is suspected and preserve evidence of any malicious activity (e.g. unauthorised access) for investigation;
     
  • Notify the Personal Data Protection Commission of the breach; and 
     
  • Take remedial action to prevent further similar breaches.

Firm: PETERKA & PARTNERS
Jurisdiction: Slovakia
Authors: Andrea Farinic Stefancikova, Partner and Jan Makara, Partner
 
In Slovakia, there is a similar situation as in the Czech Republic. Currently, only the Slovak Act on Electronic Communications expressly stipulates duties of the companies providing a publicly available electronic communications service (telecommunication companies) related to data breaches. In the event of a breach of protection of the personal data of a natural person, the telecommunication company must:
  • Notify this fact to the Slovak Office for Personal Data Protection ("Office") without undue delay. Such a notification must contain (a) the nature of the breach, (b) a description of the consequences of the breach of protection, (c) the protection measures the company has adopted, or proposes adopting, for mitigating the adverse consequences of the breach, (d) the date of the breach and (e) the date when the breach was discovered by the telecommunication company;
     
  • Notify this breach to the respective users (natural persons), unless, before this, the company had proved to the Office that it adopted reasonable technical protection measures which applied to the data subject to the breach (such measures must ensure that the data are unreadable to unauthorised persons); the Office can also require that the company makes such notification. In this notification, the company must indicate (a) the nature of the breach of personal data protection, (b) recommendations for the implementation of interventions to mitigate the impact of the breach of personal data protection and (c) the contact information location. 
     
  • Maintain a list of breaches of personal data protection, including information on the circumstances of the breach, its impacts and measures adopted to remedy the situation.
 
The other companies are obliged to 
  • Prevent damages under the Slovak Civil Code. 
     
  • From 25 May 2018 under the GDPR, fulfil basically the same duties related to data breaches as telecommunication companies now, including notification duty towards the Office and data subjects.  

Jurisdiction: South Africa
Author:
Bob Groeneveld, Director
 
The Protection of Personal Information Act 4 of 2013 ("POPI") was signed into South African law in 2013 but, to date, only a few provisions have come into effect and the Regulations are still in draft form. It is expected, however, that the Act will be fully implemented in 2018, after which natural and juristic persons will have at least one year to conform.
 
Steps to take when personal information has been accessed or acquired by an unauthorised person, according to POPI:  
  • Where there are reasonable grounds to believe that the personal information of a data subject (the person to whom the personal information relates) has been accessed or acquired by any unauthorised person, the responsible party (person who controls or processes the personal information) must notify the Information Regulator (body established by POPI to monitor and enforce compliance) and the data subject as soon as reasonably possible after the discovery of the compromise.

  • The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification will impede a criminal investigation.

  • The notification to the data subject must be in writing and sent via email or to the data subject's last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media; or as directed by the Information Regulator.

  • The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise and must include a description of the measures taken by the responsible party to address the security breach, as well as a recommendation on what measures the data subject should take to mitigate the possible adverse effects of the breach.

  • The responsible party must also provide the identity of the unauthorized person who may have accessed or acquired the personal information, if this is known to the responsible party.  

Firm: LALIVE
Jurisdiction: Switzerland - Geneva
Authors: Simone Nadelhofer, Partner; Sonja Maeder Morvant, Counsel; Katja Böttcher, Legal Project Manager; and Jonathon Boroski, Associate
 
We recommend a proactive approach that includes awareness of local requirements, adherence to a pre-prepared, rigorously tested crisis response plan and communication of the breach to the authorities and customers in a timely fashion. Companies often keep harmful data breaches under wraps in fear of the potential legal and reputational ramifications. While delaying disclosure can allow companies time to properly investigate the extent of the breach, Equifax waited over a month before notifying its customers. While the Swiss Data Protection Act (DPA) does not currently include a mandatory notification period, the updated DPA should be implemented sometime in 2018 and be in line with the requirements under the European Union General Data Protection Regulation (EU-GDPR), which will be enforceable from 25 May 2018. Under the EU-GDPR, organizations will have a duty to notify the supervisory authorities within 72 hours of a data breach at the risk of heavy fines. In Switzerland, a notification to affected parties may also be required depending on the seriousness of the breach and can mitigate further damage resulting from the leaked data. A comprehensive incident response plan as well as the appointment of a data protection officer are crucial elements in properly managing data breaches and minimizing the risks to the organization and its customers. 

Firm: Burr & Forman LLP
Jurisdiction:
Alabama, USA
Author:
India E. Vincent, Head of IP/Cybersecurity Practice
 
If you were the victim of a cyber-attack and have now confirmed your data was breached, if you have not already, you should first contact your data privacy / cyber-security attorneys.  This serves at least two key purposes.  First, it allows you to invoke the attorney-client privilege with regard to discussions surrounding the breach, giving everyone the ability to talk more freely as you work toward a resolution.  Second, your counsel will assist you in confirming which, if any, reporting requirements apply to your breach.  If reporting requirements do apply, your attorney will assist you in meeting those requirements.  You also should work with your counsel to notify your insurance carrier of the breach.  The next step is to understand what happened.  Presumably some type of forensic investigation was conducted to confirm the data was compromised.  Understanding specifically what data was compromised and how it was compromised is key both to determining your obligations going forward, and to making sure that the breach is completely mitigated.  During this process, you will also want to determine whether to notify law enforcement, and if you do, the appropriate time to notify law enforcement of the breach.  Not only can working with law enforcement provide access to additional resources to assist in containing a breach, but it is also a necessary step in trying to identify those responsible for the attack. As all of this is occurring, someone needs to be focusing on communications: communication among your response team, communication internally at your organization, communication with your clients and customers, and communication with the press and public.  No one wants to be in the spotlight as a result of a data breach, but communicating in a timely manner with clear and thoughtful information is critical to preserving confidence in your organization.  
Needing to move on all of these items essentially simultaneously highlights the importance of a response plan that lays out each person's responsibilities and the steps that are to be taken, so that when a timely response is needed your organization is able to react as efficiently as possible.

Firm: Holland & Hart
Jurisdiction: Colorado, Idaho, Nevada & Wyoming, USA
Author: Tracy Gray, Partner
 
In the U.S., upon discovery that personal information has been compromised, the initial critical steps should be:
  • Bring out your security breach incident response plan and gather the pre-determined team to ensure all actions are covered.  The team should include representatives from legal, IT, communications, HR, and others as necessary, based on nature of data that was compromised.
     
  • Analyze the types of personal information that have been breached.  If health or financial data was compromised, federal sectoral laws, specifically, HIPAA and/or GLBA, may be implicated.
     
  • Determine the state of residence of each individual affected by the breach. While 48 states have enacted legislation requiring private or governmental entities to notify individuals of breaches involving personally identifiable information, there are variations from state to state, including time frame for notification, whether certain state regulators must be notified, content and requirements for the notification.
     
  • Conduct internal investigation, making sure to preserve forensic evidence.  During this step, it will also be important to determine who owns the data, as that may drive which entity should provide the notifications to individuals and regulators.
     
  • Contact law enforcement immediately to investigate the security breach while the evidence is fresh.  

Firm: Wiggin and Dana
Jurisdiction: Connecticut, USA
Author: Michelle Wilcox DeBarge, Partner and John B. Kennedy, Partner
   
The most important critical step to comply with applicable regulatory requirements in the event of a data breach is actually what you do before a breach occurs and is discovered, not after. In the U.S., post-breach investigations and litigation increasingly focus not only on the breach itself, but also on the quality of the victim organization's overall breach response. The recent Equifax breach is the latest example of this trend. One of the first things regulators in the U.S. ask to see in the wake of a breach is the incident response plan. Developing and practicing a comprehensive incident response plan in advance through planning and periodic testing exercises (e.g., a mock security incident) is therefore critical. Once a breach is discovered, the plan can then be executed in a systematic and organized fashion while taking into account the unique circumstances of the particular breach. The alternative, figuring out an ad hoc response process as you struggle in the middle of an actual breach event, will only make a bad situation worse. The plan should include components required by applicable state and federal regulations, including investigation, breach notification to affected individuals and regulatory authorities, and mitigation obligations. The plan should also: (i) designate an incident response team; (ii) consider insurance coverage notification requirements; (iii) outline a process to contain the breach; (iv) provide for the development of an internal and external communication plan; (v) require identification of the root cause; and (vi) once the breach is contained and notifications have been made, mandate the implementation of corrective action and associated changes to operational and compliance practices going forward.  

Firm: Bilzin Sumberg
Jurisdiction:
Miami Dade County, Florida, USA
Author:
James Ward, Associate

The first days after a data breach are critical. Although there is no perfect way to handle a breach, lessons learned from prior breaches offer a good guide to how best to respond, and how not to. The first step is to identify the problem and determine how far it goes.  Simply downloading a patch for vulnerable software or hoping for a "kill switch" as with the WannaCry ransomware will not always solve the problem. Thoroughly examine the breach and try to detect other vulnerabilities. Second, log all of your efforts to rectify the problem. This information is not only valuable in terms of establishing a clear process, it often is necessary to include in reports to government and regulators. Next, review state law breach notification requirements. Some states do not require that you notify consumers if the breach is "minimal" or unlikely to cause damage, but most states do not. Failure to timely notify affected consumers (or, in some cases, the state Attorney General) can result in heavy penalties. Whatever the requirements are, treat them as bright-line rules. States have dramatically increased their enforcement of these laws in recent years, and there is no sign that this will change. Finally, determine whether you need to report to any federal agency. Although there is no general privacy law in the US, industry-specific regulations (GLB, FERPA, HIPAA) may require you to contact regulatory agencies to inform them of a breach. Again, failure to do so can result in penalties and fines, so delay is not advisable. And of course, the General Data Protection Regulation (GDPR) has stringent notification requirements for EU companies or those doing business in Europe. All breaches (even de minimis ones) must be reported within 72 hours. Failure to properly account for breaches can result in escalating penalties, eventually amounting to 4% of global annual turnover. 
Although following these steps can seem daunting, if they are part of a more comprehensive data security protocol, it will be far easier to manage. Consult with data security counsel to help draft a policy that works best for your company.
  
Firm: Buchanan Ingersoll & Rooney
Jurisdiction:
Florida (Outside Miami Dade County), USA
Authors:
Sue Friedberg and Matthew Meade, Co-chairs Cybersecurity and Data Protection Group
 
It is most important that clients not jump to the conclusion that a possible security incident is a legally reportable "breach." The term "breach" involves very specific legal criteria (as to type of compromised information and likelihood of unauthorized access) that are different under each state's breach notification laws and any applicable Federal laws.  
  • We advise clients to start with Step One of their Incident Response Plan. If they don't have an Incident Response Plan (and they should, because regulators will expect to see a plan and it's a cybersecurity best practice), the client needs to do several things at once:
    • IT needs to coordinate with Legal about what is being done to contain any spreading if a malware attack is involved without destroying evidence and to decide if law enforcement needs to be called in right away;
    • IT should identify which databases, servers, machines etc. may have been impacted so that a preliminary assessment can be made as to what types of data may have been compromised;
    • Assemble a team of senior managers from C-Suite, Legal, IT, Risk Management, Communications, possibly HR ("Team") to put someone in charge of the response effort, assess the likely severity of the incident, and begin planning a centralized response; and
    • Notify the cybersecurity insurance carrier.
       
  • Bring in experienced cybersecurity legal counsel who will advise on legal issues and engage an independent forensic expert to try to investigate, among other things, what aspects of the system may have been compromised and for how long, whether any data was accessed or exfiltrated. The insurance carrier will have a list of pre-approved legal counsel and forensic investigators. If the client has a plan in place, the lawyers and investigators will have been identified in advance as part of the plan.
     
  • Alert all individuals with knowledge of the incident to maintain strict confidentiality and direct any questions to a single individual designated by the Team to be the central point person for all internal and external communications about the incident.
     
  • Rapid and accurate response is critical, because if the incident meets the criteria for a reportable breach under applicable state and/or Federal law, the timeframes for providing notice to affected individuals are very short, ranging from 30 to 60 days from first discovering the incident.

Jurisdiction: Louisiana, USA
Author: The Phelps Dunbar Cybersecurity and Data Privacy Team
 
  • If there has been a "compromise of the security, confidentiality, or integrity of a computer data system" that includes individuals' "personal information" maintained by that company (i.e., social security number, driver's license number, and certain financial account information), the company's reporting obligations are triggered under La. Rev. Stat. § 51:3071 et seq.  The company must provide notice to Louisiana residents "in the most expedient time possible and without unreasonable delay."  La. Rev. Stat. § 51:3074(C).  The company also must provide notice to the Consumer Protection Section of the Louisiana Attorney General's Office within ten days of providing notice to residents.
  • Louisiana's data breach notification statute does not expressly include medical information in the definition of "personal information," and the notification statute only will be triggered if the medical information at issue also contains "personal information" such as social security number, driver's license number, or certain financial account information.  La. Rev. Stat. § 51:3074(C).  Nevertheless, if protected health information ("PHI") has been compromised, data breach reporting and notice requirements will be triggered under the Health Insurance Portability and Accountability Act ("HIPAA").  HIPAA requires notice to the impacted individuals without unreasonable delay, and no later than 60 days of discovering the breach.  For breaches impacting more than 500 individuals, HIPAA also requires media notice and notice to the Secretary of Health and Human Services no later than 60 days of discovering the breach. 
  • Louisiana's data breach statute does, however, provide a safe harbor provision that spares a company from providing notice of the breach if, after a reasonable investigation, the company determines that there is "no reasonable likelihood of harm to customers."  La. Rev. Stat. § 51:3074(G).   Any breached company must perform this analysis when evaluating its response requirements, and the decision to not send statutory notice must not be made lightly.  A company should thoroughly document its analysis and findings if it determines that the data breach likely will not harm Louisiana residents, as this decision may later be challenged by the Louisiana Attorney General's Office or aggrieved individuals impacted by the data breach. 
  • In the event of a breach, Louisiana's statute does not require credit monitoring, although the breached company may elect to offer credit monitoring as a courtesy and to help its image with customers. 
  • Lastly, as it relates to enforcement, the statute allows the Louisiana Attorney General's Office to levy civil fines against breached companies who violate the notification statute, and also creates a private cause of action for aggrieved individuals.  La. Rev. Stat. § 51:3075.

 
Firm: Miles & Stockbridge
Jurisdiction:
Maryland, USA
Author: 
Veronica D. Jackson, Associate
 
There are several key steps to take immediately upon discovery of a personal information data breach. First, contact your company's incident response team pursuant to your Written Information Security Plan ("WISP").  (If you don't yet have a WISP, contact your data security counsel and create one immediately to plan for any future cyber incidents.)  Second, assess the scope of the breach (i.e., whether data was acquired or simply accessed by the hacker, whether the breach is ongoing, who suffered a breach of their personally identifiable information, and the type of information that was exposed).  Third, contact law enforcement and any relevant insurance carriers to assist with coverage of costs for the data breach response effort and to prevent potential coverage waiver for tardy notice. Fourth, stop the breach, if possible, through remedial data security measures, possibly with the assistance of a forensic IT consultant to bolster your company's security systems. Fifth, analyze data breach compliance requirements by gathering the jurisdictions of residence for the affected population and assessing what notification requirements are triggered by each applicable statute.  Data breach compliance requirements may also be triggered by the regulatory framework over the type of information that was exposed (i.e., HITECH and HIPAA compliance for personal health information).
 
Finally, prepare a data breach response plan that attempts to mitigate potential harm to the affected population and complies with applicable data breach requirement statutes and regulations.  For affected persons residing in Maryland, for example, notification is not required if, after an investigation, the entity determines personal information has not been or is not likely to be misused.  Documentation of that conclusion, however, must be retained by the entity for three years.  In the District of Columbia, there is no such "likely harm" exception to notification.  In instances where notification is required in Maryland, even for just one Maryland resident, notice must first be sent to the Maryland Attorney General's data breach notification department.  The District of Columbia does not require notice to its Attorney General.  Both Maryland and the District of Columbia require, in instances where 1,000 or more of their residents are receiving notice at a single time, that notice must be sent to all nationwide consumer reporting agencies regarding the timing, distribution and content of the notices.
  
Firm: Stinson Leonard Street
Jurisdiction:
Minnesota, USA
Author:
Steve Cosentino, Partner and Chair of Intellectual Property & Technology Division
 
The first step is to advise your client to immediately contact their insurance carrier who will want to budget the various steps in the remediation process.  Many carriers do not yet have a protocol for budgeting this sort of matter, so your counsel will be important in putting a budget together that works to address the various remediation and notification steps.  Immediately engage a reputable cybersecurity forensic investigative firm to investigate the matter.  If the breach does not involve PCI (Payment Card Industry) data, you may be able to use your law firm to hire the cybersecurity firm to try to preserve privilege.  PCI related data requires a PFI (PCI Forensic Investigator) investigation and, in that case, your client will likely be required to hire the forensic firm directly.  An investigation is important for both remediation and to determine the likelihood of harm.  Many jurisdictions have exceptions to notice requirements if it is determined that harm is unlikely to occur.  Next, it is important to receive a report from your client as to the number of consumers whose records have been breached and the jurisdictions in which those breaches occurred.  This information will enable you to determine whether notice requirements apply, alternative notice provisions, notice timing, and the scope and content of the notices. Many US states require reporting to the state attorney general or other authority. For data breaches that involve international jurisdictions, determine whether there is also a national reporting requirement.  Canada, for example, requires reporting to the Privacy Commissioner of Canada. 
  
Firm: McLane Middleton
Jurisdiction:
New Hampshire, USA
Author:
Cameron Shilling, Director, Litigation Department and Chair of Privacy and Information Security

New Hampshire is just one of the 48 states that requires prompt notification of its attorney general and residents affected by a data security breach. A company's timeliness, proactivity, and compassion when providing notice and handling the multitude of other issues that arise in a data security incident are critically important factors that influence the perception and reaction of the affected individuals, news media, state and federal regulators, and public at large. Inexplicable delays, obtuse customer service, and dissemination of inaccurate information can eviscerate a company's reputation and, consequently, its financial health.  By contrast, promptly disclosing accurate and helpful information to customers, regulators, and the media, compassionately and timely responding to concerned stakeholders, and efficiently providing thoughtful and meaningful remedies for individuals affected by a breach are the key ingredients for a company to skillfully navigate this situation.  In addition, regulators auditing a company post-breach, and determining the amount of fines to levy, focus critically on not only the immediate cause of the breach and the propriety of the company's response to the breach, but also the extent to which the company had complied with data security regulations and industry best practices before the breach.  So, let Equifax be a lesson for all businesses: if you have never before completed a comprehensive risk assessment and data security process, do so immediately; and if you have done so recently, take the opportunity this year to reassess your data security protocols and policies and determine if your business has any new or unidentified vulnerabilities or opportunities to enhance its data security.

  
Firm: Porter Hedges
Jurisdiction:
Houston, Texas, USA
Author:
Heather Hatfield, Partner
 
In Texas, a person or company that conducts business in the state has duties both before and after a data breach.  In order to comply with the Texas data breach notification statute, companies that conduct business in Texas should take the following steps:
  • Develop a Plan - Prior to a data breach, companies must implement and maintain reasonable procedures to protect against the disclosure of sensitive personal information, including taking any appropriate corrective action once a breach occurs.  Regardless of whether a company gathers or keeps sensitive personal information of its customers, nearly every company has sensitive personal information related to its employees. Therefore, every company should have procedures in place before a data breach occurs to comply with Texas statutory requirements. 
  • Investigate the Breach - Once a company believes that a breach has occurred, it must investigate the breach immediately to determine the extent of the breach.  An important part of the investigation includes collecting, analyzing and preserving the data at issue.  Proper forensic retention of data may become crucial in any criminal investigation.  
  • Determine the Residences of those affected - Each state has its own notification requirements.  If a person is a resident of Texas, they must be notified "as quickly as possible" of the breach in writing.  If a person is a resident of another state, notification can be provided pursuant to the laws of that state. 
  • Provide written notice - The Texas statute is not specific about the language required in the notice, but it does require that notice shall be provided "as quickly as possible."  If more than 10,000 people are affected by the breach, a company must notify all of those affected by the breach, as well as each consumer reporting agency.
  
Jurisdiction: Utah, USA
Author: Tomu Johnson, Partner
 
After a data breach, an organization should do the following: engage outside counsel; confirm that an event has occurred; and consider calling your insurance provider.  After a suspected data breach, engage outside counsel to apply the attorney client privilege during the investigation.  Before notifying others about the incident, verify that a breach occurred, what happened, and who was affected.  Prematurely notifying people about an incident creates panic and complicates the investigation.  Finally, once you have confirmed an incident, call your insurance agent and ask to notify relevant insurance carriers about the incident.  Your insurance provider will have incident response coaches, incident management attorneys, and security investigators who can help manage the breach.