Data breach and cyber security incident notification and disclosure requirements vary by industry and jurisdiction, and extend well beyond privacy-related requirements. Businesses typically must meet an array of externally and internally imposed obligations, often with varying and even conflicting thresholds, timelines and structures. This article outlines three key steps to consider when navigating this complex process.
Assess the scope of legal requirements pertaining to data and systems
With respect to data, and in advance of a potential breach, companies should understand the laws, regulations, contractual commitments, and policies that apply to the non-public information they collect and hold, or which is collected or held on their behalf. Relevant data includes, but far exceeds, personal information subject to privacy laws. Companies also must understand the obligations that surround protecting their own business secrets, as well as any third party information they obtained subject to confidentiality clauses and non-disclosure agreements.
When it comes to personal data breach notification, businesses should anticipate different and potentially conflicting thresholds in terms of whether an incident rises to the level of a reportable breach, what to report, the format of reporting it, and to whom and within what time limits the reporting must occur.
Under the EU’s General Data Protection Regulation (GDPR) for example, a data controller must notify the national or lead supervisory authority of a breach that poses any risk to the rights and freedoms of a data subject "where feasible" within 72 hours of discovering it. In addition, firms must notify individual data subjects of the nature of the breach when there is a high risk to their rights and freedoms. Conversely, in the US state-by-state model, the laws are frustratingly fragmented. Many states permit notification to be delayed for weeks or even months, and one state actually prohibits a business from including within its victim notification the nature of the breach or the number of its affected residents.
With respect to systems security, companies must consider technology-specific risks and disclosure requirements even when they do not involve a compromise of data. In the US for example, the Securities and Exchange Commission (SEC) requires publicly traded companies to disclose material cyber security incidents impacting data or systems, as well as non-material incidents when the disclosure is deemed necessary to assess and effectively communicate potential material risks. The rationale behind the requirement is a reasonable expectation that, for most companies operating in today’s technology driven and technology dependent economy, the public disclosure of known or anticipated cyber security risks would affect the value of the company’s securities or influence investor decisions.
Understand the consequences of failure
An organisation’s liability either for its failure to provide sufficient breach notice, to correctly disclose prior or ongoing incidents, or to truthfully state its actual security posture, can range from government imposed fines and audits, to losses in litigation, potential criminal prosecution, lowered consumer confidence, and ultimately hits against corporate value. In Europe, failure to comply with the GDPR’s breach notification requirement alone carries possible fines of €10 million or, if higher, two percent of total worldwide annual turnover of the previous financial year. Because of this substantial penalty, some companies find themselves erring on the side of a phased approach to notification well before all of the facts and regulatory requirements are established.
Still, financial fines are only one element of a regulator’s toolbox. When the US Federal Trade Commission (FTC) concluded that a technology manufacturer’s product line failed to offer ‘‘advanced network security’’ as advertised, the regulator planted its claws in the company for decades, requiring within a settlement that the manufacturer either maintain a comprehensive software security program for 20 years or get out of the IP camera and router market altogether.
Also of note, the typical secrecy surrounding internal breach investigations comes with its own set of problems. In the US, the SEC warned public firms that they must prevent insider trading (a criminal offence) by those privy to material information about an incident prior to its public disclosure.
Apply risk management principles
Notification and disclosure considerations should exist within the company’s larger enterprise risk management structure. Because a single breach can touch upon a wide range of business interests, it is sub-optimal to focus solely on regulatory requirements when determining whether, when, and how to communicate an incident.
To foster effective risk-based incident preparedness and response, one best practice is to review, practice, and update an incident response plan. For starters, practising a plan throughout the year with different scenario-based exercises helps establish and train the organisation’s response team (including legal, technology, security, finance, human resources, and public relations) and highlights the benefit of having outside forensic firms and legal counsel at the ready to assist. Equally important, scenario testing helps reveal whether the company’s existing risk management approach adequately anticipates and mitigates the likelihood of a successful attack and the consequences of such an event. During a tabletop exercise, it is important to focus on communications, to include mandatory disclosures. Regulatory requirements, media reports, consumer opinion, lawmaker concerns, competitor opportunism, as well as board and shareholder enquiries, may dictate that a firm discuss an incident before its cause and effect have been established (indeed, perhaps before it’s clear that a reportable incident even occurred). Messaging must be accurate, informed by legal and business considerations, and prepared to incorporate potentially modified investigative findings.
Another best practice is to maintain a cyber security risk registry to ensure corporate officers, directors, and advisers are aware of any material underlying shortcomings of the cyber security program, and agree on whether and how best to resolve them. Taken together, these formal risk processes build the foundation to establish post-incident what steps will be put in place to prevent a recurrence, and often demonstrate why it was reasonable that those fixes were not prioritised or otherwise in place from the start.
Businesses face increasing complexity in assessing whether, when, and how to provide incident notification and disclosure. By understanding the full scope of a company’s legal obligations and potential liabilities in advance of an incident, companies can apply risk management techniques to best prepare for and respond to the challenge.
Authors: F. Paul Pittman, Counsel & Steven R. Chabinsky, retired Partner of Counsel White & Case