At a recent international economic forum, John Chambers, CEO of Cisco Systems Inc., stated that “[t]here are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.” Over the past two years alone, cyberattacks have increased three-fold according to the Verizon 2014 Data Breach Investigations Report. The headlines are replete with instances of massive identity-theft breaches, including Target, Chase, eBay, Home Depot, Barnes & Noble, P.F. Chang’s and, most recently, the breach at Anthem affecting up to 80 million people. Typically the breaches are financially motivated, so the targets include retail organizations, restaurants, food-service firms and banks.
One in five data breaches, however, is a cyber espionage case in which the hackers target manufacturers and computer and engineering firms that typically hold a large amount of intellectual property, such as trade secrets, proprietary manufacturing processes, designs and product formulas. Notably, Verizon found an almost 50-50 split between the number of large organizations and small organizations that experienced breaches related to cyber espionage targeting intellectual property, and the attackers used the exact same tactics against both. It appears that regardless of industry or size of the company, every organization should be prepared to respond to an attempted or actual data breach or cyberattack.
Data breaches can be very stressful events for an organization, and counsel should be prepared to help a client navigate the complexities of a proper response. At the end of the day, maintaining the client’s ongoing relationship with its customers and its reputation in the marketplace should be the primary goal of the client and counsel. One way to think about how to respond to a data breach event is to look at the various liabilities that may arise from a data breach: regulatory, civil and potentially criminal.
Regulatory compliance and reporting obligations
Once an organization suspects that confidential information may have been compromised or acquired by an unauthorized person, there is a duty to investigate whether an actual breach has occurred. Typically, in-house IT professionals are not equipped to handle such an inquiry, and outside forensic examiners are almost always necessary to identify whether and how a breach occurred. Those examiners should be able to: 1) ensure that the breach is contained; and 2) preserve all of the information in the process so that the evidence of the data breach is not destroyed or altered in any way.
Indiana has what is referred to as an acquisition-based data-breach notification statute, see Ind. Code §§24-4.9 et seq.; §4-1-11 et seq. In Indiana, a breach has occurred when computerized data has been acquired by an unauthorized person and transferred to another medium. Once that occurs, the notification requirements of the statute are mandatory and require notification to each affected person and to the attorney general. Other states have risk-based notification statutes, under which a company must first determine whether the stolen data poses a material risk of identity theft before the notification requirement is triggered. All statutes, however, contain provisions for penalties, whether enforced by the attorney general or through a private cause of action, if notification is not made without unreasonable delay.
Currently, there is no federal requirement for reporting data breaches, unless the breach involves the Department of Defense. State regulators, however, can act quickly: the attorney general of Connecticut, for example, opened an investigation into the Anthem data breach the same day Anthem announced the breach. In any event, an organization must determine the state of residency of each affected person and comply with the notification laws of every state involved.
At the same time an organization is investigating the breach and preparing the various notifications under state law, it must consider the high likelihood that a civil lawsuit will be filed on behalf of persons affected by the breach. Multiple civil lawsuits were filed just one day after the announcement of the Anthem breach, and dozens of class actions have since been filed all over the country. Counsel should be engaged early in the process. This will help to ensure that an organization meets its obligations to identify, locate and preserve potentially relevant documents and electronically stored information; determine other potentially responsible parties; conduct a thorough investigation; and establish the protections of the attorney-client privilege. Beyond the traditional litigation concerns, counsel should also be prepared to discuss and recommend early mitigation techniques, including credit monitoring and identity theft restoration services to affected individuals.
In addition, counsel should discuss insurance coverage issues and determine whether there may be coverage under the organization’s liability policies. While many general liability policies exclude lost data, they often cover physical damage, which may include loss of use of computers. Also, where plaintiffs allege emotional or psychological harm, the general liability policies may include coverage for personal injuries. Finally, many organizations have dedicated cyber-risk insurance, and those policies must be examined to determine exactly what, if anything under the particular circumstances, is covered by the terms of the cyber policy.
To date, there do not appear to be any criminal proceedings that have been instituted against an organization as a result of a data breach. This makes sense given that the organization is typically as much a victim of outside criminal activity as the individual whose information was stolen. That does not mean, however, that an organization has no duty to investigate whether any individual employees participated in the breach, whether by providing access to the systems or by stealing the protected information and selling it to cyber criminals. The FBI, in its anti-cyberterrorism role or in its more traditional role regarding bank and credit fraud, is often involved. Counsel should be prepared to answer inquiries, respond to subpoenas and otherwise facilitate cooperation with the investigation.
A data breach can be a messy, stressful event for a client. Counsel should be prepared to guide the client through the various legal hurdles while keeping in mind that the client’s ongoing relationship with its customers and its reputation in the marketplace are of primary concern. If the client acts swiftly to eliminate the source of the breach and avoid future damages, communicates clearly and honestly with customers and regulatory agencies, and treats the customers fairly by providing credit monitoring and/or some type of fraud protection, those measures will go a long way toward minimizing long-term damage to the organization and its reputation.
John McCauley is a partner at Bingham Greenebaum Doll LLP and specializes in commercial litigation. The firm and its partners are currently representing clients in active data/privacy breach class-action litigation. The opinions expressed are those of the author.