Hi, I'm Chris Hart, an attorney at the law firm Foley Hoag in Boston, and part of Foley Hoag's cybersecurity incident response team. I want to talk through how to think about the legal role involved in incident response. Obviously, I'm not giving legal advice here, but instead I want to provide a broad framework that I hope can be helpful to you as you think about navigating a data breach.
Hopefully by the time you're responding to a data security incident, you've already put together a data breach response plan, identified the members of your team, your forensic investigators, legal counsel, PR firm, and have a good sense what you need to do.
From a legal perspective, let me start by giving you an overall legal framework. First, the important question is: what laws apply? In the United States, the answer is that state law probably applies and federal laws might apply. On the state level, data breach notification laws are almost as numerous as the number of states. In fact, the only states without data breach notification laws at the moment are Alabama and South Dakota. Many of these laws are very similar to one another. For example, they'll define what personal information will matter. Normally the personal information that matters and that triggers a data breach notification law, if compromised, will be some part of a person's name and some other sensitive information, like a social security number, a bank account number or a health ID number.
They'll define what constitutes a breach of data security, which is normally knowledge of a breach or a reasonable belief that some breach has likely occurred, and they'll note whether it is mere access of personal information, use of that personal information, or some actual harm like evidence of identity theft that will trigger legal obligations.
On the federal level, it's important to note that there's no national all-purpose data breach notification law, although there have been from time to time attempts in Congress to create such a law. However, there are a few important caveats to that statement. One is that there are sector specific, and thus agency specific regulations. That's true, for example, of the healthcare industry, which is governed by the Health Information Portability and Accountability Act, or HIPAA, and the banking and financial services industry, which is governed by the Graham-Leach-Bliley Act, or GLBA. Agencies like the Securities and Exchange Commission and the Federal Trade Commission, have broad authority as well.
Now that we have some sense of the legal framework, what obligations attach? If you suffered a data breach, one of the reasons for conducting an efficient investigation as quickly as possible is that you want to know how many people have been affected, and where those people reside, so that you can notify them of a breach. If you run a nationwide business with consumers all over the country, there's a good chance you'll need to consider the obligations that attach in each state where you have a consumer. You'll need how to tailor your responses to those consumers depending on each state's requirements.
I should note that sometimes states will allow you to follow your own policies as a way of being in compliance with state statutes, and sometimes the way you can notify individuals will depend on the number of individuals affected. While most of the time you have to notify individual consumers directly through written notice, many states will allow that if a large number of people are affected, notification can be done through, for example, a website.
Some states will also require that state agencies be notified of the breach. Often this means notifying the state attorney general's office. Sometimes it will be also, or alternatively, notifying a consumer protection agency or dedicated cyber security agency, or even the state police. States will also require certain kinds of information be provided in the notices to consumers and to agencies, such as the nature of the breach, what has been done to mitigate the breach, and what protections will be provided to consumers. Some states will also require that credit monitoring be provided to affected residents for a period of time, and normally that'll be for about a year.
And there are also timing requirements. While many states only require notification occur within a reasonable time from the discovery of a breach, a few states require that notification be given within a specified time frame, such as 14 or 30 days, and missing a deadline can potentially lead to having to answer uncomfortable questions later.
Obligations differ on the federal side, depending on the statute or regulation at issue, but a good rule of thumb is that acting reasonably, that is investigating quickly and effectively, notifying consumers and state agencies, providing protections to affected individuals, can go a long way to meeting obligations imposed by federal regulations.
What about calling the police or the FBI? That's normally not a specific requirement, but data breach notification laws allow for delays in notification if law enforcement is involved. Sometimes you might be tipped off to the existence of a breach based on a call from law enforcement. Sometimes though, you might be concerned about criminal activity and should consider reaching out to law enforcement yourself. Legal counsel can help you decide when this is appropriate or prudent.
That's it for this week's Whiteboard Wednesday. I hope this is giving you some understanding of the legal framework. These are the kinds of things I'm thinking about when I'm asked for advice about a data security incident, and probably the kinds of things your legal counsel will be thinking about too. Thank you.
