by CSO Staff

When the Dike Breaks: Responding to the Inevitable Data Breach

Dec 06, 2005

The California Information Practice Act of 2003—also known as SB-1386—was the nation’s first law requiring notice to those impacted by a loss of personal information. Notice given under that statute in 2005 set off an avalanche of press regarding one data breach after another, and legislatures nationwide jumped on the breach disclosure bandwagon. So far, as many as 19 different states have passed such legislation. Congress is considering some nine different bills, some of which are sweeping in scope.

It has been said that SB-1386 “uses fear and shame” to make companies take information security more seriously. That may be the desired result, but the dozens of stories in the media over the past year suggest that data security has yet to improve markedly. One fact has been made clear: Data breaches come in many forms. The breaches reported in 2005 have resulted from hacking incidents, viruses, lost or stolen computer equipment, vendor mistakes, employee mistakes and fraud by data thieves. Apart from legislation, the sheer variety of data breaches should be enough to strike fear in anyone who has responsibility for managing and protecting data. But the list of entities reporting data breaches this year should also be convincing evidence that no amount of fear or shame will lead to a commercial atmosphere in which data breaches cease. The list includes two of the world’s largest financial institutions (Bank of America and CitiFinancial), three respected research institutions (Cal Berkeley, Boston College and Tufts), and two U.S. government agencies normally associated with the ability to keep a secret (the IRS and the Justice Department).

It is also fair to assume that the threat of public shame will not soon subside. ChoicePoint was not the first to report a breach in compliance with SB-1386, but it became a national media target because the story of its breach caused many Americans to realize for the first time that the collection of personal data is a business. The reaction by many was visceral. Given the simplicity of these “stories of shame” and the very predictable response from the public, they will continue to be newsworthy.

The takeaway is simple: No one is immune. There are companies whose core business is the collection of data. But many other businesses collect “personally identifiable information”—not because they want to, but because it is unavoidable. Airlines, for instance, request identification upon check-in. Often, the ID number is entered into the airline’s computer system for future security reference. Hotels often request and record similar information. Couple that information with a credit card number and, like it or not, these companies are in the data collection business.

Four Things to Do

“Experience makes it apparent that attempts to prevent data loss will ultimately fail,” wrote Drew Robb in the September 19, 2005 issue of Computerworld magazine. The issue is not whether a business will experience a data breach triggering statutory disclosure obligations and subjecting it to public shame. Rather, the issue is how that business will respond when the inevitable happens. A statutorily-mandated breach disclosure will, for most companies, create a near-term public relations crisis. Fortunately for those who were not among the first to disclose data breaches under SB-1386, the experiences of those who were have created a template for how to respond. There are several key points to remember.

First, companies can take preventative action. Many companies within the last few years have created a chief privacy officer or similar position, even when data collection is not their core business. All substantial businesses should consider creating such a position, or at least tapping an existing corporate officer with the duties of such a position and including this position in her title. The very act of creating the position evidences heightened concern for data security and privacy. It also serves two practical ends. It sends a clear message to customers, as well as potential data thieves, that the company’s eye is on the data-security ball. If it is the job of no one in particular to keep an eye on that ball, it is more likely to hit the ground at some point. Having someone in charge who focuses on privacy and data security will certainly help avoid some problems that might otherwise arise. Also, ordaining a chief privacy officer may help address post-breach claims that a company cavalierly ignored the importance of privacy and data security. As with many other issues that create potential liability, it is important to have policies in place and be able to point to tangible actions taken to help minimize harm. The very existence of a chief privacy officer who manages policies aimed at preventing a breach may provide good defenses to claims asserted in the aftermath of a breach, either by the media or by lawyers.

Second, corporate America should be aware that, even though a company experiencing data loss may be a crime victim, the public will not view it that way. The public views the individuals whose data was lost or stolen as the victims, even though they may not have experienced actual harm. Plaintiffs’ lawyers are claiming harm from “the anxiety of waiting wondering.” Although it remains to be seen what judges do, it is possible that the public (which makes up juries) might ignore established damages principles and accept that theory. Businesses should keep this in mind when considering a public response.

Third, senior management needs to be immediately available to the media and should tell the media what it knows as soon as possible. Management should also move to ensure that:

  1. personnel and systems aimed at preventing data breaches are in place;
  2. an investigation is undertaken regarding the cause of the breach;
  3. the situation that led to the breach is being or has been remedied; and,
  4. a top-down review of personnel and systems is underway in order to attempt to prevent future breaches.

Management should quickly communicate these assurances to the public, at the very least, and consider going even further. For instance, ChoicePoint over-notified by a wide margin, issuing nationwide notices (not just to Californians) and also offering assistance to consumers whose information may have been compromised. This sort of extra effort will go a long way toward muting the public outcry. Perhaps most important, without admitting any liability, the company should publicly apologize for any inconvenience the data breach might cause the persons whose data was lost or stolen.

Finally, when a business experiences a major data breach, it should be prepared to defend a variety of claims asserted in various class action lawsuits. The deeper the company’s pockets, the greater the likelihood of a lawsuit. It will likely take years to sort out the legalities of such claims. Until that happens, plaintiffs’ lawyers will continue to test a number of different theories. It appears that the plaintiffs’ bar already hopes this is the next asbestos or tobacco bonanza.

Disaster Preparedness

Companies that developed a “crisis preparedness plan” in the wake of 9/11 should consider including data breaches as part of that plan. Basic crisis preparedness planning includes aspects particularly important to data breach responses:

  1. identifying who will be in charge; and,
  2. identifying specifically which persons are responsible for communicating with various constituencies (i.e., employees, customers, government, media, etc.).

Such a plan might also anticipate other important issues. Who should be contacted in addition to those required by disclosure statutes? Are there friendly media contacts identified in advance? What regulators should be notified and how? This is not just a plan for PR spin. It should set forth precisely what the company intends to do in the event of a data breach. The spate of data breaches in 2005 has shown that companies that respond quickly fare far better.

Privacy concerns are at an all-time high. Government is imposing new and significant regulation. The way companies store and use personal data is now a matter of national policy debate. Depending on the business, a data breach can bring a company to its knees. At the very least, it can expose a company to significant potential liability. Senior management needs to recognize the risk and anticipate a response. Waiting until a breach occurs will leave a company flat-footed, and the public response will be costly.