The Security Breach Disclosure framework of the United States is unusually complex. At the State and territory level, 46 States, the District of Columbia, Puerto Rico and the Virgin Islands have enacted Security Breach Disclosure Laws that require businesses to disclose security breach incidents in which sensitive personal data may have been accessed by unauthorized third parties.
In addition, federal laws, such as the HITECH Act or financial institution regulations, create obligations on regulated companies to make similar disclosures when protected personal data have been exposed or compromised as a result of a security breach. Abroad, an increasing number of countries are adopting security breach disclosure laws or guidelines.
While these laws have many common elements, there are significant differences. Each of the applicable laws applies to a different set of data, and has different requirements.
A company’s task in the event of a breach of security is extraordinarily complex. The nature of the event, and its serious effect on individuals, require that the company handle the breach as smoothly as possible. In addition to complying fully, carefully, and cautiously with all applicable laws, and making the required filings with the applicable agencies, a business affected by a breach of security must ensure that it interacts appropriately with the affected individuals, in order to limit the financial exposure of both the individuals and the company itself.
We have experience in assisting businesses with their legal obligations in the event of a breach of security, and the preparation of incident response plans. Legal counseling with respect to security breach issues is performed at different levels:
- Preparation in anticipation of a security incident
- Responding to a breach of security
- Addressing contractual issues associated with breach of security
Incident Plan Preparation
When a company discovers a breach of security, it must react promptly in order to mitigate the effects of the incident. Numerous activities must occur, at a very fast pace. A combination of technical, legal, public relations, and other issues arise at the same time. The handling of all of these issues concurrently is extraordinarily complex.
The activities are so specific and diverse, and the issues to be addressed so numerous, that businesses are well advised to address the matter in advance. It is essential to have prepared, well in advance, a security breach incident response plan that sets out the steps and procedures to be followed in the event of a breach.
We have assisted companies in preparing Security Breach Incident Response Plans that are adapted to their needs and capabilities. This has included, for example:
- Explaining the legal obligations in the event of a breach of security;
- Defining the elements of the incident response plan;
- Providing guidance on the activities to be planned;
- Identifying the documents to be prepared, relationships to be established, procedures and processes to be developed;
- Organizing adequate training of the work force in preparation for an incident, so that the personnel understand what to do when a security breach is suspected or identified.
Security Breach Response
No company is immune from security incidents; these events are bound to occur. When a breach occurs, we assist the client in handling it, either by following the client’s incident response plan or, if no such plan exists, by handling the matter on a case-by-case basis, based on the specific nature of the data that were lost or exposed and the applicable legal requirements.
We have assisted businesses in:
- Evaluating the breach of security;
- Assessing whether the incident was within the scope of applicable security breach disclosure laws;
- Counseling on the applicable laws and explaining the related legal requirements;
- Responding to the incident as appropriate under the circumstances;
- Providing information on general industry practices in similar circumstances.
Vendor Contract and Due Diligence
Companies that disclose their employees’ or clients’ personal data to service providers have a legal obligation to ensure that these service providers will respond to a breach of security as required under applicable laws. To this end, the company must perform adequate due diligence on the policies and procedures used by the proposed service provider. It must also ensure that its contract with the service provider contains adequate provisions to address the eventuality of a breach of security.
As data security counsel to vendors and purchasers of services, we assist businesses on contract matters related to their security breach disclosure obligations. For example, we:
- Assist the client in performing the necessary data security legal due diligence to ensure that adequate processes and procedures are in place to address a breach of security affecting the vendor’s systems or operations;
- Structure and negotiate contract provisions that address security breach issues, such as to:
  - Define what constitutes a breach of security;
  - Require that the service provider promptly inform the client when a security breach has occurred;
  - Require that the service provider respond to the incident in accordance with an agreed-upon incident response plan;
  - Adequately indemnify the client for the expenses incurred to address the breach of security.