1 Bender on Privacy and Data Protection § 22.02 (2020)
The Incident Response Plan. If the enterprise has an incident response plan (as each enterprise should, as discussed below in the section on “Effect on Company Policies and Practices”), it should be followed. If not, one should be mapped out for use in the instant situation.
Who Owns the Data. Most of the obligations set out in the breach notification statutes are on the person that “owns or licenses” the personal information. The very first thing counsel should do upon learning of the breach is to determine the owner or owners of the personal information in question. Where that is not the client, generally the client’s sole obligation under the statutes is to notify the owner, and the statutes usually require immediate notification here. But beyond that statutory obligation, the client may have obligations under contract with the owner. The contract(s) should immediately be scrutinized. Much of the remaining discussion pertains to situations where the client owns (or licenses) the data.
Fact Acquisition. The initial stage of responding to a breach is directed to the acquisition of facts. In some situations it will be rather clear what has happened (e.g., a laptop was lost at an airport), although even there it may not be easy to identify the data that was on it and whether it was encrypted. But in other situations, especially those involving hacking, it may require a prodigious amount of forensics to determine (if indeed it can be determined) precisely what happened. When the company itself lacks the expertise to determine exactly what has transpired, what data has been exposed, and the extent of that exposure, it must avail itself of outside expertise. Indeed, even when the company has the expertise, it may be preferable to call in an outside expert to enhance the perception of independence, and to protect the company against the all-too-human inclination of its personnel to minimize any fault on their part. Moreover, even if these personnel are quite unbiased, in the event of regulatory or legal proceedings, it would likely serve the company better to avail itself of independent forensics analysis. It is a definite benefit if counsel (whether inside or outside) has a short list of individuals with proven expertise in such matters, who can be called upon at a moment’s notice. And it is important that counsel have this list before the breach occurs, so that no time will be lost acquiring this knowledge.
Calm Them Down. Another important aspect of counsel’s role, as soon as informed of the breach, is to react rationally and to induce others to do the same. The realization of a breach, combined with an awareness (often very vague and inaccurate) that the statutes require a highly time-sensitive reaction, not infrequently leads corporate personnel to act irrationally. While this is not as frequent today as when the statutes were newer, it nevertheless is still an important factor. Accordingly, without detracting from the potential gravity of the matter, counsel should seek to calm down any overly anxious personnel. It may be beneficial to inform them that, while expeditiousness is required, there is a certain amount of time in which the company is entitled, if not required, to gather the facts so as to take rational action under the statutes. And if counsel believes it will not unduly diminish the sense of urgency, counsel may inform them (as is the case) that the average time between discovery of a breach and notification to individuals is several weeks. Once this is accomplished, working with corporate personnel, counsel must immediately commence the fact acquisition process. Wherever possible, facts should be gleaned from persons with first-hand knowledge. The precise details may be quite important, so counsel should initially seek as raw a set of facts as can practicably be acquired. Many of these factual items may have to be interpreted by other corporate personnel so as to render them comprehensible to counsel. Nevertheless, it is helpful to know at which points in the process judgment, as opposed to reporting, was used.
Outside Experts. At this point counsel, with the assistance of corporate personnel, should recommend whether to call upon the services of a vendor and, if so, whom. Counsel should come armed with its short list, but corporate personnel may have their own ideas. The object is to end up with a vendor that is experienced in similar matters (this is important), competent to the task, independent, whose team leader (or the single individual, if no team is used) is articulate enough to testify if necessary, and that won’t break the bank. Great emphasis should be placed on track record. Large vendors with recognizable names may be more likely to offer an articulate team leader, but may tend to engage a larger team (some members of which will be less necessary than others) than would a small vendor. In many instances, a single person with the requisite expertise and experience, and a sufficient block of available time, can do an excellent job.
Keep Management in the Loop. Breach notification is an important and sensitive task that can have long-lasting significance to the company’s brands, to customer churn, and to its image, not to mention the effect that compliance costs have directly on the bottom line. Management will likely be heavily involved, but on the chance they are not, counsel should make sure to notify them accurately, directly, and often, and to seek their input. Management should make some of the decisions that will have to be made in breach response.
One query should be posed to management early: if there is an obligation to notify any individual, does it wish to notify every affected individual? If so, a good deal of legal research may be avoided as, while it will be necessary to scrutinize one or two of the “hair-trigger” states to see if notification is required, no further research on individual notification will be necessary. If the limited research indicates that individuals in hair-trigger states must be notified, then all affected individuals will be notified. Alternatively, if the hair-trigger research indicates no notification is necessary, then the company may choose to notify no individual in any state. But research will nevertheless be necessary to determine obligations in those states that require notification to government agencies (usually the Attorney General), and those states that require notification to consumer reporting agencies.
A related management decision is to whom should notification be given if, after considering the facts (as best they can be determined within a reasonable time frame), counsel advises that there is an obligation to notify individuals in certain states but not others.1
Moreover, there is some latitude in the manner, and considerable latitude in the content, of notification. Consumer research suggests the manner and content most effective (and least effective) in preventing customer loss and damage to brand and reputation. But there is generally a greater expense associated with taking the most prophylactic route. This is another area for management decision.
Footnotes — § 22.02:
1 Not infrequently, this is the advice.