Avoiding Management Struggles When it Comes to Data Breaches: Part 8

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 7

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 6

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 5

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 4

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 3

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 2

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Class Action Litigation Trends: A How-To Guide

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. …

Data Breach Notification Laws: A How-To Guide

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 48 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Is Your Company’s Crisis Communications Plan Prepared for Cybersecurity Incidents?

A well-written and consistently updated crisis communication plan ensures that a company has the infrastructure in place to respond to a range of natural or man-made crises. While many companies have a crisis communication plan in place, not all plans are equipped to handle cybersecurity-related incidents. Below are six key elements to ensure that your crisis communication plan is prepared to effectively handle cybersecurity incidents.

  1. The plan is comprehensible, short, and flexible.

One of the most common mistakes that a company can make when creating a crisis communication plan is attempting to cover every “what if” situation and making the document too complicated for an employee to comprehend. Especially during times of crisis, making a plan overly complex can paralyze the employee in charge and cause additional confusion. In certain circumstances, this lack of action or unnecessary delay can make a company susceptible to allegations of misconduct or negligence.

  2. One individual should be designated as the spokesperson.

One individual should be designated as the primary spokesperson to represent the company and answer media questions throughout the crisis. Allowing one individual to be designated as a spokesperson ensures the company is able to control its message and prevents the public and its employees from receiving information that may be untrue or potentially misleading. In addition, a company’s employees should be instructed to refrain from making any comments until directed by the company. In order to prevent rumors from spreading, the company may want to consider creating an FAQ of pre-approved questions and answers once detailed information about the breach has been gathered. This could be used on a public website, or to respond to media or consumer inquiries about the cybersecurity incident.

  3. A legal representative should be involved in the crisis communication process.

A company’s in-house counsel or outside counsel should be involved in the crisis communication process by discussing, reviewing, and approving all external messages. Obtaining feedback from counsel reduces the risk that confidential attorney-client information is inadvertently released, or that misleading statements are inadvertently made about the incident. Releasing confidential information and providing false or misleading statements may damage the company’s chances of prevailing in potential litigation, and injure the company’s reputation.

  4. The plan provides proper and clear guidance to the public.

Many crisis communication plans take an obligatory, proactive approach to notifying the public with a statement like the following: “The company is aware of the crisis and is responding rapidly and responsibly.” While this approach may be appropriate for an earthquake or an active shooter, it may not be the right approach for a cybersecurity incident. Unlike crisis situations where the details of an event are usually known and then released in a matter of hours, data security incidents are often extremely complex and accurate information about a breach may not be known for days or even weeks.

Furthermore, a company may not want to issue a public statement prior to understanding whether a breach actually occurred or the magnitude of the breach. A premature public statement about an incident that turns out to be false can have serious ramifications for the company’s data subjects. These data subjects may be subjected to unnecessary worry, cost, and inconvenience, or attempt to mitigate a harm that may never materialize or exist.

  5. The plan does not conflict with other corporate plans or policies.

A company’s communication plan for a cybersecurity event is typically used in conjunction with an incident response plan. The crisis communication plan must be reviewed and vetted against the company’s incident response plan and with consideration for other policies to ensure that there are no conflicts between policies. Any discrepancies or conflicts between these policies may create delay, confusion, or inaction, and could have serious legal and economic ramifications for both the company and the individuals impacted by the security incident. Discrepancies and conflicts between various plans may also make a company susceptible to allegations of misconduct.

  6. The plan is tested on a yearly basis.

An incident response plan should be tested on a yearly basis. During the annual test, it is important not to neglect the company’s crisis communication plan. Conducting a walkthrough or tabletop exercise allows the company to address any performance issues or policy gaps that surface during the exercise. Testing the plan also allows company counsel to train employees on how to handle a real crisis.

Reputation Management: A How-To Guide

The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability. Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …

Credit Monitoring Services: A How-To Guide

Organizations are not, generally, required to offer services to consumers whose information was involved in a breach.1 Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them. …

Selecting a Forensic Investigator: A How-To Guide

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident. …

Incident Response Plans: A How-To Guide

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan. …

Ransomware: A How-To Guide

Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although ransomware variants operate differently, many encrypt the contents of a victim’s hard drive using asymmetric (public-key) encryption: the files, or the per-file keys that protect them, are encrypted with the attacker’s public key, and the matching private key needed to decrypt them is held on the attacker’s server and released only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and regain access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013. …
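
The mechanism described above, as an added example that is not part of the original guide or of any ransomware family it names: each document is encrypted under a fresh symmetric key, and that key is then wrapped with the attacker’s RSA public key, which is the only key material present on the victim’s machine. The sample document, the key sizes and the function names (`lockFile`, `unlockFile`, `Demo`) are constructed for this illustration. The point for a practitioner is the last check: a private key other than the attacker’s cannot unwrap the file key, which is why recovery without payment depends on tested offline backups rather than on anything left on the encrypted host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what remains on the victim's disk after the malware runs:
// the file body under a fresh AES-256-GCM key, plus that key wrapped with the
// attacker's RSA public key. Neither field is useful without the private key.
type EncryptedFile struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP to the attacker's public key
	Nonce      []byte
	Ciphertext []byte
}

// lockFile models the encryption step. Only the attacker's *public* key is
// present on the victim host, so the host can encrypt but never decrypt.
func lockFile(attackerPub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // per-file AES-256 key
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Zero the file key: the only recoverable copy is now inside WrappedKey.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlockFile models the "decryptor" delivered after payment. It needs the RSA
// private key that never left the attacker's server.
func unlockFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo encrypts a constructed document, then shows that the attacker's key
// recovers it while an unrelated key (here, a second freshly generated RSA
// key standing in for any key the victim might possess) does not.
func Demo() (recovered bool, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Q3 payroll export (constructed sample document)")
	ef, err := lockFile(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := unlockFile(attacker, ef)
	recovered = err == nil && string(got) == string(doc)
	_, err = unlockFile(bystander, ef)
	wrongKeyFails = err != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	r, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker's private key recovers the file: %v\n", r)
	fmt.Printf("any other private key fails: %v\n", w)
}
```

Real families differ in details (per-victim rather than per-file keys, different ciphers, key delivery over a command-and-control channel), but the dependency is the same: the secret that undoes the encryption is generated and kept off the victim’s systems.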

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.1 Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …

Guidelines for Negotiating Payment Processing Agreements

Credit cards are the primary form of payment received by most retailers. In order to process a credit card a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach including the cost to investigate an incident, defend litigation, and defend a regulatory investigation. The following provides a snapshot of information concerning payment processing agreements. …

Class Action Litigation Trends

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. The following provides an overview of the risks associated with lawsuits following data security breaches. …

Guidelines for Retaining a Forensic Investigator

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident…

Data Breach Notification Laws: What to consider

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Data Breach Decision Points: Part 8

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 8 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, and Part 7. …

Data Breach Decision Points: Part 7

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 7 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6. …

Guidelines for Reputation Management

The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability.

Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …

Data Breach Decision Points: Part 6

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 6 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, and Part 5. …

Data Breach Decision Points: Part 5

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 5 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, and Part 4. …

Data Breach Decision Points: Part 4

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Data Breach Decision Points: Part 3

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

This is part 3 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Part 1 can be found here, and Part 2 can be found here. …

Data Breach Decision Points: Part 2

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

This is part 2 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Part 1 can be found here. …

Data Breach Decision Points: Part 1

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Healthcare Data Breach Enforcements and Fines At A Glance

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005. Furthermore, covered entities and business associates were required to comply with the HIPAA Breach Notification Rule beginning on September 23, 2009. …

Causes of Healthcare Data Breaches

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information provided to HHS gives companies a high level of insight concerning the types of breaches that occur in the healthcare industry.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2015 shows that unauthorized access or disclosure, such as misdirected mailings, break-ins of physical premises, and employees accessing PHI that is not necessary for their duties, is the most common form of data breach in the health sector – surpassing theft of hardware, which was the leading cause of health data breaches in 2014. …

Snapshot of Bryan Cave’s 2016 Data Breach Litigation Report

Bryan Cave LLP began its survey of data breach class action litigation four years ago. We are proud that our annual survey has become the leading authority on data breach class action litigation and is widely cited throughout the data security community. Click here to view an infographic containing select key findings from our report.

Click here to read the full text of the 2016 Data Breach Litigation Report.

How to Design or Review an Encryption Policy (2016)

Encryption refers to the process of converting data into a form that is unreadable unless the recipient has the pre-designated algorithm, “key,” and password needed to convert the information back into readable text. Most statutes, regulations, and agencies that require companies to utilize encryption to protect data do not mandate that a specific encryption standard be used. Some statutes do require, however, that companies use an encryption key that is at least 128 bits in length . . .

SEC CyberDisclosures At A Glance (2015)

The SEC has made clear that there are a number of disclosure requirements that might impose an obligation on an issuer to disclose cyber-risks and cyber-incidents and has discussed certain of those requirements, including disclosures required in risk factors, MD&A, business descriptions, legal proceedings, financial statements and disclosure controls and procedures. . . .

Wire Transfer Fraud At A Glance (2015)

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams.  Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction . . . Wire Transfer Fraud At A Glance

EMV Technology At A Glance (2015)

Over the past several years the credit card industry has been encouraging banks and retailers to migrate to EMV technology, which is sometimes referred to as “chip-and-pin” or “chip-and-signature.” EMV, which is named after the developers of the technology (Europay, MasterCard, Visa), is a technical standard that includes a microprocessor physically embedded in a plastic credit card. The processor stores credit card data which, when the card is inserted, is decrypted and read . . .

Credit Card Data Breaches At A Glance (2015)

For most retailers, credit cards are the primary form of payment that they receive. Accepting credit cards, however, carries significant data security risks and potential legal liabilities. In addition to the normal repercussions of a data security breach . . .

Credit Card Payment Processing Agreements At A Glance (2015)

Credit cards are the primary form of payment for most retailers. In order to process credit cards a retailer must enter into an agreement with a bank and a payment processor. Those agreements can be daunting and often have significant impacts on a retailer’s financial liability in the event of a data breach. Indeed, in many cases the contractual liabilities that flow from the credit card processing agreement surpass all other financial liabilities that arise from a breach, including litigation . . .

Data Breach Reputation Management At A Glance

The reputational injury following a data breach can be severe and often surpasses legal liabilities. Effective management of the reputational impact of a data security incident requires both a proactive and a reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed . . .

Healthcare Data Breach Enforcements and Fines At A Glance (2015)

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005 . . .

Healthcare Breach Litigation At A Glance (2015)

Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but also about class action lawsuits. The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood . . .

State Level Enforcement and Fines for Health Data Breaches At A Glance (2015)

Judging by the low number of actions brought under the statute, enforcing HIPAA’s data breach notification requirements does not appear to be a priority for most state Attorneys General (“AGs”). Connecticut, Vermont, Minnesota, and Indiana have each brought one action. Massachusetts is the only state that has brought more than one action . . .

The Causes of Healthcare Breaches At A Glance (2015)

The data collected by HHS concerning breaches shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing the more publicized hacking events. Almost 40% of breaches still relate to the theft of hardware . . .

Trends in Data Breach Litigation At A Glance (2015)

While General Counsel cite class action fears as one of their top concerns following a data breach, there is a great deal of misunderstanding concerning the nature of data security breach class action litigation . . .

Crowdsourcing Security With Bounty Programs At A Glance (2015)

There is a great deal of debate about the merits of listening to the security concerns of people outside of an organization. At one end of the spectrum, companies refuse to discuss any aspect of their security with the public. At the other end of the spectrum, companies proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat” hackers) to report problems. While these companies view “bounty” programs as . . .

Forensic Investigators At a Glance (2015)

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly — and before evidence is lost or inadvertently destroyed — and retain external resources to help collect and preserve electronic evidence and investigate the incident . . .

Incident Response Plans At a Glance (2015)

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any company that accepts payment cards is most likely contractually required to adopt an incident response plan . . .

Breach Notification Laws At A Glance (2015)

Although Congress has attempted to agree on federal data breach legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information (“PII”) . . .

Data Class Action Litigation At A Glance (2015)

According to FBI Director James Comey, “there are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.” It is no wonder that management is increasingly concerned about the risks that flow from a data breach, especially the risk that their company will face a class action lawsuit . . .

Credit Monitoring Services At a Glance (2015)

Companies are not required to offer services to consumers whose information was involved in a breach. Nonetheless, many organizations choose to offer credit reports, credit monitoring, identity restoration services, and/or identity theft insurance. If you do offer one of these services, a 2014 California statute prohibits you from charging the consumer for them . . .

Cyber Insurance At a Glance (2015)

Most businesses know they need insurance to cover risks to the business’s property, like fire or theft, or the risk of liability if someone is injured at the business. But a substantial portion of businesses don’t carry coverage for a rapidly expanding area of risk – data breaches. Despite numerous high-profile breaches in the past year, many businesses do not have a cyber insurance policy . . .