Guest Op-ed: What I’ve Learned from 5,000 Data Breaches

When clients ask me to describe the biggest risks surrounding a data breach I sometimes say: “(1) reputation, (2) reputation, and (3) litigation, regulatory, and contractual.” Our guest columnist this week talks about her own opinion of the role of reputation and the impact that customer service plays on that. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony

What I’ve Learned from 5,000 Data Breaches

By Jamie May, AllClear ID

  1. How has the breach response landscape changed over the last year?

Over the last year, the biggest shift we’ve seen in the industry relates to the activities that occur well before a data breach. We’ve all seen the devastating consequences a botched response can have on brand reputation, customer retention and the bottom line. Today, more and more businesses are engaging with partners like Bryan Cave early on, and taking proactive steps to be ready to address their customers quickly and with care when a data breach does occur.


  2. After a breach, losing customer trust is a big concern for brands. What can companies do before and after a breach to ensure customer trust remains intact?

Companies should place excellent customer service as their guiding principle during response planning and execution. Taking the time to plan for an incident with the customer in mind will go a long way in preserving customer trust when a breach occurs. All communications to customers need to be clear and helpful to minimize confusion and anger.  It is much easier to have clear communications when you think through the flow and complexities in advance of a real incident. Keep in mind, your customers’ first interaction with your brand after a breach may be with the identity protection services and support center, so getting that experience right is crucial to success. To make this easier, look for a partner who can help provide:

  • Identity protection services that are user-friendly and available to every affected customer
  • Guaranteed access to quality, scalable call center services
  • Call center agents who are trained in soft skills as well as identity theft protection best practices


  3. What is the single most important thing companies can do to ensure a breach response goes smoothly?

In my experience, companies across all industries that focus on their customers before, during and after a data breach fare far better than those that do not, both in terms of overall response and the speed at which they are able to return to normal business operations.  To do this well, securing the resources you need before an incident occurs is absolutely critical. Even the best planning is rendered useless if your customers experience hour-long hold times when they call in to the call center for help.  To avoid this negative customer experience, companies should partner with response providers who offer them a contractual guarantee that the resources they need will be available when they need them – this is the most critical component of true breach readiness.

  4. What trends are you currently seeing in the breach response space?

We’re working with more and more companies who are taking proactive steps to be ready to respond well before an incident event occurs. We help these companies build out the operational details of their customer-facing response plan. Part of this process involves testing that plan through a breach simulation. We create a mock breach scenario and use the response plan to actually walk through how the company would respond.  This exercise exposes any gaps in the response plan and allows the response team to practice in a controlled environment.

Another trend we’re seeing is that businesses want a guarantee that we will be available to help them respond to their customers should they ever need us. To address this need, we created our Reserved Response program, which allows companies to reserve guaranteed response manpower. They invest upfront, and we guarantee we will be available when they need us.  This takes a lot of the uncertainty out of breach response.

Jamie May is Vice President of Operations at AllClear ID. Since joining the company in 2007, she has managed the implementation and execution of over 5,000 data breaches, including 3 of the 4 largest and most complex breach responses in history. She advises Fortune 1000 companies, government agencies, and healthcare organizations on all aspects of breach readiness and response and is a sought-after industry expert.

How to Develop a HIPAA Incident Response Team

Covered entities and business associates are required to identify and report breaches of unsecured protected health information (“PHI”) and security incidents. “Breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Laws which compromises the security or privacy of the PHI, and is not one of the breach exclusions.[1] Breach applies to both paper and electronic PHI. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI (“EPHI”) or interference with the entity’s system operations in its information system.[2] The Federal Office for Civil Rights (“OCR”) has recommended that covered entities and business associates have incident response teams capable of identifying and handling breaches and security incidents.[3] Incident response plans and policies should be developed, reviewed annually, and approved by management…

Ransomware May Be a Reportable HIPAA Breach

In 2016, more than 4,000 ransomware or other malware attacks have been occurring daily, a 300% increase over 2015. Six hospitals have reportedly been victims of ransomware in 2016. Ransomware is a type of malicious software used by cyber actors to deny access to an entity’s systems and/or data. Ransomware may spread to shared storage drives and other systems. The systems and data are held hostage until a ransom is paid…

Analysis of Health Care Data Breach Litigation Trends

Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but about class action lawsuits.  The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood.

In many, if not most, class action lawsuits that involve the loss of PHI, plaintiffs have been unable to prove that they have standing to seek recovery. Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let the plaintiff proceed based solely on the allegation that he or she is subject to an increased risk of harm as a result of the breach…


Exploring the Causes of Healthcare Data Breaches

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).[1] The information provided to HHS gives organizations a high level of insight into the types of breaches that occur in the healthcare industry.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2014 shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing more publicized hacking events….


Tennessee Breach-Notification Law Indicative of Data-Security Regulators’ Lack of Creativity

Guest Commentary in the Washington Legal Foundation Legal Pulse

David Zetoony authored a blog post June 6 for the Washington Legal Foundation Legal Pulse on the Tennessee breach notification law, which he says is indicative of data security regulators’ lack of creativity. The Tennessee legislature amended its data breach notification statute so that beginning July 1, a “breach of security” will no longer have the qualifier that the data must be “unencrypted.” Despite this change being characterized by the media as making the Tennessee statute “among the nation’s toughest,” Zetoony argues that the change will have very little, if any, impact on businesses. Click here to read the blog post.


How to Evaluate a Credit Monitoring Service (2016)

Organizations are not, generally, required to offer services to consumers whose information was involved in a breach.[1] Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them…

How to Avoid Being the Weakest Link in Your Company’s Cybersecurity Efforts

Everyone has been in a movie theatre when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking, “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

“Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”

“My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”

“Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”

“My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to double check, I’m sure his email is legitimate.”

If you were in the movie theatre you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit the keystroke that opens the file. Now we see it watching as the person sits down at the computer, logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background; we know that something is going to happen, and then, as fast as lightning, the blob springs to life, initiating wire transfers for tens of millions of dollars.

This is exactly what occurred in February of 2016 in Bangladesh. Criminals were able to place the blob, in the form of malware, onto the computers of the central bank of Bangladesh. Reports indicate that the malware included a keylogger, which was used to capture passwords and other login credentials to the system created by the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) that banks use to initiate funds transfers. In the end, $81 million was wired out of the bank’s accounts at the NY Federal Reserve, apparently to a casino in the Philippines where it was converted into untraceable gambling chips.

It is not clear yet exactly how the criminals inserted the malware into the central bank’s computers, but the situation underscores what we have been telling clients about cybersecurity. You are only as strong as your weakest link, and the weakest link is usually someone who clicks on an attachment or picks up the thumb drive found on the floor. It is human nature to be curious, and it takes constant training and reminders to keep personnel aware of the appropriate response. Financial institutions are constantly hiring new employees, and each of them brings their own personal history of computer hygiene with them. Each of them must be taught immediately about the importance of not opening suspicious emails or attachments. Spam and malware filters hopefully block most of the incoming criminally engineered emails, but the criminals are resourceful and continue to innovate.

As we have noted previously, federal banking regulators have higher expectations concerning preparedness for cyberattacks. The Cybersecurity Assessment Tool released in 2015 by the FFIEC provides specific criteria against which an institution’s cybersecurity preparedness can be judged when it undergoes regulatory examinations.

At Bryan Cave, our Data Privacy and Security Team can assist you by conducting a data risk assessment, including reviewing your cyberattack insurance coverage. That analysis, coupled with our Banking Group’s ability to navigate the bank regulatory gauntlet will better prepare you for upcoming IT and cyberattack exams.

No matter how good a company’s security is, data security events are unavoidable. When a security breach does occur, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach. That’s why an attorney from our Data Privacy and Security Team is on-call for clients whenever and wherever a breach occurs: 24 hours a day, 7 days a week. For more information, visit our Bryan Cave Data Breach Hotline web page.

Bryan Cave Data Breach Hotline
+1 202 508 6136 (international)
+1 844 8BREACH (844-827-3224 toll free — US only)

FCC Proposes Bothersome Breach Definition in Privacy NPRM

On April 1, 2016 the Federal Communications Commission (“FCC”) released its Notice of Proposed Rulemaking (“NPRM”) concerning privacy regulation of internet broadband service providers (“ISPs”). The NPRM proposes, among other things, an expansive and vexing definition of “breach.” If not modified, the definition would require notices to customers, the FCC and the FBI of even trivial internal employee access to customer information…

How Employers Can Help Prevent W-2’s From Being Breached and Their Employees From Becoming Victims of ID Theft

The Internal Revenue Service issued an alert about an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

The IRS has learned this scheme – part of the surge in phishing emails seen this year – already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives…

Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises

Debit and credit cards are now the primary form of retail payment. One source estimates that 60 percent of all retail transactions involve a payment card – far surpassing cash or checks as the preferred method of payment. Most retailers do not realize, however, that by accepting credit cards, they expose themselves to the risk of a data security breach and significant potential costs and legal liabilities. David Zetoony and Courtney Stout’s whitepaper, Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises, explains the key risks that a retailer faces following a data security breach of its payment card systems as well as the potential for addressing some of those risks through the purchase of cyber-insurance.

The whitepaper is divided into two parts, with the first part assessing the risk to a retailer from a credit card data breach and the second addressing insurance coverage gaps…

How to Draft an Effective Incident Response Plan (2016)

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan….