While the legal definition of a data breach varies from state to state, a data breach generally occurs when sensitive, private, or confidential data has been, or could have been, accessed or viewed without authorization. From unauthorized access to an e-mail account, to a company laptop left exposed, to a server being hacked or otherwise compromised, privacy incidents can arise in many ways.
Taking the right initial steps following a data privacy breach incident will enable a company not only to mitigate legal liability, but also to reduce reputational harm. The following are several initial actions for a company to take in the event of a breach.
The first step is to contact technical and compliance experts to understand the nature and extent of the breach. Technical experts could be members of your internal IT team or outside specialists with digital forensic capabilities. Compliance experts are the legal stakeholders who advise on the notification and disclosure steps that must follow the incident.
Secure the Situation
Once the compliance and technical leads are engaged, the next objective is to contain the incident and make certain the data loss does not worsen. When the origin of the leak and the affected data sources have been identified, the technical team should be directed to close every potential access point and attack vector. They should preserve logs, disk images, and other evidence before systems are wiped or rebuilt, because the forensic analysis and the disclosures described below depend on that evidence.
Fix Vulnerabilities and Analyze the Breach
After the technical leads have reestablished control of the impacted systems, they should be directed to begin repairing vulnerabilities and to determine whether any third-party service providers were implicated. Those external parties should be contacted along with the stakeholders mentioned below.
Once the outstanding vulnerabilities have been patched, sit down with the technical leads so they can explain the various aspects of the breach in preparation for the upcoming disclosures and public relations statements. Begin by asking questions such as:
- What type of data was compromised in the breach?
- How many parties were affected by the breach?
- What contact information is available for the affected parties?
- Was the data encrypted when the breach occurred, and if so, with what methods? Were the encryption keys also exposed? Encryption provides little protection if the keys were taken along with the data.
- What can be learned from the access logs, and who had access to the data at the time of the breach?
Plan Your Communications
One of the hardest but most essential steps is deciding how to convey the bad news. Consider how to inform all affected stakeholders, including management, employees, customers, and the general public. It is important to be transparent and forthcoming in these communications, because any misleading statement will be amplified by the scrutiny that follows a data security incident.
Assess the Legal Requirements
The next focus is to use the gathered information to determine what legal action must be taken. Every state has enacted a breach notification law, so it is imperative to seek legal counsel in determining what notification steps are necessary to reduce or avoid liability. Expect to notify affected customers, businesses, and employees. Indiana Code § 4-1-11-2 et seq. governs data breach notifications by any “person that owns computerized data that includes personal information.” An Indiana business must notify any party whose data was implicated if the business knows, or reasonably should know, that the breach could result in identity deception, identity theft, or fraud affecting an Indiana resident.
Depending on the state, the law may require notifying certain authorities if the number of individuals impacted exceeds a threshold or if certain personal information was compromised. Under Indiana law, personal information is defined as:
- A social security number that has not been encrypted or redacted; or
- An individual’s first name or first initial and last name together with one or more of the following data elements:
  - Driver’s license number,
  - State identification card number,
  - Credit card number, or
  - Financial account number or debit card number with its accompanying security code.
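The scoping questions in the previous section and the definition just quoted lend themselves to a worked check. The following is an added example, not code from this article or from its author's firm: it parses a constructed access log, isolates what an unauthorized principal touched inside the incident window, and tests each touched record against the quoted Indiana definition to produce the count of notifiable individuals and their contact details. The log format, the field names, the `svc_backup` account, the incident window, every record, and the treatment of encrypted elements other than the social security number are assumptions made for illustration; whether they track a given statute is a question for counsel.

```python
# Added example, not code from the article or its author. It scopes a breach from a
# constructed access log and tests each touched record against the Indiana definition
# of "personal information" quoted above. Log format, field names and accounts are assumed.
import re
from datetime import datetime, timezone

# Constructed log: "<ISO timestamp> <user> <action> <record id>".
ACCESS_LOG = """\
2023-02-28T01:00:00Z svc_backup READ cust-1002
2023-03-01T09:14:02Z alice READ cust-1001
2023-03-02T02:03:45Z svc_backup READ cust-1001
2023-03-02T02:03:46Z svc_backup READ cust-1003
2023-03-02T02:03:47Z svc_backup EXPORT cust-1004
2023-03-02T02:03:48Z svc_backup EXPORT cust-1002
2023-03-02T02:03:49Z svc_backup EXPORT cust-1005
malformed line that the parser skips
"""

# Constructed records; "encrypted_fields" names elements stored encrypted.
RECORDS = {
    "cust-1001": {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com",
                  "ssn": "123-45-6789"},
    "cust-1002": {"first_name": "J.", "last_name": "Smith", "email": "jsmith@example.com",
                  "drivers_license": "1234-56-7890"},
    "cust-1003": {"first_name": "Tom", "last_name": "Lee", "email": "tlee@example.com",
                  "debit_card": "4111111111111111"},  # no security code on file
    "cust-1004": {"first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.com",
                  "ssn": "987-65-4321", "encrypted_fields": {"ssn"}},
    "cust-1005": {"first_name": "Lee", "email": "lee@example.com",
                  "credit_card": "5555444433331111"},  # no last name: name test fails
}

# Assumed incident window: the off-hours burst from the compromised service account.
UNAUTHORIZED_ACTOR = "svc_backup"
INCIDENT_START = datetime(2023, 3, 2, 2, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2023, 3, 2, 3, 0, tzinfo=timezone.utc)

LOG_LINE = re.compile(r"^(\S+) (\S+) (READ|WRITE|EXPORT) (\S+)$")

def parse_log(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, user, action, rec = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            entries.append({"time": when, "user": user, "action": action, "record": rec})
    return entries

def records_accessed_by(entries, actor, start, end):
    """Record IDs the unauthorized principal touched inside the incident window."""
    return {e["record"] for e in entries if e["user"] == actor and start <= e["time"] <= end}

def exposed(rec, field, keys_compromised):
    """An element counts only if present, not redacted (e.g. "***-**-6789"), and not
    encrypted unless the key was taken too. Applying the encryption test to non-SSN
    elements is an assumption of this example; the quoted text mentions it for the SSN."""
    value = rec.get(field)
    if not value or "*" in str(value):
        return False
    return field not in rec.get("encrypted_fields", ()) or keys_compromised

def is_personal_information(rec, keys_compromised=False):
    """Apply the quoted Indiana definition; returns (qualifies, elements found)."""
    elements = []
    if exposed(rec, "ssn", keys_compromised):
        elements.append("ssn")
    if rec.get("first_name") and rec.get("last_name"):  # first name or initial + last name
        for f in ("drivers_license", "state_id", "credit_card"):
            if exposed(rec, f, keys_compromised):
                elements.append(f)
        for f in ("financial_account", "debit_card"):  # only together with the security code
            if exposed(rec, f, keys_compromised) and exposed(rec, "security_code", keys_compromised):
                elements.append(f + "+security_code")
    return bool(elements), elements

def scope_breach(log_text, records, actor, start, end, keys_compromised=False):
    """Answer the scoping questions: what was touched, who must be notified, how to reach them."""
    touched = records_accessed_by(parse_log(log_text), actor, start, end)
    notifiable = {}
    for rid in sorted(touched):
        rec = records.get(rid)
        if rec is None:
            continue  # logged ID we no longer hold: flag for manual review
        qualifies, elements = is_personal_information(rec, keys_compromised)
        if qualifies:
            notifiable[rid] = {"contact": rec.get("email"), "elements": elements}
    return {"records_accessed": sorted(touched), "notifiable": notifiable,
            "notifiable_count": len(notifiable)}

def run_example(keys_compromised=False):
    """Run the scoping over the constructed data above."""
    return scope_breach(ACCESS_LOG, RECORDS, UNAUTHORIZED_ACTOR,
                        INCIDENT_START, INCIDENT_END, keys_compromised)

if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Run with `keys_compromised=False` the example reports five records touched but only two notifiable individuals: the record with an encrypted SSN and the debit card number held without its security code do not meet the definition, and the record without a last name fails the name test. Passing `keys_compromised=True` adds the encrypted-SSN record, which is why the question about key exposure belongs on the list above.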
Some states specify the information that must be included in the notifications, the manner of notice, and the deadline by which notice must be given. Failing to follow applicable state law when facing a data breach incident can expose a business to a range of legal issues, claims, and hefty fines.
Navigating breach notification laws should be done in consultation with compliance experts and legal counsel. If you’ve experienced a breach or want to learn more, please contact attorney Matt Rust at mrust@KDDK.com or (812) 423-3183.
About the Author
Matthew R. Rust, an attorney at Kahn, Dees, Donovan & Kahn, LLP, in Evansville, Indiana, is an entrepreneur and technophile at heart. Matt’s deep interest in business, technology and law provides a unique approach to problem-solving that addresses legal issues with the client’s core business objectives in mind. While Matt effectively works with businesses of any size, he particularly enjoys working on projects with entrepreneurs and technologists.