Citing estimates that in 2017 “more than 5.3 million North Carolinians were … affected by a data breach,” Attorney General Josh Stein and Rep. Jason Saine announced on January 8 proposed legislation aimed at protecting state residents from becoming victims of identity theft. To do so, the “Act to Strengthen Identity Theft Protections” (see fact sheet on proposed law) would, among other things, build on the state’s existing data breach notification law and require businesses to adopt reasonable safeguards to protect the personal information of North Carolinians.

Specifically, the Act would:

  • Expand the definition of “breach.” The revised definition of “breach” would include situations involving the unauthorized access to or acquisition of an individual’s personal information. This change is intended in significant part to cover “ransomware” attacks and, notably, to remove from the breached organization the discretion to determine the risk of harm. A similar approach is taken in guidance by the federal Office for Civil Rights concerning ransomware and data breach response.
  • Shorten the notification period. Under the state’s current breach notification law, notice generally must be made without unreasonable delay, taking into account the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information and the scope of the breach and to restore the reasonable integrity, security and confidentiality of the data system. The Act would require that the breached entity notify the affected consumer(s) and the Attorney General’s office within 15 days, which would make North Carolina’s notification deadline one of the shortest of any state. The purpose of this change is to give consumers more time to freeze their credit and take other preventative measures before identity theft occurs.
  • Impose “reasonable safeguard” requirements for a broader set of personal information. Businesses that own or license personal information would be required to implement and maintain reasonable security procedures and practices to protect the personal information from a security breach. This requirement follows other states such as California, Connecticut, Florida, and Massachusetts. Additionally, the Act would expand the definition of “protected information” to include medical information and insurance account numbers.
  • Require free credit monitoring. The Act would require five years of free credit monitoring to be provided to affected consumers for security breaches that occur at a consumer reporting agency. Thus, this requirement would not apply to all businesses subject to the law, just consumer reporting agencies that have a breach.
  • Strengthen penalty provisions. The Act would make clear that businesses that suffer a breach and are found to have failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act. In that case, when calculating penalties, each person affected by the breach would represent a separate and distinct violation of the law. If adopted, this provision should spur more organizations to take steps to maintain reasonable safeguards.

Individuals and commercial entities that conduct business in North Carolina and that own or license data in any form that includes personal information about North Carolinians should follow the progress of the Act, as well as developments in other relevant states concerning data protection requirements (See, e.g., update to Maryland’s breach notification law, effective January 1, 2018). However, even if the Act fails to become law, adopting and maintaining reasonable safeguards can help protect against a data breach which might be reportable in virtually all states, including North Carolina.

With the continuing parade of high profile data security breaches, the concern U.S. organizations have about the security of their systems and data has been steadily growing. And rightly so. Almost every organization processes (collects, uses, stores, or transmits) individually identifiable data. Much of this data is personal data, including employee data, which brings heightened privacy and security responsibilities and obligations.

For certain entities, these responsibilities and obligations are about to increase significantly. On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This is a game changer for those organizations subject to the jurisdiction of the GDPR, and not just because of its new data breach notification provision. The GDPR contains expanded provisions for data collection, retention, and access rights unlike those they are used to in the U.S. that will create substantial challenges for U.S. employers processing their EU employee data.

To effectively meet these challenges, U.S. employers need to take stock of the data they process concerning individuals relating to EU operations (and not just about employees, although that is our focus here). What categories of EU employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts. And it may be processed in the cloud, the U.S., or elsewhere outside the EU.

Starting with the source of EU employee data, the U.S. employer should review its connections with the EU. Does it have an EU branch or office, a subsidiary or affiliate? An EU franchise, agent, or representative? Has it recently merged with or acquired an organization with EU locations or connections? Any one of these connections is a potential source of EU employee or comparable internal personal data, regardless of how small.

Next, how does the U.S. employer process its EU employee or internal personal data? This data can be processed in traditional contexts – HRIS, benefits, payroll, Active Directory or contact information, and recruitment or talent management. It can be processed in other contexts – Customer Relationship Management, software applications, IT maintenance and security review activity, surveillance images, remote log-in, business-related travel and event attendance support, professional development, training and certification, and external-facing websites (for example, those hosting annual reports or collecting job applications). Even if the U.S. employer outsources payroll, benefits administration, or HR, it may still process EU employee or internal personal data in other contexts.

For a specific example of employee data processing, consider the internal-facing website or employee service that facilitates business travel or conference registration. This service collects the EU employee’s personal data in the form of name, address, phone number, work title and work address. However, it may also collect the EU employee’s special hotel and dining accommodation needs. This additional information may reveal health, disability, or religious beliefs information about the EU employee, all of which are subject to heightened protections. In another example, the organization’s training portal may use video presentations featuring internal trainers. These videos contain employee personal data – the trainer’s photo and, perhaps, work contact information. Locating and identifying all forms of EU employee data processing is critical. However, knowing what actually constitutes EU employee personal data is key.

Identifying employee personal data in the context of the GDPR is challenging. The GDPR definition, especially when applied to an EU employee, can be expansive, and for U.S. employers it is often surprising. EU employee personal data includes “any information relating to an identified or identifiable” EU employee. Identifiable simply means the employee can be “identified directly or indirectly… by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This may include name, address, driver’s license number, date of birth, passport number, vehicle registration plate number, phone number, photos, email address, ID card, workplace or school, and financial account numbers. With respect to employees, it may also encompass gender, personnel reports (including objective and subjective statements), recruitment data, job title and position, work address and phone number, salary information, health and sickness records, monitoring and appraisals, criminal records, rent, retirement or severance data, and online identifiers such as dynamic IP addresses, metadata, social media accounts and posts, cookie identifiers, radio frequency tags, location data, mobile device IDs, web traffic surveillance that identifies the machine and its user, and CCTV images. ‘Special categories’ of employee data – racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data – require heightened levels of protection under the GDPR. Given the broad interpretation of personal data under the GDPR, a determination of what constitutes employee personal information is often based on the relevant facts and circumstances.

May 2018 is approaching quickly. The GDPR may bring new and enhanced obligations for U.S. employers. Significant among these is employee consent to processing personal data. With this in mind, employers should begin evaluating their organizations through the lens of employee data collection and processing, keeping in mind applicable national laws.

A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities. This demonstrates the need for security measures by both HIPAA Covered Entities and Business Associates.

The way the health records were accessed is notable. The biggest cause of the breaches was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). This data about breaches reported in September shows the importance of taking proactive steps to ensure data security. With unauthorized access and disclosure continuing to be a leading cause of data breaches, organizations should consider focusing on potential sources of such unauthorized access and disclosure as they conduct the risk assessments required by HIPAA.

The report also notes that email was involved in many of the breaches reported to HHS in September, finding that there were 13 email-related breaches, including a healthcare employee who emailed PHI to a relative to receive assistance with a work-related action. While that case apparently involved intentional misconduct by a healthcare employee, it raises questions that are instructive for organizations across all industries dealing with sensitive data:

  • Does the organization have clear policies regarding appropriate access to and disclosure of protected information?
  • Does the organization provide training for new employees on information security?
  • Does the organization provide refresher training for employees on information security?
  • Does the organization’s email policy address information security?
  • Has the organization reviewed its email system as part of its risk assessment?
  • Does the organization coordinate enforcement of its information security policies with its corrective action policies?

Another important lesson from these September data breach reports is that hacking continues to be a very real risk. Six of the top ten breaches in September were the result of hacking/IT incidents, resulting in the exposure of 363,364 records – 76.81% of the records exposed in all reported breaches in September. The continuing risk from cyberattacks highlights the need for ongoing security audits, employee training, and tabletop exercises.

The United States Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his former assistant’s password to access his former employer’s computer system after his access credentials were expressly revoked. (For Nosal case history see our past blog posts here and here.)

The CFAA has generated much debate among the courts regarding the scope of its application. Some forms of “unauthorized access” are obvious – e.g. a hacker breaking into a protected computer system resulting in data theft is clearly a CFAA violation and is the type of event the CFAA was originally designed to protect against. However, other circumstances, particularly in the employment context, can blur the lines of what is considered “unauthorized access” under the CFAA.

For example, in International Airport Centers, LLC v. Citrin, the Seventh Circuit held that where an employee accesses an employer’s computer or information to further interests adverse to the employer, the employee has violated his or her duty of loyalty and in turn “exceeds authorized access” under the CFAA. The First, Fifth and Eleventh Circuits have taken a similarly expansive view that an employee violates the CFAA when he or she accesses the computer system in violation of the employer’s data use policies. In U.S. v. John, the Fifth Circuit held that an employee violated the CFAA when she retrieved confidential customer account information she was authorized to access and transferred it to her half-brother for the purpose of committing a fraud. Under this expansive view, more ordinary forms of password sharing could potentially be prosecutable under the CFAA – for instance, an employee’s use of the password of a colleague who is out sick to access a presentation or print a document.

Conversely, other courts have taken a more narrow approach to CFAA application. The Fourth Circuit held in WEC Carolina Energy Solutions LLC v. Miller that an employee who allegedly downloaded proprietary information from an employer’s computer system for the benefit of his subsequent employer did not violate the CFAA. The Fourth Circuit emphasized that the CFAA is a criminal statute that should be construed narrowly and is meant to target hackers as opposed to “workers who access computers or information in bad faith, or disregard a use policy.”

In light of the conflicting jurisdictional interpretations of the CFAA, companies should review their policies and procedures to ensure access rights and limitations to their information and information systems are clearly defined and effectively communicated to their employees. Further, when faced with apparent unauthorized access to computer systems – especially if password sharing is involved – companies should conduct an analysis to determine if a potential CFAA violation has occurred.

On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.

“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Eric Schneiderman.

Key aspects of the proposed SHIELD Act include:

  • Covering any business that holds sensitive data of New York residents. Interestingly, the proposed legislation would amend the existing breach notification requirement to remove language currently limiting application of the notification rule to persons or businesses that conduct business in New York.
  • Requiring all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data.
  • Businesses that are already regulated by and comply with certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are considered “compliant regulated entities” under the SHIELD Act. These entities and others that are annually certified by an authorized and independent third party to be compliant with certain data security standards, such as the most up-to-date version of the ISO/NIST standards, are called “certified compliant entities.” These entities are deemed to be compliant with the proposed law’s reasonable safeguard requirements, and a safe harbor from state enforcement actions would apply to “certified compliant entities.”
  • A more flexible standard would exist for small businesses (fewer than 50 employees and under $3 million in gross revenue; or less than $5 million in assets).
  • Data breach notification obligations would become broader by (i) adding “access to” (in addition to the current trigger “acquisition”) as a trigger for notification, and (ii) expanding the data elements that, if breached, would require notification to include username-password combinations, biometric data, and HIPAA-covered health data.
  • Deeming inadequate security to be a violation of General Business Law § 349 and permitting the Attorney General to bring suit and seek civil penalties under General Business Law § 351.

AG Schneiderman’s proposed bill comes on the heels of several massive data breaches and ransomware attacks (e.g., WannaCry). The proposed SHIELD Act has the support of two major sponsors in the State Legislature: Senator David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemblyman Brian Kavanaugh (D-Manhattan), who led their respective chambers’ consumer protection committees.

Although the SHIELD Act is a significant step forward for the Empire State, it does not come as a surprise. Attorney General Schneiderman has been vocal and proactive in the pursuit of heightened data security. Following a recent massive credit reporting agency breach, Schneiderman sent formal inquiries to the two other major credit reporting agencies, asking them to detail their security measures, the steps they have taken since learning of the breach, and how they will further assist consumers in protecting their personal information.

In addition, AG Schneiderman has issued several enforcement actions in 2017 against companies that have failed to effectively protect consumer information. In January, Schneiderman announced a settlement with Acer Service Corporation, a computer manufacturer in Taiwan, after a data breach of its website exposed 35,000 credit card numbers. An investigation by the AG’s office revealed that sensitive customer information had not been protected for almost a full year. Acer agreed to pay $115,000 in penalties and improve its data security practices. In April, Schneiderman announced that TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. TRUSTe agreed to pay $100,000 and “adopt new measures to strengthen its privacy assessment.” In June, Schneiderman issued his first enforcement action against a wireless security company, Safetech Products LLC, for failing to implement adequate security in its Internet of Things (IoT) devices. It was found that Safetech did not force users to reset default passwords and did not encrypt passwords sent over the network. As part of the settlement agreement, Safetech agreed to implement a written comprehensive security program.

AG Schneiderman did not begin enforcing New York’s data security laws and regulations in 2017; the issue has been a growing area of concern in his office for some time. In January of 2015, on the heels of former President Obama’s announcement of a cybersecurity legislative proposal, AG Schneiderman indicated his own plans to propose legislation to heighten New York’s data security laws.

The SHIELD Act, if enacted, would have far-reaching effects, as any business that holds sensitive data of a New York resident would be required to comply. Moreover, given the nation’s heightened awareness of cybersecurity in the wake of the recent massive data breaches, other states may also consider similar legislation.

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office for Civil Rights has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation for those looking for information on breaches and greater ease of use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases.

The HBRT was originally launched in 2009, as required by the HITECH Act, providing information regarding HIPAA breaches involving 500 or more individuals. HHS announced that the HBRT’s new features include:

  • Enhanced functionality and search capabilities allowing users to learn more about breaches currently under investigation and reported within the last 24 months;
  • New archive that includes all older breaches and information about how breaches were resolved;
  • Improved navigation to additional breach information; and
  • Tips for consumers.

The HBRT provides information such as: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer). Additional enhancements are expected in the future.

HIPAA covered entities and business associates may find the HBRT helpful for identifying areas in which to focus their information security efforts. In recent months, there have been several high profile data breaches involving the unauthorized disclosure of the protected health information of several hundred thousand individuals. In this environment of increasing security threats and regulator scrutiny, it would be prudent for entities in possession of individually identifiable health information of patients to take active steps to review and, where appropriate, enhance their security measures. The HBRT could be a helpful tool for assisting in those efforts.

The effects of hurricanes like Harvey and the approaching Irma should be a reminder to all businesses of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is how to protect its employees and physical property. However, we shouldn’t forget that a natural disaster can also destroy a business’s information and technology assets critical to its success and continuity. Key steps to prepare for and respond to a natural disaster can help minimize the blow. There are many aspects to comprehensive disaster recovery planning.

Below are some recommended best practices for an effective disaster recovery plan:

  1. Build the Right Team. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments; they also affect the sales force, human resources, legal, finance, and management. Leadership from these and other business segments needs to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step – assessing the risks. The IT department, whether internal or through a third-party vendor, must be well versed in disaster response.
  2. Conduct a Risk Assessment. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role in the success of the business, their associated costs, and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the business’s operations would be affected by the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.
  3. Employee Safety. Information and technology assets are critically important, but not at the expense of human life. Employees should be provided with guidelines on how to ensure their safety, and be reminded that their safety comes first.
  4. Develop a Plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. The disaster recovery plan should be in writing and include the following:
    • Keep backups off site, in a safe location. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or the cloud will be essential to business continuity. The same is true for voice and electronic communications systems. Having critical business data replicated and stored off-site is a good “insurance policy” for any organization.
    • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others.
    • Data Encryption. Encryption of sensitive and/or critical business data will prevent unauthorized users from gaining access and limit exposure.
    • Don’t neglect laptops/mobile devices. Recovery plans tend to focus on the data center; however, approximately two-thirds of corporate data exists outside the data center. Moreover, laptops and mobile devices are far less resilient than, for example, data center servers.
    • Employee Training. No one likes fire drills, but they serve a valuable purpose. Make your employees aware of the risks and steps they must take in case of a disaster.
    • Test for recovery. Perform random recovery tests periodically. Audit the test, and confirm that all your data is recovered.
  5. Update the Plan. As your business changes, grows, and adds locations and new people, the disaster recovery plan may also need to change to address those changes. A regular review of the plan is critical.

So, as you clean up from Harvey and/or prepare for Irma, assess whether your disaster recovery plan meets your needs. If not, make appropriate changes. If you think your business could have benefited from such a plan, there is no time like the present to develop one.

Delaware joins the growing number of states that have recently amended their data breach notification laws. On August 17th, Delaware amended its data breach notification law with House Bill 180, the first significant change since 2005, effective 240 days after enactment (on or about April 14, 2018).

Delaware maintains the state law trend of requiring businesses to implement reasonable security measures, expanding the definition of personal information, increasing notification requirements, requiring a risk-of-harm trigger, and requiring mitigation.

Key aspects of Delaware’s amended data breach notification law include:

  • Maintain Reasonable Procedures and Practices to Protect Personal Information – Any “person” subject to the amended law is now required to implement and maintain reasonable security procedures and practices. The definition of “person” has now been expanded to include any business form, governmental entity, “or any other legal entity”.
  • Expanding the Definition of “Personal Information” – The definition of “Personal Information” was expanded to include: passport number; a username or email address, in combination with a password or security question and answer that would permit access to an online account; medical history, mental or physical condition, medical treatment or diagnosis by a health care professional, or deoxyribonucleic acid profile; health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person; unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and an individual taxpayer identification number.
  • Data Breach Notification/Risk of Harm Trigger – Businesses affected by a data breach are now required to give notice to affected state residents “as soon as possible” following the conclusion of an investigation that “misuse of information about a Delaware resident has occurred or is likely to occur”. In addition, the new amendment requires notification within 60 days unless the investigation “reasonably determines that breach of security is unlikely to result in harm to the individuals whose personal information has been breached” or law enforcement has requested a delay in notification.
  • Attorney General Notice – If the number of affected Delaware residents to be notified exceeds 500, notice must also be provided to the Attorney General.
  • Credit Monitoring – If the breach of security includes a social security number, the business is now required to offer to each resident, whose personal information was breached or is reasonably believed to have been breached, reasonable identity theft prevention services and identity theft mitigation services at no cost to such resident for a period of 1 year. Both California and Connecticut have similar provisions.

While not all states currently require reasonable safeguards or credit monitoring, there appears to be a growing trend (which we expect will continue) to include these requirements when breach notification laws are amended. As such, it is imperative for organizations facing a breach to ensure they are applying the most current law.

Not to be outdone by the recent attention to biometric information in Illinois, and the Prairie State’s Biometric Information Privacy Act (BIPA), Washington enacted a biometric data protection statute of its own, HB 1493, which became effective July 23, 2017.

What is notable about Washington’s new biometric information law?

  • It prohibits “persons” from “enrolling” “biometric identifiers” in a database for a “commercial purpose” without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of the biometric identifiers for a commercial purpose. Lots of definitions, more on that below.
  • The exact type of notice and consent should depend on the context, and notice must be given through a procedure reasonably designed to be readily available to affected individuals. Note that the law does not require notice and consent if the person collects, captures, or enrolls a biometric identifier and stores it in a biometric system, or otherwise, in furtherance of a security purpose.
  • In general, a person that has obtained a biometric identifier from an individual and enrolled that identifier may not sell, lease or otherwise disclose the identifier absent consent. There are, of course, some exceptions, such as the disclosure being necessary to provide a product requested by the individual. In addition, a person generally may not use or disclose a biometric identifier for a purpose that is materially inconsistent with the terms under which the identifier was originally provided.
  • Persons that possess biometric identifiers of individuals that have been enrolled for a commercial purpose must (i) have reasonable safeguards to protect against unauthorized access to or acquisition of the identifiers, and (ii) not retain the identifiers for longer than is necessary to carry out certain functions, such as providing the product for which the identifier was acquired.
  • There is no private right of action under the new Washington law. It is to be enforced by the state’s Attorney General. Remember that Illinois’ BIPA does permit persons to sue for violations of that law.

To understand how the law applies, one needs to review the defined terms. For example, the term “biometric identifiers” means:

data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric identifier” does not include a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal health insurance portability and accountability act of 1996.

The law also defines “commercial purpose” to mean:

a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier.

And the term “enroll” means:

to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.

The use of biometrics and biometric identifiers in commercial transactions and for other purposes is growing, and so is the number of state laws intending to protect that kind of data. Businesses that use or disclose biometrics in carrying out their business should carefully consider whether this new state law applies and, if so, what they need to do to comply.

Data breach “horror” stories have become a new staple in today’s business environment. The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases — in the health care space alone (which holds the dubious honor of Most Likely To Be Attacked), an FBI and HHS Office for Civil Rights report notes that ransomware attacks occur at the rate of 4,000 per day, a four-fold increase from 2015. Experienced data breach forecasters predict that cyber-attacks will continue to increase in frequency. Although data security and breach response are constantly in the headlines, studies demonstrate that organizations remain unprepared to effectively respond to a data breach.

For entities that are covered under HIPAA (or their business associates), or other state or federal cybersecurity regulations (such as the NYS DFS regulations we previously discussed in our articles, Getting Prepared for the New York Department of Financial Services’ Proposed Cybersecurity Regulations, and New York Releases Revised Proposed Cybersecurity Regulations) breach response preparedness is required. This would include periodic assessment and development of an effective incident response plan. Breach response readiness is not only required for many organizations, it is just sound business practice in today’s environment.

Is your organization ready? It may have an incident response plan, drafted a couple of years ago, adorning a forlorn shelf (blow the dust off carefully), but perhaps the plan has not been updated or tested, or staff has not been trained (and re-trained) — or legal counsel may not have provided input on the plan.

Legal counsel’s value goes beyond providing input on legal definitions, notification processes, and third-party contract provisions in the incident response plan. Another important benefit to including legal counsel in the planning process (as well as data breach response) is to ensure that the incident response plan is drafted to appropriately address legal counsel’s role, thereby protecting attorney-client/work product privileges. These protections are not absolute – in fact, there is significant case law discussing how and when they apply. Therefore, legal counsel should be involved in plan development, and the plan should clearly provide that investigations are initiated and overseen by legal counsel as part of the breach response (and litigation risk assessment) process.

A May 18, 2017 decision of the United States District Court in the Central District of California underscores the benefits of legal counsel in breach response preparation and planning. In this decision, rendered in the context of the Experian breach litigation, the plaintiffs sought access to a forensic consultant’s report. The forensic consultant had been retained by Experian’s legal counsel immediately after the breach was discovered by Experian, and the report was used by legal counsel to develop a legal strategy for Experian’s response to the breach. The plaintiffs claimed the report should be disclosed because it was also used for the purpose of meeting Experian’s legal duty to investigate the data breach.

Although the forensic consultant had previously worked for Experian (performing a very similar analysis), the court noted that the forensic consulting firm was retained by legal counsel, and that legal counsel directed the form and content of the report (so that only portions could be disseminated to Experian’s incident response team, ensuring privilege was not waived), and held that this demonstrated that the report was work product and should not be disclosed to the other side.

The decision discusses another important point – whether the plaintiffs were entitled to disclosure of the report because they would not be able to re-create the investigation of the servers as it was performed on “live” operating networks, and therefore would suffer a substantial hardship. In this case, however, the report was prepared using server images, rather than the live systems. Consequently, the court held that there was no substantial hardship calling for the report to be disclosed.

At Jackson Lewis, our 24/7 Data Incident Response Team is prepared to assist with your planning and ready to assist if (when?) a breach occurs. Our data breach hotline is: 844-544-5296.