Many companies in the United States are adopting policies to more quickly notify customers if there's been a data breach. Some legal advisers suggest a more prudent approach. A recent study of 2010 data by The Ponemon Institute found:
Companies that were victimized by data security breaches in the past were largely able to avoid liability. But that may be changing as a host of laws has been introduced in Congress to establish comprehensive federal data security laws. At the same time that efforts are ongoing to establish federal regulations, 46 states have adopted their own data breach requirements. Together, the actions are creating a hodgepodge of compliance issues and increasing the legal exposure of companies ensnared in a data breach.
"Notification requirements all vary from state to state and federally," says Peter Guffin, a Pierce Atwood attorney who presented on the topic last month at the CyberCrime 2011 Symposium in Portsmouth, N.H. Guffin's presentation was one of several workshops offered at the annual event organized by South Portland-based Sage Data Security to share strategies and approaches to detecting, deterring and defeating cybercrime. "The legal landscape is definitely changing," he says.
In Maine, the most well-known data breach case involved Hannaford Bros. Co, when in 2008 a hacker stole up to 4.2 million credit and debit card numbers leading to approximately 1,800 fraudulent charges on those accounts. Last month the U.S. Court of Appeals for the First Circuit overturned a lower court's dismissal of a suit against Hannaford, ruling consumers could recover money they spent on fees to replace their compromised accounts, and money spent on obtaining identity theft insurance and credit monitoring services as reasonable mitigation costs.
"The court's basic legal theory has been 'no harm, no foul'," says Portland-based Perkins-Thompson attorney Dave McConnell, who writes a security blog on his firm's website, perkinsthompson.com. "Recent court decisions suggest a change in the tide."
In addition to the Hannaford ruling, he cites a decision by the Ninth Circuit Court of Appeals last year in a case against Gap Inc. where mitigation costs were recognized as a basis for compensation. And in April of this year, a federal district court in California declined to dismiss a consumer's case against Rockyou Inc., a social games developer, ruling the consumer had a "property right" in his personal information and that unauthorized exposure of that information "caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the [personal information]," says McConnell. Following the court's ruling, Rockyou Inc. paid the consumer and his attorney $292,000.
Legal practitioners expect there will be similar cases in the future, as more regulations come on the books and more challenges to them are sought in court.
"The [legal] contours are going to be better defined as we get more decisions," says McConnell. "Right now, it's in its infancy in the legal sense."
Adding to the complexity of compliance is the lack of standardized laws among states, and sometimes even within a single state. For example, Guffin cites a Connecticut case where in May 2009 insurer Health Net discovered it lost a hard drive containing personal health information of about 500,000 residents. The following January the state sued, charging Health Net failed to notify people of the breach in a timely way, and violated the Health Insurance Portability and Protection Act and the state's unfair trade practices act. In July, the organization agreed to pay a $250,000 penalty. Four months later, the state's insurance department settled a separate action arising from the same data breach and settled for $350,000 in penalties. Two months later, the state of Vermont filed an action against two Health Net affiliates on behalf of 525 Vermont residents whose data had been compromised in the same incident and assessed a penalty of $55,000.
Not only are there multiple organizations claiming regulatory authority over data breach notifications, there are competing — and sometimes unrealistic — timelines for compliance. Guffin cites a case in Massachusetts, a state with aggressive consumer disclosure laws and requires consumer notification of a breach within five days of discovery. The Briar Group, a Massachusetts-based restaurant chain, in 2009 failed to protect customer credit and debit card information in its computer system, and the company's employees also did not attempt to correct their mistake quickly enough. The delay, which the company disputes, played into the $110,000 settlement Briar Group struck with the Massachusetts Attorney General, the first test of the state's enhanced data protection laws enacted in March 2010. The settlement also required Briar Group to implement more stringent payment and data security measures.
"The Briar Group didn't get involved with the investigation team to find out what happened," says Guffin, who heads the Portland law firm's privacy and data security practice group. "[That] got the attention of the Massachusetts Attorney General."
The timing of a company's notification of a breach to consumers is essential, says Guffin. He cites a study released this year by The Ponemon Institute that assesses the cost of data breach incidents of U.S. companies. The study estimates that a data security breach in the United States now costs an organization approximately $214 per compromised record or $7.2 million on average per incident, with notification expenses accounting for about 7% of the total cost. The study also shows that companies that respond within a month of discovering the breach pay more per record to resolve the breach than their lollygagging counterparts. The study's authors suggest some companies lose cost efficiencies during the investigation and notification phase of a breach, and their haste could reflect pressure to comply with commercial regulations and state and federal data protection laws.
Guffin encourages businesses to properly investigate a data breach before making notifications.
"Given the stakes — disruption of business operations, damage to brand reputation and customer relationships, and possibility of government investigations and class action lawsuits — it is critical that an organization perform a proper investigation and know what it is talking about before it notifies affected individuals," he says. "Premature notification is not a good strategy and often may cause more harm than good. In the event of a data breach, it's essential to know what laws apply and what each law requires."
McConnell concurs, calling the regulatory environment around notifications "a minefield." In addition to state and federal laws that might be in conflict with each other, there are industry-specific standards, especially in financial services and health care. He says after a company locks down its system following a breach, it needs to slow down and consider remedial measures.
"Companies do need to take a breath and figure out the regulatory landscape and how it applies to their situation," he says
To lessen the chances of dealing with a data breach, both men recommend companies invest in systems to protect data and adopt comprehensive security policies.