This past week I was honored to be the keynote speaker at the 2017 ACC Alberta Annual Conference in Calgary. First, let me say that Calgary is a wonderful city and a great place to visit (and the people are awesome too). Second, a big “thank you” to ACC Alberta for inviting me and hosting a tremendous event. One of the topics I spoke on was what to do when you are faced with a data breach. It was a very interactive session with lots of great questions and feedback from the lawyers in the audience. In particular, we spent some time discussing the recent Equifax data breach and the very negative fallout that company is experiencing – mostly because it seems Equifax was very unprepared to deal with a breach. This is very surprising given the nature and the amount of sensitive data in its possession. We also talked a lot about things in-house counsel should be doing before there is a breach. Some of those things were in my presentation, others were brought forward by members of the audience. And as I stood on stage listening to the discussion I knew I had my next blog forming right before my eyes. As important as it is to know what to do if you have a breach, there are a number of things that all in-house lawyers should focus on before there is a breach and by doing so, you can substantially limit the potential damage caused by a breach. So, with big thanks to my friends from Canada, this edition of “Ten Things” will discuss ten things to do to get your house in order before you are faced with a data breach:
1. “Who you gonna call?” The number one thing in-house counsel should be doing right now, before there is a problem, is identifying the outside lawyers they will call within the first five minutes of notice of a data incident. Notice I did not say “data breach.” That’s because you need to be absolutely sure that whatever happened rises to the level of a data breach before labeling it as such. A data breach (which involves the loss of personal data) drives a myriad of obligations, whereas a data incident does not. Unless you are an experienced privacy lawyer (or have one on your team), trying to handle a true data breach situation (or even just figuring out whether you have a breach or not) may not be the wisest thing to undertake without the guidance of experienced outside counsel. Likewise, outside counsel can help you assert the attorney-client privilege around the investigation and help you with the review and drafting of documents related to the data breach – all with an eye toward minimizing self-inflicted wounds caused by “bad documents.” Finally, outside counsel probably has a list of other experts (IT forensic, crisis communications, etc.) that they can bring to bear to help you and your company with your situation – assuming you do not have your own already picked out. It’s worth the time and effort to go ahead and establish a relationship with outside counsel now and know who you will call if faced with a data breach or incident.
2. Have a data breach response plan. If you are in-house counsel to a company that does not have a written data breach response plan, make getting one in place in 2018 a top priority. In my experience, only about 50% of the companies that handle personal data have a written data breach response plan. This number should be 100%. You do not want to face a data breach without having a plan that outlines, among other things: 1) who are the members of the response team – internal and external; 2) key contact information for everyone; 3) the communications plan – external, internal, and to the C-Suite/Board of Directors (along with key contact information); 4) important regulators to contact and keep advised; 5) who will lead the investigation; 6) the cadence of communications; 7) a social media plan; and 8) document templates. Not only do you need to have a plan, you need to update it yearly (at a minimum) and – more importantly – you need to practice it every year as well. And after running a “tabletop” exercise, use what you learn to update and enhance your plan. The same is true if you experience a real data breach, i.e., what worked, what didn’t work, what needs to be changed, fixed, etc. Additionally, create your own personal “mini-plan” checklist of what to do if you get the call (or email) that there has been a possible breach. While a full-blown data breach response plan is a necessity, having a short checklist you can pull out to get yourself oriented and pointed in the right direction in those first 15 minutes can make a huge difference (and allow you to be the calm in the eye of the data breach hurricane).
3. Take communications training. This one may not be obvious to you, but how your company communicates during a data breach is probably among the most critical decisions that will be made. Do it poorly (e.g., Equifax, Target) and your company’s reputation and brand can be tarnished for years. Companies with bad reputations lose customers, see their stock price fall, and have a tougher time with regulators. Get it right, and you can help put a data breach behind you in a dramatically shorter time frame. In-house (and outside) counsel will be key players in drafting and reviewing communications and in developing a communications strategy. Accordingly, it’s very important that you not bring the stereotypical lawyer mentality to the table – saying “nothing” or “very little” will not work. Not in this day and age. And trying to force your spokesperson to communicate through a mouthful of legalese is a recipe for disaster as well. The best way to solve this problem is for in-house counsel to participate in the same media training that most companies offer to their senior executives. While the lawyers and the communications people may not always agree on what exactly to say (or not say), in-house counsel who have gone through media training will at least be speaking the same language as the communications professionals and can marry that training with their legal skills, business acumen, and – hopefully – good old-fashioned common sense. All of these are skills that make in-house lawyers so valuable to companies, especially in times of crisis. As part of your training, you should review case studies of companies that communicated well (or poorly) during a crisis and take those lessons to heart.
4. Put the right contractual protections into place. It was strangely inept of Equifax to try to sneak a class action waiver into the sign-up terms and conditions of the free credit monitoring services it was offering post-breach. After a breach is not the time to try to change the terms of your contracts, especially by trying to “trick” someone into agreeing to them. Instead, in-house counsel should be looking at all of the company’s contracts now to ensure that they contain the best possible protection against liability. For example, do your website terms and conditions contain the right limitations of liability, arbitration clause, class-action waivers, choice of law, exclusive venue and jurisdiction provisions? If not, put those into place before there is a problem. Similarly, is your public-facing privacy notice up-to-date and does it accurately describe how your company handles personal information? An out-of-date and inaccurate privacy notice can cause your company almost as many problems as the data breach itself. Be sure to review and update yours on a yearly basis. Do you have the right contractual protections – including force majeure – in your vendor contracts, provisions that will allow you to properly recover against them if they are at fault in a data breach incident? And have you fully vetted your vendors to see if they can live up to the promises they make? On the flip side, do you have clauses in your contracts that minimize your exposure and appropriately shift the risks of a data breach? All of these are things you must do now because once there is a breach you cannot wish your way into a new contract.
5. Get cyber-risk insurance. If your company handles personal data, it should invest in cyber-risk insurance. While it is possible that some of your existing insurance policies may cover a data breach (e.g., Errors and Omissions, Business Interruption), the far safer bet is to not roll the dice, because even if those policies do apply, their application is probably limited and nowhere near the scope of coverage you need to protect against a true data breach. Also, keep in mind that there is not a one-size-fits-all cyber-risk insurance policy. You need to be very careful that you truly understand what your policy covers. The best cyber-risk policies cover customer notification services (think notice obligations under various data breach laws), ransomware demands, forensic investigation costs, business interruption costs, your first-party expenses, your third-party obligations, litigation costs, credit monitoring, regulatory costs, and so on. Keep asking questions until you are sure your policy covers the scenarios and damages you want to be covered. There is little worse than having to explain after the fact that your policy doesn’t really cover all of the cyber-risk issues management thought it covered.
6. Encrypt/Segment the data. If personal data is encrypted and is stolen, for the most part, you become immune to most, if not all, of the obligations, burdens, and liabilities normally associated with a data breach. In fact, many data protection laws explicitly carve out personal data that is encrypted from any of the notice and other obligations. It is worth having a long discussion with your IT friends about the process of encrypting any personal data your company stores – both in transit and at rest. It is also a good idea (and in some cases the law) to encrypt the hard drives of company laptops, including requiring a password to even get past the first screen of the computer. If the hard drive is encrypted and is stolen, the data on that hard drive is basically worthless. But, encryption isn’t cheap and – as with everything – a cost-benefit analysis is probably required. That said, over time, the cost of encryption technology should come down and be more affordable. If you cannot encrypt, consider segmenting personal data, i.e., put some personal information in one system, and other personal information in another so it is not all vulnerable from a single breach.
7. Train your employees. The most inexpensive way to help prevent a data breach is by properly training your workforce. This includes training on creating proper passwords (along with having technology that requires those passwords to meet certain criteria and be changed frequently); how to spot social engineering attempts (e.g., “phishing”); what to do with suspicious emails (i.e., don’t click on the links, and report it to the IT office immediately); and how to be alert for industrial espionage (unauthorized visitors, picking up strange USB flash drives and plugging them into your computer to see what’s on them, etc.). Additionally, train your employees on keeping their antivirus software up-to-date and on how they may or may not use the data that sits on the company’s servers. For some reason, many people on the business side think any data in the possession of the company is theirs to do with what they want. Training also includes ensuring that your IT department is aware of viruses and security patches and promptly and properly implements those patches. It appears that Equifax’s problems stem, in part, from failing to completely install a security patch to protect against a well-known Internet malware threat (though it’s not always so simple to just “patch it”). Finally, training can include teaching your workforce how to properly report an incident and how to draft such a report in a way that sets out just the facts, and not a lot of unnecessary (and usually inaccurate) commentary that you, as in-house counsel, will have to deal with as part of the breach. Teaching employees how to “write smart” is always a good investment of time by the legal department. The good news is that most of this training is fairly inexpensive in the overall scheme of things and can be very effective in preventing problems down the road.
8. Meet your regulators. Just about any company that handles personal data has a regulator to answer to in the event of a breach. Often, more than one. It’s always a good idea to try to get to know your regulators before there is a problem, even if it’s just a short meeting to introduce yourself and your company’s business to the regulator. The caveat here is to be sure you have your house in order generally before setting up such a meeting. For example, you don’t want a meeting with a privacy regulator when you don’t have a properly drafted privacy notice on your website. That could make for some awkward discussion at the meeting. Here in the U.S., the FBI or Secret Service will often get involved in the event of a data breach. Establishing a relationship with the local office can pay off if there is trouble down the road. Knowing who exactly to call and having them know who you are can be a big advantage when faced with a data breach. With respect to the FBI, consider joining the local branch of InfraGard, which is a public-private partnership where the FBI works with local businesses to keep them abreast of cyber threats and gathers information and intelligence from the members about potential threats or issues. Finally, while it may not always be possible, notifying your regulators about a data breach/incident before you notify the press is a smart idea. As you can imagine, they don’t like to be surprised or learn about breaches via the news.
9. Limit the data you collect (and access to the data). If your company limits the amount of personal data it collects, disposes of unneeded data promptly, and limits access to personal data to those with a “need to know” to do their jobs, it is taking major strides in mitigating the damage from a potential breach. Simply put, the less data you have collected and stored, the less data the bad guys can access in the event of a breach. Similarly, the odds of a breach go up when more employees have access to data, because an employee “failure” of some type is a frequent cause of a data breach, e.g., losing a laptop packed with personal data. Make sure that all employees have access only to the data they need to do their jobs. Part and parcel of this effort is ensuring that you have up-to-date and well distributed/understood internal policies about access to, handling of, and use of personal data. Without clear guidance, employees in various business units may feel that it is open season on any and all data they find in the company’s systems. It’s very important that everyone understand that – in addition to any data privacy laws – the company must respect its own data privacy notice to customers about how data will be used, along with any contractual commitments regarding the ownership and use of data. It’s a rare occurrence that personal data residing on the company’s servers is fair game for anyone to use as they see fit. Make sure everyone in the company knows the rules of the road around the use and handling of this data. Additionally, in the event of a breach, rest assured the regulators will be asking to see all of your internal policies. Just another reason to have these buttoned up.
10. Stay up to date. It’s important that all in-house lawyers have a basic understanding of data privacy laws and data security issues. You don’t have to become a “privacy” lawyer or get an IAPP certification, but you should know the basics. Without such a foundation, it’s difficult to be effective either in pre-breach planning or in dealing with the aftermath of a breach. In addition to the various links above, here are a few things to read that will get you up to speed on the issues:
- Data Privacy – The Essentials
- Data Security Breaches – Incident Preparedness and Response
- NIST: Cyber Security Framework v1.1 (Draft)
- Cyberbreach Response Checklist
- GDPR – What You Need to Know
While I know everyone is a little tired of hearing about data breach preparation, the recent data events involving Equifax, Sonic, Deloitte, SEC, and others only go to underscore that the problem is not going away. The value destruction a company faces when hit with a data breach (treasure and reputation) can be devastating – not to mention that employees and executives often lose their jobs in the aftermath. The legal department demonstrates its highest value when it proactively takes steps to avoid or minimize value destruction events. There are no guarantees, but proactively taking measures – like those listed above – can help minimize the damage if your company suffers a data breach.
September 29, 2017
Ten Things You Need to Know as In-House Counsel: Practical Advice and Successful Strategies is now available for sale. Described by the American Bar Association as “The one book all in-house counsel need to own!” Click here for details on how to order. Perfect for your library, or as a gift to clients or members of the legal department (or your next legal offsite).
If you find this blog useful, please click “follow” in the top right and you will get all new editions emailed to you directly. “Ten Things” is not legal advice nor legal opinion and represents my views only. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. If you have questions or comments, please contact me at firstname.lastname@example.org.
My first book, “The Evolution of Professional Football,” is available for sale on Amazon and at www.SterlingMillerBooks.com.