It’s 6 p.m. on a Friday and you get a call from your IT department. They have detected that an intruder has gained access to your company’s network. At this point, the headlines from the major data breaches of recent years may be flashing before you. You may be assuming the worst: regulatory investigations … class actions … congressional testimony. Keep calm and gather the essential facts. As illustrated by the BakerHostetler Data Security Incident Response Report 2015 (the Report), many data security incidents are just that – incidents. If managed properly, many data security incidents can be resolved with minimal impact on your company.
As a starting point, you should not assume that you are going to have notification obligations just because you have experienced a data security incident. The Report distills data from more than 200 data security incidents where BakerHostetler assisted clients in 2014. Notification to affected individuals was provided in only 75 of these incidents. Notification obligations are not triggered by every data security incident, but only by incidents involving the unauthorized access to and/or acquisition of specific types of personal information that are identified as protected under applicable state and federal laws. Many data breach notification laws also permit a company not to give notice when it determines after reasonable investigation that the incident does not present a risk of harm to the affected individuals. Through careful forensic investigation, it is often possible to conclude that an incident triggered no notification obligations.
When notice is given, credit monitoring can be a significant expense. You should not assume that merely because you have notification obligations you must incur the potential expense of offering credit monitoring to all affected individuals. Offering credit monitoring is not currently required under any data breach notification law – although a Connecticut law mandating credit monitoring does go into effect this fall. While credit monitoring may help the company mitigate potential liability in an incident that creates a risk of identity theft and can be part of the company’s effort to restore its relationship with customers or patients, credit monitoring may not always be the right solution. For example, when an incident involves the compromise of only online usernames and passwords, credit monitoring does not address the problem; instead, the online credentials need to be changed quickly. Before incurring the expense of credit monitoring, it is important to determine whether offering credit monitoring is the right solution to the problems arising from the incident. Of the incidents we handled in 2014 that involved notification to affected individuals, credit monitoring was not offered in one-third.
Many assume litigation regularly occurs after an incident is disclosed. But the Report reveals that in more than 200 data security incidents in 2014, only five led to class action suits against the companies brought on behalf of potentially affected individuals. It is a mistake to generalize about what circumstances will lead to class action lawsuits. Although companies should be prepared for the risk of a class action in any incident involving the compromise of over 500,000 individuals’ records, we have seen incidents involving millions of compromised individual records where no class actions were filed, and we have seen class actions filed in incidents where fewer than 10,000 individual records were implicated. Sustained adverse publicity can be a factor in attracting the interest of class action plaintiff lawyers. The nature of the information compromised also matters. Class action plaintiff lawyers may be more inclined to invest resources in pursuing a claim when they believe that they can tie an incident to actual instances of identity theft.