Anatomy of a Data Breach - Association of Corporate Counsel

Uploaded by: 飞*** Document ID: 51373699 Upload date: 2018-08-13 Format: PPT Pages: 51 Size: 7.73MB

We Earn Our Reputation From The Companies We Keep.

Anatomy of a Data Breach
March 12, 2014
Lucie Huger Officer, Greensfelder, Hemker conducting business on personal devices; and outsourcing certain business functions to third parties, data breaches are becoming more prevalent.

Possible Outcomes Affecting Business Operations Resulting From A Breach
- Loss of customers
- Damage to business reputation
- Compliance obligations
- Government investigations (federal and state)
- Civil litigation

Common Causes of Data Breaches
- Negligence
- Malicious or criminal attacks (hacking or theft of electronic devices)
- Corporate espionage/malfeasance

Anatomy of a Data Breach

1. Notify those within your organization of the incident who need to know:
- Not every incident constitutes a breach that would lawfully require notification.
- Internal communications could be discoverable, so be careful what you say and how you say it.
- Note the date and time of the discovery of the incident.

2. Assemble a response team, both internal and external:
The team should consist of:
- Key company stakeholders
- Legal counsel: since civil litigation is possible, an attorney knowledgeable in breach issues can help to keep the process of working through a breach protected by privilege
- Forensic IT firm
- Communications expert

3. Investigate the incident:
- What type of data is involved, what are the circumstances involved, how many persons are affected.
- Carefully plan/strategize the investigation before you begin.
- Keep language of the investigation easy to understand.
- Interviews may be appropriate.
- Document the steps and findings.
- Involve law enforcement, as appropriate.
- Involve insurers, as appropriate.

4. Determine whether the incident constitutes a reportable breach:
Look to applicable laws and determine whether there is an exception.

Federal:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)

State or States:
- Currently, there are 46 states that have enacted data breach laws.
- Some of these laws apply to businesses operating in the state, while others apply to affected residents of the state (multiple state laws may come into play in a single breach).
- It will be necessary to determine which state(s) law(s) apply.
- Some states have different definitions for what data constitutes “personal information.”
- Some state laws require notification of residents based upon “unauthorized access.”
- Certain states require a risk of harm analysis to determine whether notification is required.
- Certain state laws protect electronic records, not paper records.
- Many states require notice to the State Attorney General.
- States generally require notice within a defined timeframe, but these timeframes can vary.

5. Contain the breach and mitigate harm, to the extent possible.
- Is it possible to retrieve the lost/stolen device?
- Is it possible to “wipe” the data from the lost/stolen device?
- Is it possible to arrange for the return of the data erroneously disclosed?
- Is it possible to enter into a non-disclosure agreement/attestation for return of data?

6. Notify
- Affected persons
  - It takes time to find up-to-date addresses
- Law enforcement
- State Attorneys General
- Government
  - Department of Health and Human Services
- Media
  - As required under federal or state law

7. Respond to inquiries.
- Do you need to establish a toll free number for inquiries?
- Do you need to establish a call center?
- Have you established a triage team to address unique customer concerns?
- Have you established a system for addressing press inquiries?

8. Improve processes to avoid future data breaches.
- Have you considered a third party audit to review your company's policies/compliance efforts as well as its technical infrastructure?

Which Data Breaches are being Litigated?
- Probability of a lawsuit is positively correlated with the number of records lost.
- Probability of a lawsuit is positively correlated with the presence of actual harm (financial loss, emotional distress) and negatively correlated with credit monitoring being offered.
- Lawsuits are more likely to occur from breaches caused by improper disclos
