Breach Response: The Legal View
Fast Action Can Save Reputation and Ensure Compliance
Complying with a multitude of regional and international laws when consumers' personal information is compromised is critical. And depending on the size and reach of the organization breached, that could mean complying with dozens of mandates and regulations in various parts of the country and world.
Lisa Sotto, a partner at Hunton & Williams who focuses on privacy and information security, says the role of attorneys has changed significantly in recent years. After a data breach, attorneys handle many facets of the response process. "A lawyer who's well-versed in managing data breaches knows that she or he needs to manage really much more than the straight legal compliance issues," Sotto says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
Attorneys' duties post-breach typically include: forensics investigations; managing public relations; managing media issues generally; hiring and training call-center agents; retaining a mail house; retaining a credit monitoring and identity protection service; and dealing with the inevitable fallout of a data breach internally.
"And of course, the lawyers also need to set things up to try to mitigate the risk of litigation that typically follows a security incident," Sotto says.
The success or failure of a company is based on the value of its data. And that means roles for attorneys in this emerging field will continue to evolve. "There just couldn't be a more exciting time to practice in this area," Sotto says. "It's still a nascent field, and there's so much more for us to learn and so many new laws being enacted globally in this space that it's a wide-open field."
During this interview, Sotto discusses:
- Why attorneys must play key roles in forensic investigations and subsequent public-relations efforts;
- How attorneys can break into the field of information security, and why they should; and
- Why attorneys are increasingly being looked upon as the gatekeepers of data privacy, requiring them to manage an organization's data-security strategy from "the cradle to the grave."
Sotto is the managing partner of Hunton & Williams' New York office, and her practice focuses on privacy, data security and information management issues. She was rated the No. 1 privacy expert in 2007 and 2008 by Computerworld magazine. She also earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners. In addition, Hunton & Williams' privacy and information practice received a No. 1 U.S. national ranking from Chambers in privacy and data security.
Breach Legal Issues
TRACY KITTEN: In the event of a data security breach, what legal issues should organizations be concerned about?
LISA SOTTO: There are 46 state breach notification laws in the U.S., plus laws in Puerto Rico, the U.S. Virgin Islands and D.C. These laws require that an entity that maintains computerized personal information that's compromised notify those people whose information was affected by the incident. There's also a federal law that requires similar notification where health information is involved. And layered on top of that morass, there are similar requirements in other countries like Germany, so a company that has experienced a data breach needs to take all of these laws into consideration in deciding how to manage the event.
KITTEN: What role does the organization's attorney play when it comes to data breach notification?
SOTTO: The attorneys need to consider the legal environment, so they need to think about what laws apply, which jurisdictions need to be considered and what requirements are applicable in light of the facts of the incident. In addition, lawyers have the benefit of being able to cloak certain information in the attorney-client privilege, so it's often important for the lawyers to retain any experts that might need to be brought in to help assess the scope of a breach.
KITTEN: How do attorneys typically respond to such breaches? It sounds like they probably just play this role of helping to advise the organization depending on where they are located and where they do business.
SOTTO: That's right, and really the first thing an attorney does is ask what happened, and really without a solid understanding of the facts surrounding a data breach, it's impossible to apply the law correctly. Ascertaining the facts is first, and then it's time after that to overlay the law and decide how to proceed to ensure legal compliance.
KITTEN: What key areas do attorneys play as they advise corporations and organizations about the steps that they should take?
SOTTO: In data breach situations, attorneys do much more than just advise on strict legal requirements. Data breaches are largely about reputational risk. A lawyer who's well-versed in managing data breaches knows that she or he needs to manage really much more than the straight legal compliance issues, and that means dealing with a forensic investigation, managing the PR, managing media issues generally, hiring and training call-center agents, retaining a mail house, retaining a credit monitoring or identity protection service, and also dealing with the inevitable fallout of a data breach internally within the organization. And of course, the lawyers also need to set things up to try to mitigate the risk of litigation that typically follows a security incident.
Privacy and Breach Notification Laws
KITTEN: How are data privacy and breach notification laws affecting the legal environment?
SOTTO: Privacy and data security really have become the purview of lawyers over the last few years. While these issues once were handled at a policy level, they're now falling squarely within the aegis of the lawyers because of the myriad and complex laws that apply to privacy incursions and to data breaches.
KITTEN: What ethical obligations do organizations have when it comes to notifying consumers and clients in terms of disclosures, e-discovery and the collection of the information?
SOTTO: That's a good question. There are obviously legal requirements that obligate companies to notify consumers whose data was compromised in a breach, but there are also ethical obligations to consider. When an organization discovers that information's been compromised, the obligation for the entity to consider is how to let affected individuals know so that they can take steps to protect themselves. The laws only require companies to notify people whose sensitive information - like Social Security numbers, for example - has been compromised, but we're now seeing that data elements we never before thought were sensitive, like e-mail addresses, are being used to commit identity theft, for example, in social engineering and in phishing attempts. It really behooves an organization that's experienced a data breach to not only think about the legal notification obligation, but also to consider whether it should notify the affected population of other data elements that might be an issue.
Considering the Investigation
KITTEN: When it comes to the role that the attorneys play, what do attorneys need to consider when it comes to the investigation as well as the subsequent notification after a breach?
SOTTO: The lawyers managing a data breach get involved in all aspects of the incident. Once an incident's discovered, the lawyers are often brought in right away to help manage the forensic investigation, and as I mentioned earlier if a forensic expert is retained by a lawyer to assist then there's a chance that the work of the forensic team can remain privileged. As lawyers, we've overseen many forensic investigations carried out by technologists. Once the investigation is complete, then it's time to notify the affected individuals, and the notification process is complicated because most breaches affect people in multiple jurisdictions. This requires an interpretation of many different laws. Making conflicting and overlapping laws mesh into a single, comprehensive action plan is much like dealing with a puzzle containing hundreds of small pieces.
KITTEN: What advice would you offer to attorneys who are interested in pursuing careers in privacy and information security?
SOTTO: There just couldn't be a more exciting time to practice in this area. We are without question living in the information age. Just as companies in the industrial age needed raw materials to thrive, today the success or failure of a company turns on the value of its data. I would certainly advise lawyers who are looking to practice in this area to jump in with both feet. It's still a nascent field and there's so much more for us to learn and so many new laws being enacted globally in this space that it's a wide-open field.
KITTEN: What areas do you see building over the next 12-18 months as far as the legal profession's role and information security is concerned?
SOTTO: Just as I have said, we will certainly see new information security laws enacted in many countries around the world. Lawyers will need to advise not only on the reactive aspects like responding to a data breach, but also on proactive issues, like putting in place appropriate policies and procedures to regulate information security. I think lawyers will certainly be involved going forward in all aspects of information security, managing the security of data from cradle to grave.
Advice for Organizations
KITTEN: What advice can you offer to organizations about the legal ramifications or issues they should be focused on as cybersecurity and data breach notification become increasingly heated topics?
SOTTO: I would certainly push organizations to pay close attention to the legal environment. This is an area that's changing at nothing less than lightning speed. Focus on data security is certainly critical, and any company that's not making this a high-priority area is just not reading the daily news reports.
KITTEN: What final thoughts would you like to leave our audience with as they relate to legal obligations for corporations and organizations, as well as careers for attorneys?
SOTTO: We've learned over the last several years that data breaches can be game changers for organizations that suffer major incidents. The key really is to prevent the significant breach from happening in the first place. That means making data security a part of the corporate ethos, and training employees to focus on this issue. Unfortunately, many companies don't dedicate sufficient resources to this area, and I have no doubt that we'll be discussing information security and data breaches for many years to come.