Effective Breach ResponseAttorneys: Don't Take a One-Size-Fits-All Approach
The key to effective breach response is to not take a one-size-fits-all approach, says attorney Ronald Raether, who outlines top strategies organizations should consider when deal,oing with an incident.
"A good example of how to do it right was Zappos," says Raether during a panel discussion with Information Security Media Group [transcript below]. "In particular, they had a website set up so that different audiences could go and look at frequently-asked questions that were more pertinent to their special interest."
This one-size-does-not-fit-all approach is one that other organizations can utilize, he explains. "You need to look at a lot of different factors, including the market that the company is in, the type of data that's at issue and who's the audience that you need to speak with," Raether says.
Accountability also needs to be addressed when responding to a breach. "It's important that the public understand that the company is oftentimes a victim in these matters, as well as their customers or the consumers whose data they're managing," Raether explains. "But likewise, the company still needs to be accountable."
Raether also encourages being proactive with regulators and reaching out early, rather than waiting until after notices have been sent to affected individuals. "Know who the important regulators are going to be based on the various components that are at issue," he says.
In this fourth installment of the five-part Legal Roundtable series, Raether, along with attorney David Navetta, discusses:
- Top breaches of 2012;
- Which breached entities responded best and worst;
- Lessons we can carry into 2013.
About the panel participants:
David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.
Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.
Lisa Sotto is managing partner for New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.
The remaining installments of this series focus on:
- The legal merits of 'hack back';
- Regulators dictating privacy;
- Fraud litigation trends;
- Top security/privacy issues of 2013.
Top Breaches of 2012
TOM FIELD: Ron, there are so many incidents to choose from. What would you say were some of the most significant breaches of 2012, and why would you designate those?
RONALD RAETHER: It's difficult to say and really identify which ones are the most significant. I think there are some exemplary ones that really show the trends that we were seeing in 2012, so walking through those I think would be helpful. And to the extent that they're showing the trends, obviously they're significant.
The first would be Global Payments, which is a breach that happened towards the beginning of the year involving a company that processes Visa credit cards, and I think the significance of that particular incident was that it involved a company that was presumably PCI compliant. Oftentimes we hear regulators, we hear individuals generally, talking about standards, the importance of standards, meeting those standards and how those ought to mitigate or avoid breaches. I think Global Payments is a good example of even when you meet certain requirements - in terms of standards - you're still susceptible to breaches. Global Payments is important from that perspective.
Another example is the Barnes and Noble PIN pad hack. Why is that important? It's important because it reveals the fact that the vulnerabilities aren't just the sophisticated schemes where the bad guys are trying to hack through large sophisticated firewalls with complicated software or malware, but rather it shows the ingenuity of criminals and their ability to use common everyday devices to find vulnerabilities in them and being able to scale those vulnerabilities in order to effectuate a financial fraud. The other important thing about the PIN pad hack is it's not new. It's something we saw three or four years ago and now it's making a resurgence. It's another good lesson in that don't forget about the vulnerabilities that were out there in the past, because if we do they're often likely to repeat themselves. A good criminal will keep trying different ways to be able to apply their trade, and sometimes that means doing things that they've done previously. We've maybe gotten a little bit relaxed in terms of dealing with past threats because we're so focused on what's current and what people are talking about in the future.
The other ones are the Yahoo! and LinkedIn hacks. Why do I think those are interesting? They are because these are two fairly large, presumably sophisticated companies and the issue there was storing passwords in plain text, something that we all ought to know not to do. But for whatever reason, those vulnerabilities are still out there. I don't think that Yahoo! and LinkedIn are alone, believing that they're somehow immune from having to protect against what I consider to be somewhat customary, plain types of vulnerabilities. Storing passwords in some type of hash or encryption to me ought to be commonplace today, so I think it's important for that.
Lastly, the breach involving the South Carolina Department of Revenue is interesting in a lot of respects. One is that it reaffirms sort of what we saw three, four, even five, years ago that the government often remains one of the more vulnerable areas in which bad guys are able to apply their trades. Four or five years ago it seemed to be that education and education institutions were the center of the target of bad guys. This incident involving the South Carolina Department of Revenue reminds us that our government institutions are still vulnerable. But I think even just as interesting is the fact that there was a third-party vendor involved, and that's Trustwave. In the lawsuits that have come out of that South Carolina data breach, Trustwave was named as a defendant and I think it's interesting from the perspective of now seeing in essence the equivalent of outsourcing; in this case, outsourcing security, technical process and procedures. But this outsourcing entity Trustwave did come within the scope of plaintiff's counsel and is involved in this data breach as a response in the incident of litigation.
DAVID NAVETTA: [Here are] a couple of points to follow up on what Ron said. Trustwave, assuming they would be basically a security company, I do think that's a very interesting issue. Where I often see this is in representing a company that has been breached, they start looking at, for instance, [in the case of credit cards], the point-of-sale vendor to see if they were configuring the system in a way that was inappropriate or not PCI compliant. Beyond the plaintiff going after the service provider, I think we're going to see more and more companies going after the service provider themselves after they suffered a breach, blaming the service provider for failing to have adequate security and causing or allowing the breach to happen in the first place. This is just a natural result of all the outsourcing that goes on, all the cloud computing and third-party reliance that we have now on entities that are actually doing the data processing.
Following up on your point about passwords being stolen, from a breach notification standpoint it's interesting because typically username and password for most states is not considered the type of information that if stolen you need to provide notice about. It kind of falls between the cracks when it comes to breach notification and regulatory scrutiny on some level, but I think with these high-profile breaches like with Yahoo!, LinkedIn and Blizzard, which is a gaming company, we've seen exactly what happens when that type of information is stolen.
Unfortunately, many people use their same username and passwords for multiple sites, perhaps for banking sites and their e-commerce type of sites. The bad guys have figured this out and have decided that [they] don't need to worry about identity theft in creating my identity. They just use the credentials that exist in a common username and password for a particular individual and start logging into the various e-commerce sites that are common across the world, or in the U.S. at least, and start buying things.
Then I've had calls from frantic companies that all of a sudden realize that all the purchases they just took were actually from a hacker who had stolen someone's username and password. You have to think beyond identity theft and kind of what happens on the front end, and think about how certain information like username and password could be used two steps beyond the actual theft to create havoc or allow for criminal activity. Then, beyond breach notification laws in their strict requirements, would it be appropriate for some sort of voluntary notice perhaps to warn customers from even a business point-of-view of a potential breach involving this type of information? I think those are some of the key questions companies are going to have to struggle with when there are situations where breach notification laws themselves are not strictly a trigger.
Breach Response: Pros and Cons
FIELD: Ron, one of your specialties is breach response. Which organizations have you seen respond particularly well or particularly badly to the incidents that we've talked about?
RAETHER: I think we're seeing some pretty common characteristics with regard to proper breach response, always starting from the premise that one size does not fit all. David made a good point that sometimes companies feel like it's the appropriate thing to do to provide notice even though statutes may not require them to do so. The problem of course is that the media and the public in general don't post those fine legal distinctions, but instead lump those companies in the same bucket as the companies that are having to disclose a breach with regard to something that the law at least considers to be more sensitive; for example, healthcare information or financial information.
What we saw in the last year is that some companies did a good job of realizing that they must customize their communications plan to the specific incident. Other companies that used more of a formulaic approach I think got caught up in that. Looking at the latter, I think Global Payments in their initial response to the events exemplifies how a company can get caught up in that formulaic response and get caught under the pressures of checking the box and just following through their written incident response plan without necessarily looking at all the implications.
The important thing is to balance accuracy and speed. Sometimes the two are in conflict with each other. The speed comes from the expectation of the media and the regulators, the people that are looking over our shoulders to question why it took so long for the company to come forward and bring public the fact of the breach, with the concept and the idea being that once you make that information public, then the consumer can be proactive in protecting themselves.
Of course, balancing against that is a need to be accurate, to make sure that what you're saying is complete and true. If you don't have complete answers at that moment, then you need to qualify what you're saying based on that. Unfortunately for Global Payments, when they first came out, they announced that the breach involved at one point five million people. They made certain representations about what was the cause of the breach, whether it was track 1 or track 2 data, which is important in terms of how easy it is to misuse somebody's credit card information. Visa came out around the same time and issued statements that were inconsistent with what Global Payments was saying, so really the consequence of that is a loss of customer confidence in the company, confusion within the regulators, and opportunities for a plaintiff litigation counsel to use those communications and to use the inconsistencies to tarnish the company in subsequent actions.
On the other side of that, there were some companies that did an effective job of not only balancing accuracy and speed, but also using the right media to communicate the event and what transpired, and just as importantly what consumers ought to do to help protect themselves against any consequences. Interestingly, a good example of how to do it right was Zappos, even though Zappos involved information that arguably did not require a breach notice. When you look at how they used the website, in particular they had a website set up so that different audiences could go and look at frequently-asked questions that were more pertinent to their special interest. If you were a consumer, you could go to a page and see questions and answers that would be relative to you. If you were an investor, there was a separate page that would have the information that was pertinent to you and so on and so forth. Generally speaking, companies are realizing that one size doesn't fit all, but likewise [are] balancing accuracy, speed, transparency and making sure that you're using the right medium to reach the group of people that are really going to be interested and need the assistance during the data breach response period.
Response: Lessons Learned
FIELD: Ron, given all you've talked about here, what would you say are some of the lessons that we've learned about breach response in 2012?
RAETHER: One size does not fit all, so I think you need to look at a lot of different factors including the market that the company is in, the type of data that's at issue and who's the audience that you need to speak with, balancing accuracy and speed, dealing with what I talked about in terms of transparency and using the right media.
Also, make sure that there's accountability so it's important that the public understand that the company is oftentimes a victim in these matters, as well as their customers or the consumers whose data they're managing. But likewise, the company still needs to be accountable and recognize publicly that they ought to be a trusted actor when it comes to dealing with data, especially in terms of future concerns. You want to maintain those consumer relationships and you have to have accountability, so it means having the right spokesperson and having that spokesperson say the right, balanced things.
The other important thing that I think we started really addressing in 2011 - and it's carried over into 2012 - is being proactive with the regulators. It's not waiting until the notices are sent and then following up or waiting for the regulators to call you and then reacting to that. Obviously, be proactive with them. Know who the important regulators are going to be based on the various components that are at issue. What state is my client located in? Who are the attorney generals that have a particular interest in this topic? Before, there were some clear actors that were generally interested in privacy and now we're starting to see some attorney generals who have a heightened interest in health information, HIPAA-regulated issues, other AGs showing a particular interest in other topics. Know the right people to contact and then speak with them even before the notice goes out. Quite frankly, in a lot of instances, ask the attorney general to review the form of notice, even when it's not required by the applicable statutes.