BreachExchange mailing list archives

What is "Expedient" Notification of a "Data Breach?"


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Feb 2014 12:59:56 -0700

http://www.dataprivacymonitor.com/data-breach-notification-laws/what-is-expedient-notification-of-a-data-breach/

One of the first questions companies ask us when we are hired to help them
respond to a new security incident is how fast they have to notify if the
investigation shows that a "breach" occurred.  Except for a couple of
states that require notification to occur no later than 45 days after
discovery, there is not a bright-line, objective answer.  Most state breach
notification laws require notification to occur as soon as reasonably
possible and without undue delay subject to some qualifications.  For
example, California's law requires that: "The disclosure shall be made in
the most expedient time possible and without unreasonable delay, consistent
with the legitimate needs of law enforcement . . . or any measures
necessary to determine the scope of the breach and restore the reasonable
integrity of the data system."  Aside from one state attorney general who
uses notification within 30 days as a guidepost, there is relatively little
precedent to guide companies in determining how fast they have to mail
notification letters to comply with applicable laws.  A recent enforcement
action against a company that learned that one of its computers had been
sold at a thrift shop provides an example of what may not constitute
"expedient" notification.

In January 2014, a California company agreed to pay $150,000, notify
employees as information becomes available (instead of at the conclusion of
an investigation), conduct additional employee training on safeguarding
sensitive information, and review and improve its policies regarding
protecting sensitive information to resolve an enforcement action brought
by the California Attorney General.  The lawsuit alleged that the company
learned of the sale of a hard drive at a thrift store on September 24, 2011
and was able to begin forensic analysis after it obtained the drive on
December 21, 2011.  The preliminary forensic analysis was alleged to have
been completed in a week (showing that the drive contained personal
information of employees) with the full forensic analysis continuing into
February 2012.  The complaint further alleges that the company mailed
notification letters in mid-March 2012 to approximately 20,000 current and
former employees informing them that the drive contained their personal
information.

As part of the contention that the time between obtaining the drive in
December 2011 and notification of California residents in March 2012
constituted a violation of California's law, the complaint specifically
alleged that the company "could have notified individuals it had identified
as affected by the breach as early as December 2011, but did not commence
notice until, on, or about March 2012."  Essentially, the complaint alleged
that it is a violation of California law to wait until the investigation
was complete to notify all affected individuals instead of notifying
segments of individuals on a staggered basis as they were identified over
the course of an investigation.

Initially, it sounds reasonable to suggest that companies should provide
staggered notification.  In some circumstances it may be appropriate, such
as when a company believes the information of a segment of affected
individuals is actively being misused.  But a staggered notification can
also create problems.  Examples of such problems include: (1) multiple
notifications over time can create a perception that the company mishandled
the investigation or that there was a "second breach"; (2) if a segment is
notified initially that only their name and SSN were affected but the
investigation later shows that their credit card information was also
affected, the company may need to send a second letter; and (3) uncertainty
in the initial notification as to who will be notified creates apprehension
among the group of potentially affected individuals.

Affected individuals often want the notification to occur "immediately."
But the work necessary to determine what occurred, who is affected, and
then to complete the logistics necessary for a large mailing (which can
require multiple vendors) can be very difficult to complete within 30-45
days.  If a forensic investigation is required to determine if a "breach"
occurred, it can take weeks for the investigation to produce preliminary
findings.  It often takes at least a week just for the forensic firm to be
engaged, arrive on site, acquire forensic images, and then take the images
back to their lab to start the investigation.  After findings show a
"breach" may have occurred, it can often take several additional weeks to
determine the scope of the attack (when it started, when it was contained,
and what "personal information" could have been accessed during that time
frame).

We often advise companies faced with a potential "breach" to conduct their
response in parallel tracks--while one group is investigating to determine
if there was unauthorized access or acquisition of "personal information" a
second group begins preparing to mail notification letters in the event the
investigation shows a "breach" might have occurred.  In the hundreds of
incidents we have helped clients manage, we have found that there are four
important questions companies should be ready to answer before sending out
notification letters (because these are questions the letter recipients
will ask): (1) what happened; (2) how did it happen; (3) what are you doing
to protect affected individuals; and (4) what are you doing to stop this
from happening in the future?  A quick notification sounds good, but an
accurate notification is critical.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/