A data breach: What (you have) to do when the worst happens
Are you willing to risk it?
April 2019 Footnote
With more than 1,100 data breaches significant enough in size to be known and reported in 2018, it is no surprise that some are calling 2018 the “Year of the Data Breach.” While many are familiar with the widely publicized breaches of Facebook, Marriott, Google and USPS affecting millions, most would be surprised to learn that private businesses accounted for 50 percent of all breaches in 2018.
Data breaches happen in many ways, but email still holds one of the top spots as a point of access for persistent threats, with stolen employee credentials being the No. 1 cause of all data breaches for professional services firms in 2017. These breaches are often the result of phishing attacks designed to trick the recipient into opening a malicious attachment or link, or to gain access to a specific target’s information. Small to midsize businesses that believe they are unlikely to be the victim of a breach may not spend the time or resources required to ensure they are adequately protecting sensitive information.
However, the reasons for taking precautions are many, and the implications of not taking the proper measures could be devastating.
It’s the law
Because accounting and other professional services firms often hold sensitive data, they are particularly susceptible to attacks, and are therefore held to increasingly higher standards for protecting client, customer and consumer data. The Federal Trade Commission (FTC) is one of several governing bodies with authority over financial institutions to regulate and enforce data security and privacy measures, including compliance with the Gramm-Leach-Bliley Act (GLBA).
The GLBA is a United States federal law regulating how financial institutions (including firms and individuals who prepare taxes) collect, use, protect and disclose private personal information.
To be GLBA compliant, financial institutions must implement appropriate safeguards — including a written security program — to protect their customers’ private data. The GLBA also contains specific breach notification requirements in the event of a data breach.
The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, misled them by failing to maintain security for sensitive consumer information or caused substantial consumer injury. Ramifications to companies failing to comply have included multimillion-dollar fines and settlements ($22.5 million in Google’s case), requirements that companies implement comprehensive data security programs to address security risks, and ongoing monitoring and oversight of those programs by the FTC for future decades.
Other federal laws enacted for the purpose of protecting an individual’s privacy include HIPAA and HITECH. HIPAA (Health Insurance Portability and Accountability Act) is one of the better known federal laws regulating protection of personal information in the health care setting. The Privacy Rule sets national standards for the protection of health information. HITECH (The Health Information Technology for Economic and Clinical Health Act) was created to strengthen the security and privacy objectives of HIPAA and, more importantly, extended HIPAA’s privacy and security protections to “business associates.”
One who provides actuarial, accounting or consulting services may be considered a business associate, and would therefore be required to comply with HIPAA/HITECH’s security requirements. HITECH also created breach notification rules and procedures that apply when personal health information is improperly accessed or disclosed. Again, multimillion-dollar fines and settlements have resulted from data breaches related to HIPAA/HITECH laws.
It’s the law — state considerations
In addition to federal laws, almost all states have data breach notification statutes and requirements that an accounting or professional firm (or their clients) need to follow if a data breach occurs. For example, Minnesota requires that notification be provided to all affected persons. If more than 500 persons are affected, the company must also notify, within 48 hours, all consumer reporting agencies as defined by 15 U.S.C. Section 1681a (which broadly includes any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports). The law defines “notice” and requires that written notice be sent to the most recent available address of the person or business, but also allows for electronic or substitute forms of notice under certain circumstances.
Companies and firms working with clients in multiple states should also pay attention to the requirements in those states where their clients are domiciled, as those requirements may differ.
For example, New York’s breach notification law differs from Minnesota’s law, and proposed changes to the law would expand its reach to any company that has the personal information of a New York resident, regardless of whether that company does business in New York. As data breaches become more common, more states and countries are seeking to pass new standards relating to the security of personal information, and staying abreast of the latest laws and regulations is crucial in order to avoid costly penalties.
Data breaches can be enormously expensive. Engaging forensic experts, providing credit monitoring, offering discounts on future products or services, conducting in-house investigations, preparing and providing required notices, and legal costs can all add up to big losses for a firm or client experiencing a breach. For example, the Ponemon Institute calculated the average cost of a data breach in the U.S. (excluding mega-breaches of more than 1 million records) to be $7.91 million.
Even breaches of less than 10,000 records can still result in multimillion-dollar losses. Moreover, data breaches often result in significant litigation costs, especially in the event of a class action lawsuit. Many may think class actions would only apply to those data breaches affecting tens of thousands or millions of individuals, but classes can generally be certified with as few as 40 plaintiffs, presenting a significant risk for even small to midsize companies and firms.
It’s your reputation
Due to the notification requirements, data breaches are often highly publicized. Although a breach at a small or midsize firm may not make national news, such breaches are frequently publicized by local news outlets. Organizations in the U.S. pay the highest price for losing customers after a data breach. This is believed to be the result of customers having more options available here than elsewhere.
Reputational costs incurred as a result of a breach may include the abnormal turnover of customers, costs related to increased customer acquisition activities, opportunity costs and diminished goodwill. Depending on the size and scope of a breach, it may be advisable to hire an outside resource to assist with communications and reputation management.
The consequences of failing to adequately guard against data breaches can be severe. It is important that firms and their clients identify the privacy laws applicable to them and understand what procedures and security measures must be put in place in the event of a data breach. This proactive approach will help mitigate risk and produce the best possible outcome when the unexpected occurs.
Christopher Haugen is an attorney in Messerli Kramer’s Business Litigation Group. Chris litigates a wide variety of cases, including data breach, cybersecurity and privacy cases, contract matters, shareholder/closely held business disputes, employment and other business torts. He has experience in all phases of litigation and has obtained favorable results on behalf of clients in state and federal court.
Impacted by a data breach?
Minnesota requires that notification be provided to all affected persons. If more than 500 persons are affected, the company must also notify, within 48 hours, all consumer reporting agencies (CRAs), as defined by 15 U.S.C. Section 1681a. While the major three CRAs (Equifax, Experian and TransUnion) should certainly be notified, the law does not limit its applicability to only the big three, and best practices would require notifying specialty CRAs as well. The CFPB has contact information for many of the specialty CRAs at www.tinyurl.com/CFPBcontact.