Almost every day brings a new report of a significant cyber-security breach. National retailers, large financial institutions, and local entities large and small have been recent victims of cyber-hacking. Financial institutions, health care providers, and retailers are frequent targets of cyber warfare, but virtually every business is at risk. The St. Louis Business Journal’s Oct. 10-16, 2014, cover story, “Why no company is safe in the age of cyber warfare,” (Felt, Brian) reports the staggering costs in lost business and post-data breach losses associated with cyber attacks. According to a local cyber security expert quoted in the Business Journal, “executives should be operating under the assumption that they’ll soon be hacked if they haven’t been already.”
In addition to taking steps to protect its data, before a breach occurs every business should develop a plan to react to such an event. One of the key steps in being prepared from a legal compliance standpoint is to identify the notification requirements that will be applicable. Almost every state (47 to date), the District of Columbia, Puerto Rico, the US Virgin Islands and Guam have enacted data breach notification laws requiring businesses and other entities to notify affected individuals when a data breach involving identifiable personal information occurs. The Missouri data breach notification statute is contained within the Missouri consumer protection statutes (See, Mo. Stat. §407.1500). Illinois, one of the first states to pass a comprehensive data breach notification law, enacted the Personal Information Protection Act (PIPA,815 ILCS 530/5) in 2006. Although there are variations in provisions in each state, data breach notification statutes routinely require timely notice. Missouri requires notice “without unreasonable delay,” whereas Illinois requires notice in the “most expedient time possible.” Therefore, it is imperative that businesses proactively prepare to be in position to timely provide notice of data security breaches. To accomplish that, businesses should initiate pre-breach and breach-response best practices.
The time to think about how your business will deal with a data security breach is before the breach occurs. Pre-breach best practices should include inventorying and assessing the laws and regulations for each jurisdiction that may be applicable in the event of a breach, as well as establishing a data breach response team and a game plan for addressing data breaches. The response team should include C-Level executive(s), IT personnel (internal, and external consultants), compliance, public relations (internal and external) and legal counsel (internal, if applicable, and external).
Post-breach best practices should include seeking expert forensic advice immediately to identify the scope and the nature of the breach. Information regarding the nature and scope of the breach is statutorily required to be included in the notification to affected persons under many data breach notification laws. In addition, outside consultants can assist in stopping and isolating the breach as quickly and thoroughly as possible. The “timely notice” clock begins ticking as soon as the breach is discovered. Legal counsel can assist in preparing appropriate and legally compliant notification to affected persons; as well as working as a liaison with law enforcement to report the data security breach.