Our caseloads and court dockets attest: bad things happen on the eve of an employee departure. A sales manager e-mails himself customer, pricing, or personnel information. A physician fills her thumb drive with the practice group's patient list and billing information. A medical assistant forges patient checks or charges personal expenses to patient credit cards. A loan officer (and embezzler) decides to run and takes a bank laptop. Our client is hot. We call the police. We rush to interview staff, review our client's contracts, and draft and file injunction papers. Yet, while we scramble to stem the loss of trade secrets and competitive information, another risk demands our attention: data breach.
By now we, and hopefully our clients, have been appropriately sensitized to the horrors that attend poor cybersecurity. Malware, spyware, and ransomware infiltrate and disrupt systems by way of hacking, social engineering, spoofing, phishing, vishing, watering-hole attacks, and cyber fraud by any other name. These in turn result in data breaches, identity theft, stolen IP, extortion, and threats to public safety, as well as destruction of property, reputation, and goodwill.
Every year new laws and regulations appear to address these ills and to assign responsibility for them. Our own Rules of Professional Responsibility require us to safeguard client data and to become reasonably tech savvy in doing so. Nearly all states have passed data breach notification laws that protect personal financial and medical information. (New Mexico is the most recent domino to fall. Alabama and South Dakota – and, some might say, the federal government – are the lone holdouts.) Similar requirements are imposed and enforced by the federal and state agencies that regulate some of our clients. A growing number of states (the Nutmeg State included) mandate that certain businesses maintain comprehensive written information security programs and impose penalties for violations.
The point is: when an employee steals valuable company data, or devices that also happen to contain the personal information of others, the client's liability under one or more of these laws is implicated – every bit as much as if the client had suffered an outside cyber attack. Although the client's attention may be consumed by the employee's betrayal and the threatened loss of business, its attorney should be prepared to spot the ensuing data privacy and security issues and help the client manage the related litigation and regulatory compliance risks. What follows are several points to add to the list of considerations the next time a client faces a theft of company information or devices.
The threshold issue is whether the theft also constitutes a data breach that requires reporting to a regulator and notification to affected individuals. If the client has a privacy or security officer and a data breach response plan, the appropriate individual(s) should be notified and the plan's procedures followed in consultation with litigation counsel. Ready or not, there are a number of questions to address:
What kind of information was involved? State breach notification laws define personal information differently. They typically focus on combinations of personally identifying data elements (for example, a name together with a Social Security number, driver's license number, or financial account number) that could permit identity theft, invasion of medical privacy, or unauthorized access to financial accounts. Some states, like California and Rhode Island, also protect information such as user names and passwords that might facilitate unauthorized access to an e-mail, social media, or similar online account. To determine which, if any, state breach notification laws apply, it is critical to know what type of information was contained in the stolen file or device and the states of residence of the individuals affected.
What forensic work needs to be done and who will do it? The client may not know what information was taken without the help of digital forensics. If the client does not have reasonably qualified IT professionals in-house, it may need to engage a digital forensic investigator. Either way, the original devices, accounts, and logs should be preserved and examined from forensic copies, with the chain of custody documented, so that the findings are both reliable and admissible. This can be helpful both in reporting to a regulator and in preparing evidence that can be used in the lawsuit against the employee.
In what form was the stolen information kept? Some breach notification laws are triggered by disclosure of computerized information only; others apply equally to paper and even oral information. Still other laws expressly exclude from the definition of breach a disclosure of personal information that was properly encrypted. If the stolen file, laptop, or thumb drive was encrypted and the rogue employee does not have the decryption key or password, then the theft might not be a reportable breach. That safe harbor is lost, however, where the employee held the credentials to unlock the device, or the device was taken while powered on and unlocked, so the forensic review should establish not just that encryption was in place but that it was effective against this particular employee.
Is the client regulated? Clients operating in healthcare, insurance, banking, telecommunications, education, and online services directed at children are subject to special federal and state regulations that govern data privacy and security. These regulations often contain breach reporting and notification rules that must be considered in addition to the general state breach notification statutes. Even if a client is not technically within the reach of such regulation, it may have contractually assumed similar obligations to a business partner who is. Contractual reporting and remediation obligations should be reviewed.
Other clients, such as retailers, may be contractually obligated to comply with industry self-regulatory requirements like the Payment Card Industry Data Security Standard, or "PCI DSS", which carries the prospect of shorter deadlines, more stringent forensic investigation and reporting requirements, and more substantial, unpredictable fines and penalties. Thus, with respect to the earlier example of the medical assistant who has stolen patient credit card information, the client would likely need to comply with at least three breach notification schemes: PCI DSS (to the sole satisfaction of Visa, MasterCard, and the other card brands); the Breach Notification Rule of the federal Health Insurance Portability and Accountability Act (HIPAA), as administered by the Office for Civil Rights of the U.S. Department of Health and Human Services; and the state breach notification statute, as administered by the Office of the Attorney General.
Is the breach likely to result in harm to the individual(s) affected? Many state breach notification statutes do not require notification where the breach is not likely to result in harm to the individual(s) whose information was disclosed. In states like Connecticut, this determination is not made unilaterally but in consultation with the responsible authorities. Other standards, such as the HIPAA Breach Notification Rule, do not condition notification on the arguably subjective determination of whether there is a risk of harm to the individual; instead, they presume that notification is necessary unless the client can demonstrate (through a multi-factor risk assessment) that there is a "low probability" that the individual's protected health information has been "compromised".
When did the client discover the theft? The client has only a limited period of time in which to report to the regulator (if required) and to notify individuals once it discovers, or reasonably should have discovered, that the employee theft involved protected personal information. Some laws do not require agency notification. Others require agency notification at least simultaneously with individual notification, and in some instances before individual notification, including as early as 14 days after discovery. Individual notification is generally required within a "reasonable" time, subject to outside limits of 30, 60, or 90 days from discovery. The required form and content of the notice vary and often depend on the number of individuals affected.
Does the client have cyber risk coverage? Data breach investigation and response can be bewildering and expensive. Have the client confirm whether it has applicable insurance coverage and notify the insurer promptly, since late notice can jeopardize coverage. Some cyber policies set sublimits for specific response costs and provide a panel of professionals who can help with forensics, notification, credit monitoring and restoration, public relations, and so on.
Does breach response affect the employee litigation? Be sure that the employee litigation team and the breach response team are working in consultation with each other. Consider issues of timing. It will not look good to the regulator if your client has moved with all haste to protect its own interests, for example by seeking an ex parte temporary restraining order against the rogue employee, while at the same time allowing the interests of affected individuals to languish as the client belabors the decision of whether individual breach notification is required.
In this regard, it may serve your client to contact the regulator even when not required, to alert it to a potential data breach. You do not want the regulator learning for the first time about a possible breach involving its constituents through news coverage of your employee theft suit. Even if the regulator and the client ultimately conclude that individual notification is not required, the regulator may suggest language for any eventual injunction against the employee that strengthens protections for the potentially affected individuals.
Theft of business information is frustrating enough for clients. Help manage that frustration by confronting the data breach risks that, if ignored, will only make matters worse.