Jena Valdetero David Zetoony Bryan Cave LLP
TABLE OF CONTENTS
ABOUT THE AUTHORS ..................................................................................................ii INTRODUCTION............................................................................................................. 1 I. UNDERSTANDING THE NATURE AND SCOPE OF DATA EVENTS, INCIDENTS,
AND BREACHES ......................................................................................................... 2 A. Security Events ..................................................................................................... 2 B. Security Incidents .................................................................................................. 3 C. Security Breaches ................................................................................................. 4 II. DATA SECURITY INCIDENT PREPAREDNESS ....................................................... 5 A. Cyber Insurance .................................................................................................... 5 B. Written Information Security Program.................................................................... 9 C. Incident Response Plan....................................................................................... 10 D. Contractual Obligations to Business Partners ..................................................... 11 III. INCIDENT RESPONSE ........................................................................................... 12 A. Investigating a Security Incident.......................................................................... 12
1. Include legal counsel at the inception of the investigation............................. 12 2. Form a core team of personnel to attend to the breach ................................ 13 3. Contain the breach and preserve evidence................................................... 13 4. Retain a third-party forensic investigator....................................................... 13 5. Assign a Crisis Manager. .............................................................................. 14 B. Coordination with Data Owners........................................................................... 14 C. Communication to the Public/Media .................................................................... 14 D. Communication with Law Enforcement ............................................................... 16 E. Communication with Impacted Consumers ......................................................... 17 1. Do the state laws apply to your restaurant? .................................................. 17 2. What personally identifiable information triggers notification?....................... 18 3. How quickly must the restaurant notify affected consumers?........................ 19 4. What information does the consumer notice have to include? ...................... 19 5. How must a restaurant notify affected consumers? ...................................... 19 6. Should a restaurant ever voluntarily notify consumers of a breach? ............. 20 7. Is notification required to any other parties?.................................................. 20 8. What types of services should the restaurant offer to affected consumers? . 21 F. Unique Issues Relating To Payment Card Breaches .......................................... 22 G. Unique Issues Relating To Health Information .................................................... 23 CONCLUSION .............................................................................................................. 24
ABOUT THE AUTHORS
Jena Valdetero is a partner at Bryan Cave LLP where she serves as the head of Bryan Cave LLP's data breach response team. She has provided counseling to dozens of clients in connection with data privacy and security issues. She is a Certified Information Privacy Professional, U.S. (CIPP/US), by the leading privacy trade organization, the International Association of Privacy Professionals. In addition to her privacy practice, Ms. Valdetero handles litigation matters on behalf of a variety of clients, including class action litigation, in both state and federal courts. David Zetoony is a partner at Bryan Cave LLP and the leader of the firm's international data privacy and security practice. Mr. Zetoony has helped hundreds of clients respond to data security incidents, and, where necessary has defended inquiries concerning the data security practices of corporations. He is the author of leading handbooks on data security including Data Privacy and Security: A Practical Guide for In-House Counsel and the Better Business Bureau's Data Security Made Simpler. He represents clients across the food service industry including companies that focus on c fast food, casual dining, fine dining, concessions, and catering.
DATA SECURITY BREACHES:
INCIDENT PREPAREDNESS AND RESPONSE
by Jena Valdetero David Zetoony Bryan Cave LLP
Media reports about data security breaches have become an almost daily occurrence. Increased publicity reflects the simple fact that data breaches have grown in frequency and scope. Although statistics vary, in 2015 there were approximately 3930 incidents involving data loss and, according to one watchdog group, those incidents impacted over 736 million consumer records.1 Many of those data security breaches involved nationwide restaurant chains. According to one study, the Food and Beverage industry was the victim of 10% of all security compromises and data breaches in 2015, ranking third behind Retail and Hospitality.2 Consumers, regulators, shareholders, and business partners are scrutinizing whether restaurants that suffer a data security breach had adequate security before the breach occurred, and are critically examining how a restaurant prepares for, investigates, and responds to a security incident. Instances in which stakeholders believe that an organization's preparation or response was inadequate have led to litigation, regulatory investigation, erosion of client base, and, increasingly, changes in management.3 Given this context, it is not surprising that when board members and general counsel are asked "What keeps you up at night?" the answer is usually: "data security."4
Since the first publication of this handbook in 2014, the legal ramifications for mishandling a data security incident have also become more severe. In the United States, the number of federal and state laws that have claimed to regulate data security has mushroomed. The European Union has also enacted a new General Data Protection Regulation which will extend the United States framework for responding to data breaches across the EU, but with significantly enhanced penalties. The EU's version of data breach notifications might best be characterized as US law on steroids and will be sure to cause more sleepless nights on the other side of the Atlantic.
In order to effectively respond to a data security incident, in-house counsel must understand what a "security incident" entails, what the restaurant should do to prepare itself before the incident occurs, and what practical considerations will confront the restaurant when an incident
1Risk Based Security, Data Loss Statistics available at https://www.riskbasedsecurity.com/2016/02/2015-reporteddata-breaches-surpasses-all-previous-years/ (referencing data security incidents and the number of publicly reported data breaches) (last viewed June 15, 2016).
2Trustwave Holdings, Inc., Trustwave Global Security Report (2016) available at https://www2.trustwave.com/GSR2016.html.
3See, e.g., Tiffany Hsu, Los Angeles Times, "Target CEO Gregg Steinhafel Steps Down in Wake of Huge Data Breach" (May 5, 2014); Danielle Abril, Dallas Business Journal, "Sally Beauty To Replace Its CEO, Incurs $1.1M Cost from Data Breach" (May 1, 2014).
4Data security was the most common response for both board members and general counsel, after succession planning and regulatory compliance respectively. FTI, Law in the Boardroom (2013) available at http://ftijournal.com/article/managing-cyber-risk-job-1-for-directors-and-general-counsel. .
arises. Effective response also requires understanding and preparing for the possibility that a data security incident may lead to lawsuits, regulatory investigations, or public scrutiny.
Bryan Cave LLP has represented owners, operators, franchisors, and/or franchisees in connection with over 1,300 restaurants and venues that provide food service. This handbook provides a basic framework to assist in-house legal departments with handling a security incident. Section I explains what security incidents are, how often they occur, and which types of organizations are most at risk. It also discusses the types of costs that a security breach may impose on a restaurant. Section II outlines how in-house counsel can help their restaurant prepare for a security incident and how in-house counsel can evaluate the degree to which the restaurant is already prepared. Section III walks through the different steps that must be taken once a security incident occurs, including how to investigate the incident and how to communicate with other potentially interested entities such as business partners or law enforcement. It also discusses steps to consider if the security incident is, in fact, a "breach" that might harm consumers.
UNDERSTANDING THE NATURE AND SCOPE OF DATA EVENTS,
INCIDENTS, AND BREACHES
People sometimes refer to a "data breach" loosely as any situation in which data may have been removed from, or lost by, an organization. Technically, however, "data breach" is a legally defined term that typically refers in the United States to a subset of such situations-where there is evidence of an unauthorized "acquisition" of and/or "access" to certain types of sensitive personal information (e.g., social security numbers, driver's license numbers, or financial account numbers)-that trigger a legal obligation by an organization such as a restaurant to investigate the situation and to notify consumers, regulators, or business partners. As a result, it is important to realize that many of the situations that are referred to as "data breaches" in the media, and possibly by others in an organization, do not in fact meet the legal definition of the term. For the purpose of clarity, this handbook uses three terms to refer to security situations: a data security "event," "incident," and "breach."
A. Security Events
A "security event" refers to an attempt to obtain data from an organization, such as a restaurant, or a situation in which data could, theoretically, be exposed. Many security events do not necessarily place the organization's data at significant risk of exposure. Although an event might be serious and turn into an "incident" or a "breach," many events are automatically identified and resolved without requiring any sort of manual intervention or investigation and without the need for legal counsel. For example, a failed log-in that suspends an account, a phishing email that is caught in a spam filter, or an attachment that is screened and quarantined by an antivirus program, are all examples of security events that do not lead to an incident or breach and require little to no legal action.
Bryan Cave LLP 2016 DC01DOCS\454232.1
B. Security Incidents
"Security incident" refers to an event for which there is a greater likelihood that data has left, or will leave, the organization, but uncertainty remains about whether unauthorized acquisition or access has occurred. For example, if a restaurant knows that a laptop has been lost, but does not know what information was on the laptop or whether it has fallen into the hands of someone who might have an interest in misusing data, the situation is a security incident. Another way to think of a security incident is as "a situation in which you believe that electronic data that contains personal information may have been improperly accessed or acquired."5 As discussed in this handbook, security incidents almost always necessitate that an entity conduct a thorough investigation to test the suspicion that personal information was improperly accessed or acquired. Put differently, companies conduct investigations to determine whether there is, or is not, evidence that would redefine the "incident" as a "breach."
Security incidents impact all types of entities. Three organizations--Privacy Rights Clearinghouse, the Open Security Foundation, and Risk Based Security--systematically track publicly reported security incidents and breaches and provide up-to-date reports on evolving trends.6 According to the latter source, in 2015, approximately 47% of incidents impacted forprofit businesses, including restaurants, 12% impacted government agencies, 7% impacted medical providers and institutions, 14% impacted educational institutions, and 20% impacted other types of entities including non-profits.7
Security incidents are attributable to a variety of different causes--sometimes referred to as "attack vectors." While over 80% are caused by third parties, approximately 10% are a direct result of employees from within an organization.8 The number of incidents caused by employees should not be underestimated; a recent study found that far more insider-caused incidents now occur through privilege abuse (e.g., an employee stealing customer information) than through data mishandling (e.g., an employee inadvertently emailing a file that contains sensitive information to the wrong party). The number of security incidents attributable to employee actions has remained relatively constant over the past ten years, whereas the number of third party attacks--particularly computer hacking, malware, and social engineering--has risen sharply.9
5David Zetoony, ed., Council Of Better Business Bureaus, Data Security Guide: Data Security Made Simpler: Common Technical and Legal Terms A Glossary, available at http://www.bbb.org/council/data-security-madesimpler/common-technical-and-legal-terms/
http://dbpedia.org/page/Open_Security_Foundation, and https://www.riskbasedsecurity.com/ 2016/02/2015-reporteddata-breaches-surpasses-all-previous-years/. In addition, several consulting firms that offer forensic investigation services publish annual reports concerning trends identified in their investigations of security incidents. These reports differ from the publicly reported breaches insofar as they largely rely upon non-public data (i.e., incidents that may not have turned into breaches or that were not publicly reported). See, e.g., Verizon 2016 Data Breach Investigation Report available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ (last viewed June 15, 2016).
7See DataLossdb Open Source Foundation, Data Loss Statistics available at https://blog.datalossdb.org/analysis/ (referencing data security incidents from 2013). See also Verizon 2016 Data Breach Investigations Report.
8See, e.g., Verizon 2016 Data Breach Investigation Report available at http://www.verizonenterprise.com/ verizoninsights-lab/dbir/2016/.
9See Verizon 2016 Data Breach Investigation Report available at http://www.verizonenterprise.com/verizon-insightslab/dbir/2016/ (last viewed June 16, 2016).
Bryan Cave LLP 2016 DC01DOCS\454232.1
C. Security Breaches
As discussed above, a data "security breach" is a legally defined term. The definition varies depending upon the data breach notification laws that are at issue. As a general matter, a security breach refers to a subset of security incidents where the organization discovers that sensitive information has been accessed or acquired by an unauthorized party and that acquisition has created the possibility that a consumer might be harmed by the disclosure. In the laptop example provided above, if your restaurant determines that the laptop was stolen and it contained unencrypted social security numbers, the incident would fall under the definition of a "security breach." As discussed below, security breaches almost always dictate that your restaurant consider the legal requirements of data breach laws.
Data breaches typically impact organizations in a number of ways:
Reputational Costs: A data breach can erode the confidence of customers, donors, or clients, which can significantly impact sales and/or the reputation of your restaurant. Often the indirect cost to the organization from adverse publicity outweighs direct costs and potential legal liabilities.
Business Continuity Costs: Breaches that create, expose, or exploit vulnerabilities in network infrastructure may require that a network be taken off-line to prevent further dataloss. For restaurants that rely heavily on IT infrastructure, removing or decommissioning an affected system may have a direct impact on the restaurant.
Competitive Disadvantage: Breaches that involve competitively sensitive information such as trade secrets, customer lists, or marketing plans may threaten the ability of your restaurant to compete.
Investigation Costs: Security incidents involving IT infrastructure may require the services of a computer forensics expert in order to help investigate whether a breach has occurred and, if so, the extent of the breach.
Contractual Costs: Your restaurant may be contractually liable to business partners in the event of a data security breach. For example, a breach involving a restaurant's electronic payment system will typically trigger obligations under the restaurant's agreements with its merchant bank and/or its payment processor. Those obligations may include, among other things, the assessment of significant financial penalties. As another example, some outsourcing contracts require companies that provide services to other companies to pay for the cost to notify impacted individuals and to indemnify their business partner from lawsuits.
Notification Costs: If your restaurant is required to, or voluntarily decides to, notify consumers of a data security incident, it may incur direct notification costs such as the cost of printing and mailing notification letters. Although most statutes do not formally require organizations, such as restaurants, to provide consumers with credit monitoring, identity-theft insurance, or identity-theft restoration services, in some situations offering such services at the organization's own cost has become an industry standard practice.
Regulatory Costs: A regulatory agency may decide to investigate whether a restaurant should have prevented a breach and/or whether a restaurant properly investigated and responded to it. In addition, some regulatory agencies are empowered to impose civil penalties or monetary fines in the event that they determine the restaurant's security
Bryan Cave LLP 2016 DC01DOCS\454232.1
practices were unreasonable or that a restaurant failed to properly notify consumers or the agency itself in a timely matter. Significant legal expenses are associated with a regulatory investigation.
Litigation Costs: Bryan Cave LLP's own 2016 Data Breach Litigation Report found that approximately 5% of publicly reported data security breaches result in the filing of a federal putative class action lawsuit. 10 Although most suits have not resulted in a finding of liability, defense costs and settlement costs can be significant.
DATA SECURITY INCIDENT PREPAREDNESS
Many legal departments and information technology professionals have relied on the adage that the best way to prepare for a data security incident is to prevent one from happening in the first place. As a result, the historical focus for many organizations, such as restaurants, has been on taking steps to protect data and to prevent a breach from occurring. Such steps include instituting written information security programs that describe the security infrastructure of a restaurant, investing in defensive information technology resources, installing monitoring systems and training employees on good security practices. As the number of attacks from third parties that exploit previously unknown software vulnerabilities (sometimes referred to as "zero-day exploits") has risen dramatically, most organizations now realize that even the best security cannot prevent a breach. The new rule of thumb is that it is not a matter of if, but rather when, a security breach will occur. From that vantage point, preparing in advance for how your restaurant will respond when a security incident or breach occurs is essential.
Data security incident preparedness is a process that involves management, information technology, public relations, legal, and human resources. It typically includes the creation of a plan for how a restaurant will respond to an incident and/or a breach, as well as continual crossstaff and cross-department training to teach personnel about the plan and how to implement it. Each training exercise inevitably identifies areas in which a restaurant can improve its plan and/or provide additional training to improve its response.
In addition to supporting the restaurant's planning and training efforts, in-house counsel have a special role in terms of data security incident preparation. When a security breach occurs, there are several core legal documents that are typically implicated during, or after, the breach. In-house counsel should ensure that these documents are easily accessible and have a general awareness of the legal obligations or liabilities that these documents create. In-house counsel should also review the incident response plan to make sure that it incorporates those same legal documents. The remainder of this section provides a brief description of each document that in-house counsel should evaluate and understand as part of the restaurant's preparation for a possible breach.
A. Cyber Insurance
10Zetoony, David, Jena Valdetero, and Joy L. Anderson. 2016 Data Breach Litigation Report (April 6, 2016).
Bryan Cave LLP 2016 DC01DOCS\454232.1
Only 31% of companies have purchased insurance specifically designed to cover part, or all, of the costs of a data security breach ("cyber-insurance").11 Cyber-insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (i.e., the amount of money for which the insured organization is responsible before the policy provides reimbursement to the organization). If a restaurant has a cyber-insurance policy, inhouse counsel should review it carefully before a security incident occurs so that the legal department understands the degree to which the policy protects (and does not protect) the restaurant from potential incident-related costs and liability. One major restaurant chain learned too late that its cyber-insurance policy would not cover contractual liabilities to its merchant bank, resulting in over $2 million in unexpected liability and litigation costs.12 Policies may also obligate a restaurant to take specific actions, such as notifying the insurer or using pre-approved data incident response resources (e.g., investigators, credit monitoring, mailing services, public relations firms, or outside counsel). Because data security law is rapidly evolving and changing, the policy should be reviewed annually to ensure that the protections it affords continue to align with changes in the legal landscape, coverage trends, and the restaurant's operations.
The following checklist provides a guide to evaluate a cyber-insurance policy. Before completing the checklist, it is important to determine whether a restaurant's goal in purchasing insurance is to help it handle typical data security incidents, to help it cope with catastrophic data security incidents/breaches, or both.
Coverage: Does the policy cover the cost of retaining a forensic investigator? If so, are you limited to a single investigator, or are there situations in which the policy would permit hiring multiple investigators if needed? Restrictions on which forensic investigators can be used can be important. Forensic investigation is not a commodity, and there can be significant differences between investigations. While some insurance companies may focus on unit price (e.g. billable rates) when selecting a panel, many restaurants prefer to focus on overall price, reputation, or the ability of an investigator to work well with the restaurant's IT or legal departments.
Sub-limit: Does the policy have a sub-limit for forensic investigation related costs? Is the sub-limit proportionate to the average cost of retaining a forensic consultant to investigate a data security incident? Would the sub-limit be sufficient if more than one forensic consultant must be retained?
Sub-Retention: Does the policy have a sub-retention when hiring an investigator? If so, is the sub-retention well below the average cost of retaining a forensic investigator? If not, does the restaurant understand that the coverage may only provide protection for catastrophic incidents/breaches?
Coverage: Does the policy cover the cost of issuing notices to consumers? If so, does the coverage give the restaurant the right to control how those notices are given (e.g., in paper format versus in electronic format)? Does it require that the restaurant
11Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis at 22 (May 2014). 12Cyber Roundup, The Multi-Million Dollar Hole in P.F. Chang's Cyberliability Insurance, available at
https://cyber.ciab.com/2016/06/30/multi-million-dollar-hole-p-f-changs-cyberliability-insurance/ (June 30, 2016).
Bryan Cave LLP 2016 DC01DOCS\454232.1
avail itself of "substitute notice" when permitted by statute? If so, does the restaurant understand that the policy may not pay for printing and mailing notification letters if the restaurant decides that issuing notifications in that manner is necessary to help protect the restaurant's reputation and brand?
Exclusions: Does the policy exclude notifications that are not expressly required under a state data breach notification statute (e.g., "voluntary" notifications)? If so, are there situations in which the restaurant might decide to issue voluntary notices in order to limit reputational damage or decrease the likelihood of a class-action filing? Does your restaurant understand that these notices may not be covered under the policy?
Sub-limit: Does the policy have a sub-limit for the total costs in issuing consumer notifications or the total number of consumer notices for which the policy will provide reimbursement? If so, is the sub-limit proportionate to the quantity of consumers about which the restaurant maintains personal information?
Sub-retention: Does the policy have a sub-retention for either the cost of issuing consumer notifications, or the number of consumer notices that must be paid for by the organization? If so, is the sub-retention well below the total quantity of consumers about which the restaurant maintains personal information?
Credit Monitoring Related Services
Coverage: Does the policy cover the cost of providing credit monitoring (i.e., monitoring consumers' credit reports for suspicious activity), identity restoration services (i.e., helping consumers restore their credit or close fraudulently opened accounts), and identity-theft insurance (i.e., defending consumers if creditors attempt to collect upon fraudulently opened accounts and reimbursing consumers for any lost funds) to consumers who may be impacted by a breach? If so, are there any limitations on when the coverage is triggered?
Exclusions: Does the policy exclude credit-monitoring related services where providing them is not "required" by law. If so, given the fact that there are few statutes that formally require credit monitoring services to be offered, is anything of value really being provided to the company under the policy?
Paneled providers: Does the policy require the restaurant to use a certain company to provide credit-monitoring related services? If so, does the restaurant have a relationship with a different provider? Does the provider that is listed on the panel have a history of consumer complaints? Does it have a history of alleged unfair or deceptive trade practices? Must the provider, or the restaurant's insurer, indemnify it for any consumer complaints concerning credit monitoring services that the restaurant offers? If the policy has a significant retention, are the rates that the paneled provider will charge acceptable if the restaurant has to pay some, or most, of the cost?
Sub-limit: Does the policy have a sub-limit for the total cost that it provides for credit monitoring? If so, is the sub-limit proportionate to the average cost of providing credit monitoring multiplied by the quantity of consumers about which the restaurant maintains personal information?
Bryan Cave LLP 2016 DC01DOCS\454232.1
Sub-retention: Does the policy have a sub-retention? If so, is it well below the average cost of providing credit monitoring multiplied by the quantity of consumers about which the restaurant maintains personal information?
Coverage: Does the policy cover regulatory proceedings that may result from a breach? If so, does the coverage extend to legal fees incurred in a regulatory investigation or regulatory proceeding? Does it also cover the fines or civil penalties that may be assessed as a result of a proceeding?
Exclusions: Does the policy exclude investigations brought by agencies that are likely to investigate your restaurant? For example, if your restaurant is under the jurisdiction of the Federal Trade Commission ("FTC"), does the policy exclude investigations brought by the FTC? Does the policy exclude coverage for investigations brought by state regulators under certain types of state statutes (e.g., state consumer protection statutes or state unfair or deceptive trade practices statutes)?
Sub-limit: Is the sub-limit proportionate to the average cost of defending a regulatory investigation and/or the average cost of the fines assessed to other restaurant s in your industry?
Sub-Retention: Does the policy have a sub-retention for the cost of a regulatory investigation? If so, is the sub-retention well below the average cost of regulatory penalties and fines? If legal fees incurred in a regulatory investigation are covered, is the sub-limit well below the legal fees that you would expect?
Coverage: Does the policy cover contractual liabilities that result from a data security breach? For example, if the restaurant accepts credit cards, does the policy cover contractual liabilities that may be owed to the restaurant's payment processor or merchant bank? These are sometimes referred to as Payment Card Industry ("PCI") fines or assessments. If the restaurant is a business-to-business service provider, does the policy cover any contractual representation, warranties, or guaranties provided to clients?
Exclusions: Does the policy exclude any type of contractual liability such as PCI fines or contracts that the restaurant may have with end-use consumers?
Coverage: Does the policy permit you to retain an attorney to help the restaurant investigate and document an incident, retain investigators if needed, review contracts with service providers, identify statutory obligations to notify consumers and regulators, and advise the restaurant concerning steps that may reduce the likelihood of a class action or regulatory investigation? Does the policy cover legal expenses incurred in defending all types of claims?
Bryan Cave LLP 2016 DC01DOCS\454232.1
Exclusions: Does the policy exclude coverage for lawyers to provide assistance concerning some aspect of a security breach response? For example, does a policy exclude coverage if the restaurant's attorney attempts to negotiate or settle contractual claims, or has to deal with government regulators? Does the policy exclude claims asserting legal theories that are common in class actions (e.g. consumer fraud, deceptive practices, or unfairness claims)?
Paneled providers: Does the policy require that the restaurant use a specific law firm or provide a panel of firms? Does the restaurant have relationships with any of the firms that are on the panel? If not, has the restaurant done due diligence concerning the firm's experience in handling data security breaches? Has it investigated whether the firm has taken legal positions that might benefit the insurer, but be inconsistent with the restaurant's ability to obtain coverage under the policy? Does the restaurant feel confident that its counsel will provide independent advice, even if that advice may not be in the insurer's interest? For example, would the quantity of work that the attorney receives from the insurer influence whether the attorney would advise the restaurant against using the insurer's preferred forensic investigator, if he believes that they were not the best fit for the restaurant? Would the attorney hesitate to advise the restaurant to issue a consumer notification, if the insurer is likely to object to incurring the cost of doing so?
B. Written Information Security Program
After a security breach occurs, customers, the media, regulators, and other interested parties routinely ask what measures the organization took to prevent the breach in the first place. In-house counsel should consider, therefore, whether your restaurant would be able to produce documents that demonstrate that it was attempting to secure the information. Many outside observers will expect that this includes, at a minimum, a written information security program or "WISP." Indeed, Rhode Island and Massachusetts require companies to implement and maintain WISPs if they own or license PII about a resident of those states. Such companies will want to carefully review the requirements of those laws when creating a WISP.
The format and contents of a WISP can greatly vary depending on a restaurant's operations. Nonetheless, there are areas of commonality. Although in-house counsel should be aware of regulations and standards that apply to the restaurant industry, at a minimum, the organization's WISP should include a description of the following:
The administrative safeguards that exist to keep sensitive personal information secure;
The technical safeguards that exist to keep sensitive personal information secure;
The physical safeguards that exist to keep sensitive personal information secure;
The process used by the restaurant to identify, on a periodic basis, internal and external risks to the information that it maintains;
The specific employee who is ultimately responsible for maintaining and implementing security policies;
The sensitive information maintained by the restaurant;
Bryan Cave LLP 2016 DC01DOCS\454232.1
Where and how sensitive information will be stored within the restaurant;
How sensitive information can be transported away from the restaurant;
Procedures that discuss the following:
o Username assignment
o Password assignment
o Encryption format
o Provisioning of user credentials
o De-provisioning of user credentials (e.g., for terminated employees)
o Employee training on security topics
o Destroying data
o Retaining service providers that will have access to data
Some organizations choose to draft their WISP based upon standards or formats created by third parties. Although there are many frameworks that can be looked to, some of the most popular frameworks are those published by the International Standards Organization ("ISO") or the National Institute for Standards and Technology ("NIST"). Other organizations retain third parties to certify that their WISP complies with these frameworks.
C. Incident Response Plan
In addition to the topics discussed above, consider including within the WISP an incident response plan. An incident response plan explains how a restaurant handles security events, security incidents, and security breaches. Among other things, the plan helps employees from different departments understand the role that they are expected to play when investigating a security incident and identifies other people within the restaurant with whom they should be coordinating. The plan can also help educate employees concerning what they should, and should not do when faced with a security incident and can provide them with a reference guide for resources that may help them effectively respond to an incident or breach.
Incident response plans take a variety of forms, and there is no mandated structure. The following topical recommendations, however, may help you draft an incident response plan or evaluate the thoroughness of one that already exists:
Definition of Security Event, Incident, and Breach. Consider explaining the difference between an event, incident, and breach so that those in the restaurant involved with incident response understand the distinction.
Security Event Escalation. By their very nature security events are relatively common occurrences. Only a small percentage of events will become incidents, and an even smaller percentage of events will ultimately become breaches. Nonetheless, it is important to explain the process under which an event should be escalated to an incident, or a breach, and the impact that such an escalation has on who within the restaurant needs to become involved in an investigation and how the investigation should be handled.
Bryan Cave LLP 2016 DC01DOCS\454232.1
Responsibilities For Conducting an Incident Investigation. The plan should explain who within the restaurant is responsible for investigating security incidents, to whom information should be reported, and who has the authority (and responsibility) to seek additional resources when needed. To the extent that one of the purposes for conducting an investigation is to provide in-house counsel with information needed to make legal recommendations, the plan should consider whether a restaurant desires the investigation to be conducted under the auspice of the attorney-client and attorney work product privileges. If so, the plan should make clear that the investigation is operating under the direction of counsel and the plan should provide instructions to the employees who may be collecting information concerning how to preserve privilege, including involving legal counsel in the investigation of certain types of security incidents.
Internal Contact Information. Many plans also include a quick reference guide naming the people within a restaurant who can help in the investigation of a security incident.
External Contact Information. Many plans include a quick reference guide naming the people outside of a restaurant who can help in the investigation of a security incident, which may include contacts with law enforcement (e.g., FBI and Secret Service), outside counsel, forensic investigators, call-center support, credit monitoring, public relations experts, etc. If the restaurant has a cyber-insurance policy, the approved vendors should be identified in the plan.
Recordkeeping. Plans typically explain the type of documents and records that should be kept concerning the investigation in order to permit in-house counsel to reconstruct when the restaurant knew certain pieces of information and when the restaurant took certain steps. Such reconstruction may be necessary in litigation or a regulatory investigation.
Post-Incident Reporting. Many plans discuss how the restaurant will take information learned during an incident and incorporate that back into the restaurant's security program. This might include "lessons-learned" from how an incident was handled or ways to prevent an incident from occurring again.
D. Contractual Obligations to Business Partners
In situations in which a security incident involves data that is wholly owned by the restaurant, there may be few, if any, obligations for the organization to notify business partners. Often, however, business partners may have an interest in the information impacted. For example, if an incident involves data of another entity for which your restaurant is performing services, you may have an obligation in your service agreement or under state data breach notification statutes to notify that entity of an actual (or suspected) security incident. The contractual requirement sometimes requires notifying the partner in a relatively short time frame (e.g., immediately or within 24 hours) when an incident is suspected. As another example, if an incident involves payment card information that you received from consumers, the agreement that you have with your payment processor or merchant bank may similarly require that you notify those entities or additional third parties (e.g., Visa, MasterCard, Discover, and American Express) of a potential security incident.
Bryan Cave LLP 2016 DC01DOCS\454232.1
An essential component to preparing for a security incident is understanding the contractual obligations that your restaurant may have to business partners or affiliates. Ideally those obligations--including the telephone numbers or addresses of business contacts--would be summarized in the incident response plan for easy access in the event of a breach.
As discussed above, the best way to investigate a security incident is to follow an incident response plan that was put in place before the incident occurred and that takes into consideration the specific needs and resources of an organization. If in-house counsel is evaluating an existing response plan, or if a restaurant does not have an incident response plan when an incident is identified, the steps that follow outline best practices that take into account possible legal requirements and obligations. Among other things, these include recommendations for investigating the incident, coordinating with data owners, communicating to the public or media, communicating with law enforcement, communicating with consumers, and communicating with regulators. This section also discusses the types of services that restaurants often offer to consumers whose information was involved in a data breach and unique issues that arise in the context of certain types of breaches.
A. Investigating a Security Incident
When deciding how to investigate a security incident, a restaurant should consider the following factors:
1. Include legal counsel at the inception of the investigation
Once a data breach has been discovered, the restaurant should notify its in-house legal counsel. That person can determine whether the involvement of outside legal counsel specializing in data breach response is necessary. If the restaurant does not have in-house legal counsel, then outside counsel should be consulted and retained as early as possible.
A primary benefit of involving counsel early in an investigation is to allow counsel to help decide whether the remainder of the investigation should be conducted under the cloak of attorney-client privilege. If counsel recommends that the investigation should be led by legal as the information obtained is necessary in order for counsel to provide the restaurant with legal advice, any employees that take part in the investigation should be instructed to copy counsel on all internal communications concerning the cause and the scope of the breach or, when speaking to others, to clearly indicate that they are collecting information at the behest of counsel. For example, if information needs to be requested from IT or HR by email, the subject line of the email should preferably read "Attorney Client Communication: Information Requested By Counsel" to make sure that anyone who reads the email at a later time understands the context in which it was sent, the purpose for which the information was being collected, and the fact that the communication may be privileged and exempt from disclosure outside of the restaurant.
Bryan Cave LLP 2016 DC01DOCS\454232.1
2. Form a core team of personnel to attend to the breach
Effectively investigating a security incident often requires a team of personnel. This may include representatives from IT/IS, legal/risk management, operations, marketing & communications, and human resources (if the breach involves employee misconduct or employees' personally identifiable information). Ideally, the team will have been identified and trained on data breach response prior to any incident. One person should be designated to keep a log or running chronology of the investigation to enable the restaurant to reconstruct, if needed at a later time, what information the organization knew at what time. Personnel should take extreme care when documenting the investigation to only include factual assertions about the breach and to avoid creating a factually inaccurate record or a record with opinions that may be based on preliminary information.
3. Contain the breach and preserve evidence
When dealing with an electronic breach, it is important to preserve all evidence and isolate the source of the breach. A restaurant's IT department should be advised to identify the source of the breach and isolate the compromised systems from the network. The restaurant should take care not to destroy or alter evidence and to continue monitoring the system (e.g., unplug the affected system; do not restart it or turn it off). If the restaurant's IT department has relatively little experience with investigating security incidents, do not necessarily assume that they will automatically preserve evidence or understand how evidence should be preserved. To the contrary, IT departments that have historically focused on business continuity or userexperience may inadvertently overlook the steps needed to preserve the chain-of-custody of evidence in an effort to try to remove suspected malware quickly or to restore the functionality of certain items. In-house counsel may need to explain, for example, the importance of forensically preserving evidence in order to further examine, at a later point, whether the incident was in fact a breach, and, if so, the extent of the breach. In some instances, in-house counsel may need to help IT understand what it means to forensically preserve evidence, and to evaluate whether IT's methods for copying and logging data would be defensible before a regulator or in court.
4. Retain a third-party forensic investigator
Many competent IT departments lack the expertise, hardware, software, or personnel to preserve evidence in a forensically sound manner or to thoroughly investigate a security incident. In such a situation, in-house counsel needs to be able to recognize the deficiency quickly--and before any evidence is lost or inadvertently destroyed--and recommend that the restaurant utilize external resources to help collect and preserve electronic evidence and investigate the incident.
When retaining a forensic investigator, in-house counsel should consider whether the investigator should be retained through in-house counsel or outside counsel to preserve the right to claim that the investigation and all notes related to it are protected by attorney/client privilege and the work product doctrine. Among other things, the investigator should be able to investigate the attack vector, decipher the scope of the breach--including what records were viewed or acquired and how many times the third party gained access to the system--and identify whether, and how, data left the restaurant's information technology environment. These functions are sometimes referred to within the data security community as identifying
Bryan Cave LLP 2016 DC01DOCS\454232.1
"infiltration," "aggregation," and "exfiltration." The investigator may also be able to help in-house counsel coordinate with law enforcement efforts to catch a perpetrator.
When retaining a forensic investigator, it is important to remember that they will be given access to your restaurant's networks and that there is a high likelihood that, if a breach occurred, they may gain access to sensitive personal information as part of their investigation. As a result, you should review the agreement between the investigator and your restaurant carefully to make sure that the investigator agrees to apply the security warranted for the type of information to which they may gain access, and provides appropriate indemnification for any data security lapses of its own. A best practice used by proactive restaurants is to identify and retain a forensic investigator before a breach occurs. Doing so will ensure that the restaurant will be able to negotiate favorable terms and conditions in the retainer agreement before a crisis situation destroys much of the restaurant's bargaining power.
5. Assign a Crisis Manager.
Incident response teams are usually comprised of personnel from a variety of backgrounds and representing a variety of internal resources and departments. Because the members of a response team rarely have the same reporting structure, confusion about who has authority to convene an investigation, assign projects, or retain needed resources can lead to inefficiencies.
A pre-designated crisis manager that reports directly to, and has authority conferred from, senior management often facilitates the most efficient response. This person should work closely with legal counsel to ensure attorney-client privilege is maintained.
B. Coordination with Data Owners
Restaurants are relying increasingly on vendor agreements to carry out various business operations. These agreements may authorize the restaurant or the vendor to have access to or possess sensitive information owned by the other entity. As discussed below, state data breach notification laws typically place the onus on the owner of data to notify affected persons when sensitive personal information is wrongfully accessed or acquired. For instance, a data storage vendor may possess a database that contains social security numbers, but the database may belong to the vendor's client. In many states, the vendor may not have an obligation to notify affected persons itself, but it most likely has a legal obligation to notify its client, who in turn will have an obligation to notify the affected persons.
As a result, when responding to a data breach, a restaurant should analyze whether the affected information was collected directly by it, or whether the data belongs to a third party. If the data belongs to a third party, the restaurant should consult its contracts with the data owner and applicable state data breach notification statutes to determine its notification obligations. In many instances, although the data owner technically has the legal obligation to notify affected persons, the data owner will look to the data user to make the notification or pay for the costs of notification.
C. Communication to the Public/Media
After a breach occurs, restaurants should consider a proactive and reactive public relations / media strategy.
Bryan Cave LLP 2016 DC01DOCS\454232.1
A proactive strategy assumes that the restaurant has control concerning when, and what, information will be conveyed to the public, to the media, and to the impacted consumers about the breach.
As discussed in Section E below, state and federal laws may require a restaurant to notify consumers and/or the media within a certain time period of discovering a breach. There may be significant advantages to notifying consumers as early as is practical for a restaurant. The sooner consumers are notified that sensitive personal information may have been exposed, the sooner they can take proactive steps to reduce the likelihood that they will become the victim of identity theft or other fraud. For example, an early informed consumer can request that the major credit reporting agencies put a freeze on their credit or change the passwords associated with financial accounts. If proactive measures prevent consumers from becoming victims of fraud, they also reduce the likelihood that the consumer will sue your restaurant for damages allegedly incurred by the breach. Early notification may also reduce the likelihood of allegations by regulators that the restaurant did not comply in a timely fashion with data breach notification laws.
While early notification can be beneficial to consumers and restaurants in some situations, premature notification in other situations can harm both consumer and restaurant. Data breach investigations, particularly those that involve the exposure of electronic records, can be extremely time consuming. It may take some time to identify the true scope of the breach to determine whether a breach, in fact, occurred, or to verify which individuals may have been impacted. It also takes time to create an accurate communication to individuals and to coordinate with third parties, such as a mailing house, or ID theft related service providers. A restaurant that notifies consumers before the investigation is complete risks providing inaccurate information concerning the scope and nature of a breach. Specifically, if the investigation is not complete, some consumers may be told that their information was exposed when the investigation ultimately reveals that not to be the case. These consumers may be subjected to unnecessary worry, cost, and inconvenience to try to mitigate harm that will never materialize. Conversely, other consumers may be told that their information was not exposed when the investigation ultimately reveals that it was. These consumers may be confused and may fail to take protective measures that would mitigate a heightened risk of identity theft. Clarifying initial inaccurate information provided by a restaurant can be both difficult and time consuming and can deflect the restaurant `s resources and attention from responding to the breach itself. In addition, confusion by consumers and efforts to clarify that confusion can significantly increase the risk of litigation, as some consumers may incorrectly believe that the restaurant provided erroneous information intentionally.
There may be an additional drawback to prematurely notifying consumers of a security breach. If an investigation has not determined how a third party obtained information, the identity of the third party, or whether the third party has misused the information, putting the culprit on notice that the restaurant is aware of the security breach may compromise the investigation, further threaten the restaurant's networks, cause the culprit to delete or remove evidence, or cause the culprit to exfiltrate information about additional consumers before the point of infiltration has been identified and remediated.
Once the restaurant has decided upon its proactive communications strategy, in-house counsel should work closely with the organization's communications resources concerning how that strategy will be implemented. Among other things the following communications channels should be considered:
Bryan Cave LLP 2016 DC01DOCS\454232.1
Traditional Media. The restaurant should consider whether to provide information print media, and television media. This may take the form of a crafted press release or direct communications to specific reporters.
Social Media. To the extent that your restaurant desires to disseminate information quickly, you should consider the potential risks and benefits of utilizing social media.
While it is important to consider the pros- and cons- of providing information to the public as part of a proactive media strategy, in many situations an organization does not control when the public becomes aware of a breach. For example, a restaurant may decide that it is in the best interest of consumers, and the public, to wait until its investigation is complete and the restaurant is in a position to provide accurate information. However, the media may learn about a breach from a business partner, a government agency, a consumer, or a disgruntled employee. When this occurs, you may see information concerning the breach disseminated in the media without the restaurant's knowledge or input or be asked by the media to comment about the breach. You should be prepared for this to occur. You should anticipate that in such a situation the media may report inaccurate information or may report speculation as `fact.' In-house counsel should be prepared to work closely with your restaurant's communications resources when determining how to respond to such reports. Among other things the following factors should be considered:
Difficulty Correcting The Record. Although a media report may be based upon speculation, if the restaurant's investigation has not concluded, it may be difficult for the restaurant to correct the record.
Difficulty Conveying The Tentative Nature of Early Information. If the restaurant makes a statement to the media based upon the limited information that is available, there is a strong risk that the media may characterize the statement as the "position" of the restaurant and not fully explain qualifications and limitations of that position.
Developments In Information May Be Interpreted As Intentional Withholding. As the investigation develops, the media may misinterpret additional information that is provided by the restaurant. The best case scenario may be that the media characterizes such information as a "revision" by the company. The worst case scenario may be that the media implies that the company should, or could, have disclosed the new information earlier.
New Headlines. Each time that a restaurant releases information to the media it is a potential opportunity for the media to create a new headline concerning a breach. Establishing a pattern of continuously updating the media may result in creating a constant stream of media attention concerning your restaurant.
D. Communication with Law Enforcement
Many security incidents involve a crime that has been committed, or is in the process of being committed, against a restaurant. For example, when someone attempts to hack into a restaurant's network to obtain sensitive personal information, they may be committing criminal trespass, theft, attempted identity theft, computer fraud, wiretapping, or economic espionage, among a host of other statutory violations. Where a crime is being committed against a restaurant, the restaurant should consider reporting it to law enforcement. Among other things, contacting law enforcement may result in assistance stopping the criminal behavior, useful
Bryan Cave LLP 2016 DC01DOCS\454232.1
information that may help the restaurant's investigation of the incident, or prosecution of the culprit. It may also help demonstrate to the public that the organization was diligent in investigating the incident and taking steps to protect consumers.
There is no single federal or state law enforcement agency with jurisdiction over data breaches. In general, however, in-house counsel should consider contacting the Federal Bureau of Investigation's Cybercrimes unit or the United States Secret Service with regard to a security incident that involves the electronic exfiltration of information. For security incidents that involve paper records or known individuals (e.g., employees or former employees), inhouse counsel might also consider contacting municipal law enforcement in the jurisdiction in which the individual resides or works.
When communicating with law enforcement, in-house counsel should be cognizant that information provided to law enforcement may lose the protection of the attorney-client privilege. Although recent legislation including the Cyber Security Act of 2015 is designed to help companies share information with the government without losing privilege protection, counsel should closely examine whether legislation will preserve the privilege if information is given to law enforcement. The applicability of such legislation typically depends upon the type of information shared, how the information will be used, and the law enforcement agency with which it will be shared.
E. Communication with Impacted Consumers
Although Congress has attempted to agree on federal data breach legislation, as of the publication date of this chapter, there is no national data breach notification law that applies to most companies. There are federal statutes that apply to financial institutions, health care providers, and vendors of health records. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam and the Virgin Islands, have each enacted their own statutes addressing a restaurant's notification obligations in the wake of a data breach involving certain types of personally identifiable information ("PII"). The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered by the data breach laws of other states.
Although the state data breach laws are not uniform, the laws are more similar than not. The following summarizes the key provisions of state data breach notification laws and highlights areas in which the state laws diverge. In the event of a breach involving records of consumers who live in multiple states, the laws of those states should be reviewed to ensure that the restaurant is complying with notification requirements.
1. Do the state laws apply to your restaurant?
As a general rule, if your restaurant maintains or transmits personally identifiable information belonging to citizens of a particular state, you should consult the data breach notification law of that state in the event of a breach. Some states maintain that "any entity" is subject to the data breach notification law, while other states limit applicability only to those entities that "conduct business in the state." Most of the statutes place the onus on the "owner or licensor" to ensure that affected consumers are notified, however, some states (e.g., Rhode Island and Wisconsin) place that obligation on organizations that simply "maintain" consumer information. As discussed below, even if the breached restaurant does not own or license the consumer information, most state laws will require that the restaurant timely notify the data owner of the breach so that they may fulfill their notification obligations.
Bryan Cave LLP 2016 DC01DOCS\454232.1
The notification laws typically apply only to consumers who are residents of the state in question. However, Hawaii, New Hampshire, and North Carolina's statutes do not contain this limitation and apply instead to "affected persons," while Texas's statute specifically applies to Texas residents and residents of other states. The language of these statutes could be argued to cover notification to residents of the three states that have not yet passed their own notification law--Alabama, New Mexico, and South Dakota.
2. What personally identifiable information triggers notification?
The statutes generally require notification in the event of breaches involving the following information: the consumer's name in combination with their social security number, driver's license number, account number and access code. Some states go even further and require notification in the event other types of information are accessed or acquired. For example, Iowa, Nebraska, North Carolina, Oregon, and Wisconsin all require notification if biometric data is breached. North Dakota requires notification if the consumer's date of birth or mother's maiden name are exposed, since this data is often associated with password recovery or identity verification on online accounts. Arkansas, Missouri, Puerto Rico, Montana, Nevada, Oregon, Rhode Island, and Texas require notification if certain medical or health information is at issue. Montana and Wyoming recently expanded their definitions to include taxpayer identification numbers.
California amended its statute in January 2014, and became the first state to require consumer notification in the event of a breach involving a username or email address in combination with a password or security question and answer that would permit access to an online account. However, California permits notification to be electronic for such breaches only. The electronic notification should direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer. Other states, such as Florida, Wyoming, Rhode Island, Nevada, and Illinois have enacted similar changes to their data breach notification statutes.
The state statutes provide that breach of personal information that is publically available does not give rise to a notification requirement. Similarly, the breach of personal information that is encrypted generally does not give rise to notification obligations, because data is assumed to be sufficiently protected from disclosure if accessed in its encrypted form. At least one state Tennessee no longer assumes, however, that encryption always protects information.
Because not every breach of personal information is likely to lead to a risk of harm to the affected person, many states have included a materiality threshold that limits notification only in cases where the breach "compromises confidentiality, integrity, or security." A handful of states do not contain any such limitation, however, and appear to require notification in the event of any breach, regardless of the risk of harm flowing from the breach.
Bryan Cave LLP 2016 DC01DOCS\454232.1
3. How quickly must the restaurant notify affected consumers?
Most of the state statutes do not strictly define the timing in which notification must occur. Only a few states prescribe specific deadlines (e.g., Wisconsin (45 days), and Florida (30 days)). Generally, the notification must occur in the "most expedient time possible and without unreasonable delay." How this language is interpreted may vary, but as a general rule the restaurant should endeavor to notify affected consumers within 30-45 days. The triggering point is generally the date on which the restaurant determined it had a breach or had a reason to believe a breach may have occurred. All states will permit the restaurant to delay notification if law enforcement determines that notice to individuals would interfere with a criminal investigation. If your restaurant intends to delay notification based upon a request by law enforcement, consider obtaining written confirmation of that request to explain any delay at a later time.
4. What information does the consumer notice have to include?
Many state laws do not provide any instruction or requirements concerning the content of a notification, leaving the content to the discretion of the restaurant. Other states mandate that some or all of the following information be included in the notification letters: (1) a description of the breach; (2) the approximate date of the breach; (3) the type of personal information obtained; (4) contact information for the credit reporting agencies or government agencies; (5) advice to the consumer to report suspected identity theft to law enforcement and/or a reminder to be vigilant about identity theft; and (6) a toll-free number provided by the reporting organization where consumers can call with questions about the breach. However, because there are many deviations from what the states require, each individual statute should be examined in connection with reporting a breach.
Massachusetts's statute contains a significant departure from the other states in that it prohibits a restaurant from identifying the nature of the breach. Thus, in a nationwide breach, in-house counsel should consider whether Massachusetts residents should receive a slightly modified notification letter compared to the one sent to residents of other states. In addition, Massachusetts and Illinois both prohibit companies from providing in the notice the number of those states' residents impacted by the breach.
5. How must a restaurant notify affected consumers?
The majority of states require that consumers be notified in writing. E-mail notice can provide substantial costs savings over mailing written notice, but notification through e-mail is only permitted in approximately one-third of the states and in those states there are restrictions on when e-mail notice is permissible. For example, many states require that the consumer either have consented to receive electronic notices, or that the primary method of communicating with the consumer has been through e-mail, such that the consumer would not be surprised by receiving e-mail notification. Additional states permit e-mail notification if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. 7001, the federal ESIGN Act.
If your restaurant is considering an electronic notice, you should consider the risk that third parties may attempt to create fake electronic messages that appear to originate from your
Bryan Cave LLP 2016 DC01DOCS\454232.1
restaurant (a practice called "spoofing"). These messages can further victimize consumers by having them provide additional personal information (a practice called "phishing"). For example, instances have been reported where individuals send fake notification letters that ask consumers to click on a link that, in turn, downloads malware onto the consumer's computer, or to send personally identifiable information to a service allegedly providing credit monitoring. As a result of these risks, some companies have chosen not to send electronic messages concerning a security breach. Or, some companies make clear in the electronic messages that they do send that the company will never request that consumers transmit additional personally identifiable information over email or click on a link to obtain credit monitoring. In other situations, companies have determined that the risk of phishing in their industry is low and have opted (where permitted) to notify consumers by email.
Most states will permit "substitute notification," which is typically some combination of email, posting information about the breach on the restaurant's website, and/or notifying the media. However, the circumstances under which such notice is permitted vary widely. Substitute notice generally is permitted only when the notification costs are great and/or the number of persons to be notified is large. For example, Arizona permits substitute notification if the notification cost exceeds $50,000, or the class of persons exceeds 100,000, or if the restaurant has insufficient contact information for affected consumers. New Jersey (and many other states) will not permit substitute notice unless the cost exceeds $250,000, or the class exceeds 500,000, or if the restaurant has insufficient contact information for affected consumers.
Many states permit a restaurant to create its own notification procedures for the treatment of sensitive personal information if its information security policy complies with the timing requirements under the state law. If notification is done in accordance with the restaurant's policy, the restaurant is considered to have complied with the state law.
6. Should a restaurant ever voluntarily notify consumers of a breach?
In many instances involving a data breach, notice will not be required by any state or federal laws. However, there are many situations in which a restaurant may choose to voluntarily notify consumers. For example, although California and Florida currently are some of the few states in which notification is required for a breach of electronic account user names/email addresses and passwords, if such a breach also involved consumers in other states, the restaurant may want to notify all affected persons for consistency.
In addition, as addressed above, breaches often become public through other means (e.g., internet blogs, the media). Self-notifying, even when such notification is not legally required, may help the restaurant frame the message before the message is framed for it by a third party. Although the restaurant may face initial criticism for its data security practices, consumers may ultimately appreciate a restaurant's candor in connection with a breach.
7. Is notification required to any other parties?
Various state statutes also require third-party notification. Some states will require the restaurant to notify the three major credit reporting agencies in the event of a breach involving a minimum number of affected persons (typically, at least 1,000). The statutes with such a requirement generally do not set forth what information should be provided to the credit
Bryan Cave LLP 2016 DC01DOCS\454232.1
reporting agencies other than the timing, distribution, and content of the notices that the restaurant intends to send to consumers.
In addition, if the restaurant is not the data "owner," as defined by the various statutes (typically, an organization that maintains or stores, but does not own or license, personal information), then the statutes will require the restaurant to notify the data owner of the breach "immediately" or "as soon as possible" of the breach. The obligations would then fall to the data owner to comply with the consumer notification requirements of the various statutes.
In addition, about one-third of the states have a requirement that the state government (usually the Attorney General's office) should be notified of a breach under certain circumstances. Of those states, most require notification in the event of a breach involving any number of persons, while others require that the breach impact a minimum number of residents before state government notification is necessary. For example, New York requires government notification in a breach involving any number, while Hawaii, Missouri, and South Carolina only require state government notification if the breach involves at least 1,000 residents.
For states requiring government notification, the statutes again vary on what information is required to be reported. Most states will require that the reporting restaurant provide a copy of the consumer breach notification letter, identify the number of residents notified, and the timing of the notification. At least Indiana, North Carolina, and New York all have forms prepared by the state for use in connection with government notice of a breach, and these forms are available online. In the event of a multi-state breach, each statute should be carefully examined to ensure full compliance.
8. What types of services should the restaurant offer to affected consumers?
One state Connecticut requires that a company provide ID theft related services if a breach involves social security numbers. Other data breach notification statutes do not require that a restaurant offer any services to consumers whose information was involved in a breach. Nonetheless, restaurants typically consider whether to offer ID theft-related services (i.e., monitoring a consumer's credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). For those restaurants who choose to offer one or more ID theft-related services, they are also faced with the question of how long to offer each of the services; durations typically range from one year to three years. In September 2014, California amended its personal information privacy law to require that businesses who choose to provide identity theft prevention and mitigation services do so for 12 months at no cost to the affected persons. California is the first state to have such a requirement, and it is likely that other states may follow in its footsteps.
There are several factors to consider when choosing what (if any) services to offer consumers. In terms of mitigating potential harm, credit monitoring (and to a lesser extent identity restoration services and identity theft insurance) is focused on the prospect that a third party might open a financial account in a consumer's name. Not all breaches involve data that would permit a third party to open a financial account, however. For example, while a breach that involved a consumer's name and credit card number could theoretically lead to unauthorized charges placed on the credit account, name and credit card number alone are
Bryan Cave LLP 2016 DC01DOCS\454232.1
insufficient to attempt to open a new financial account, and charges on an existing account are unlikely to be spotted by credit monitoring.
Although credit monitoring may not be connected to the risks intendant in many breaches, a restaurant should consider whether a failure to offer the service--even if unconnected to the breach--could be misunderstood by consumers and regulators as a failure by the company to adequately protect consumers.
If your restaurant chooses to offer credit monitoring, identity restoration services, and/or ID theft insurance, in-house counsel should carefully consider the vendors that are selected to provide the services and the contractual limitations on those vendors. Specifically, vendors (and by association the breached organizations which retained the vendors) have been criticized for the following:
Requiring consumers to submit sensitive personal information to the vender in order to enroll in the offered service(s);
Attempting to "upsell" consumers on additional protection services that are offered by the vendor, but that are not covered by the restaurant;
Deceptively advertising or describing the credit monitoring, identity restoration, or ID theft insurance services or products;
Applying inadequate security to protect the information of consumers who enroll in the credit monitoring, identity restoration, or ID theft insurance products.
F. Unique Issues Relating To Payment Card Breaches
Additional considerations should be analyzed when the restaurant is affected by a breach involving payment card information (e.g., debit or credit cards). This analysis is especially important for restaurants. According to one study, 100% of data compromises in 2015 impacting the Food and Beverage industry targeted card track (magnetic stripe) data.13 If your restaurant accepts payment cards, and card information is the subject of a data breach, you may have additional obligations to notify your payment processor, merchant bank, and/or the payment card brands.
Visa and MasterCard cards are processed through a four-party system. Visa and MasterCard enter into licensing arrangements with various financial institutions called "issuing banks" that issue payment cards to cardholders. The issuing bank collects payment from the cardholders through their monthly payment card statements or via withdrawal from their bank account where debit cards are used. Retailers or merchants who accept Visa or MasterCard contract with other financial institutions called "merchant banks." Merchant banks and retailers in turn typically enter into contracts with payment card processors to process the card transaction and collect payment from a cardholder's issuing bank.
In the four-party system, the merchant banks have contracts with Visa or Mastercard and agree to follow Payment Card Industry Data Security Standards (PCI DSS). A merchant bank will typically have a separate contract with a merchant (directly or through a payment processor)
13Trustwave Holdings, Inc., Trustwave Global Security Report (2016) available at https://www2.trustwave.com/GSR2016.html.
Bryan Cave LLP 2016 DC01DOCS\454232.1
that, in turn, requires the merchant to indemnify the merchant bank if there is a data breach and Visa or Mastercard imposes a liability assessment upon the bank or processor. Accordingly, a restaurant impacted by a payment card breach usually is required to notify its merchant bank or payment processor within 24 hours of discovering the breach. The merchant bank is then required to notify Visa or Mastercard.
The Payment Card Industry has set forth a specific set of guidelines that are often incorporated in the various payment card contracts and must be followed in the event of a suspected incident involving payment card data. A restaurant should review both its contracts with the merchant bank or payment processor and the PCI rules on breach notification to ensure compliance. The PCI rules may require that the merchant retain, at its own cost, a PCI certified forensic investigator to investigate the breach and determine whether the merchant's security systems were in compliance with PCI requirements. A restaurant may wish to retain, through its legal counsel, a private forensic investigator to do its own investigation, since the PCI investigator is required to report its findings to the payment card brands.
Discover and American Express transactions are processed through a three-party system. Discover and American Express typically contract directly with a merchant who accepts those cards. In the event of a breach involving those brands, the merchant should consult its contracts with Discover and American Express and any regulations issued by those brands and follow all notification requirements. Generally, notification is required to be made to the brands immediately or within 24 hours.
Merchants should be advised that the brands may request or require prior review of any breach notification letters that will be sent to affected consumers.
G. Unique Issues Relating To Health Information
Although restaurants do not receive health related information from consumers, if the restaurant has a self-funded health insurance plan that it offers to its employees the information collected as part of administering that plan may be subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the event of a breach. Although HIPAA is a federal law, it does not preempt state laws that provide even greater protection of patient information, so state laws may still need to be examined in the event of a breach involving protected health information (PHI).
PHI is defined as any individually identifiable health information that is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is related or received by a covered entity or any employer; and relates to a past, present or future physical or mental condition, provision of health care of payment for health care to that individual.
Entities that are directly covered under HIPAA include healthcare providers (e.g., doctors or hospitals) that conduct certain transactions in electronic form, health plans (e.g., health insurance companies), and healthcare clearinghouses (e.g., third-party organizations that host, handle, or process medical information). HIPAA also creates obligations for "business associates." A business associate is any person or organization, other than a member of a covered entity's workforce, that performs services or activities for, or on behalf of, a covered entity if such services or activities involve the use or disclosure of PHI. For example, business associates can include third-party claims administrators, billing agents, consultants, attorneys, or accountants who provides services for a covered entity that involves access to PHI, or a
Bryan Cave LLP 2016 DC01DOCS\454232.1
medical record transcriptionist. HIPAA requires that the covered entity contractually require the business associate to comply with the privacy and security rules under HIPAA.
The HIPAA Breach Notification Rule14 requires covered entities to provide notification of a breach involving PHI to affected individuals, the Secretary of the United States Department of Health and Human Services, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. The timing of the notification to the Secretary depends on the number of persons affected by the breach. If the breach involves 500 or more persons, then the Secretary must be notified without unreasonable delay. For fewer than 500 persons, notification may be made on an annual basis.
Covered entities are also required to have in place written policies and procedures regarding breach notification, to train employees on these policies and procedures, and to develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Planning for how your restaurant will respond to a security breach is essential--it is not a matter of if one will occur, but when. As the data security laws are evolving and changing almost as quickly as the threats to a restaurant's data, in-house counsel plays a vital role in helping a restaurant respond quickly and efficiently when a breach occurs.
Bryan Cave LLP
Bryan Cave LLP is a global law firm with approximately 1,000 highly skilled lawyers in 27 offices in North America, Europe and Asia. The firm represents publicly held multinational corporations, large and mid-sized privately held companies, emerging companies, nonprofit and community organizations, government entities, and individuals. With a foundation based on enduring client relationships, deep and diverse legal experience, industry-shaping innovation and a collaborative culture, Bryan Cave's transaction, litigation and regulatory practice serves clients in key business and financial markets.
Bryan Cave LLP 2016 DC01DOCS\454232.1
BRYAN CAVE LLP ATLANTA BOULDER CHARLOTTE CHICAGO COLORADO SPRINGS DALLAS DENVER FRANKFURT HAMBURG HONG KONG IRVINE JEFFERSON CITY KANSAS CITY LONDON LOS ANGELES MIAMI NEW YORK PARIS PHOENIX
SAN FRANCISCO SHANGHAI SINGAPORE ST. LOUIS WASHINGTON MILAN, Affiliated Firm