There are four words no executive wants to hear from their IT team: "There's been a breach." Your mind starts racing. You have a thousand questions, but your team has few answers. They're too busy scrambling to shut down systems and figure out the extent of the data breach.
We all understand how critical those early minutes are from a technical perspective, but few recognize their relevance from a legal and regulatory perspective. I spoke to Jennifer Reuhr, Adobe's legal counsel on privacy and security, and she helped shed some light on the matter for entrepreneurs and small business owners everywhere.
To understand your legal exposure, Reuhr says, start by asking these four questions:
1. What information was impacted?
It's important to understand whether the breach included any personally identifiable information (PII). Regulators hold you to a much higher standard if that data includes things like email addresses, phone numbers, or health information.
If such information was included, Reuhr recommends assembling a team of "internal and external parties such as forensic investigators, outside counsel, and your insurer."
"It could be a good idea to bring in some internal parties right away, like customer care and communications even if legal obligations for notifications are still being reviewed. You'll want the input and experience of teams who understand the customer's perspective in addition to determining the legal obligation."
2. How many customers were impacted?
The number of customers impacted will inform both your communication and legal strategy.
"Most regulations don't have [minimum] threshold of impacted users to notify individuals," says Reuhr. But the smaller the number, the more you can focus on direct communication with customers.
As the number increases, you may also need to anticipate class action lawsuits, unwanted press coverage, and damage to your brand's reputation.
3. What geographies were impacted?
"The triggers for who needs to be notified and when will differ based on where the individual resides," says Reuhr. There are 49 different regulators in the United States alone that each govern different jurisdictions. If any European Union citizens were impacted, there's even more red tape for you to navigate.
"In Europe, the definition of what is personal data is pretty expansive, whereas in the U.S., most state and federal laws are sector specific or focused on sensitivity of the data (e.g. financial, health, national ID)," Reuhr adds.
Each regulator has different timelines for breach notifications and the clock is ticking. You need to quickly identify which are relevant so that your lawyers can contact the appropriate regulators.
4. Do we have logs?
For anyone unfamiliar with the term, logs are a historical record of actions taken on a database or server. Think of them as an audit trail to understand who did what, when, and where. They are essential to help your technical team understand the scope and source of the damage, but they also play a regulatory role.
Where a regulator has jurisdiction over the breach, it may require evidence that your team followed any defined policies and procedures. That means you'll need logs to demonstrate what monitoring was in place and how your team responded.
If any of your contracts include Service Level Agreements (SLAs) that commit to providing clients with privacy protections, you may also need those logs to demonstrate to clients that you have fulfilled your contractual obligations.
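As an added illustration (not code from the article or from Adobe) of why logs are what lets a team answer the first three questions quickly, the script below reads constructed JSON audit-log lines from a hypothetical customer-data service and produces a triage summary: which personal-data fields were touched, how many distinct customers, which regions they live in, and the window of suspect activity. The log format, field names, suspect actor and the small EU region set are all assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample: one JSON line per record read, as a hypothetical
# customer-data service might write to its audit log.
SAMPLE_LOG = """
{"ts":"2024-03-02T01:14:09Z","actor":"svc-export","src":"203.0.113.9","customer_id":"c-1001","fields":["email","phone"],"region":"US-CA"}
{"ts":"2024-03-02T01:14:11Z","actor":"svc-export","src":"203.0.113.9","customer_id":"c-1002","fields":["email"],"region":"US-NY"}
{"ts":"2024-03-02T01:14:12Z","actor":"svc-export","src":"203.0.113.9","customer_id":"c-1003","fields":["email","health_notes"],"region":"DE"}
{"ts":"2024-03-02T01:14:13Z","actor":"svc-export","src":"203.0.113.9","customer_id":"c-1001","fields":["email"],"region":"US-CA"}
{"ts":"2024-03-02T01:20:00Z","actor":"alice","src":"10.0.0.5","customer_id":"c-2001","fields":["email"],"region":"US-CA"}
"""

# Assumed classification: which fields count as personal data, and the subset
# (health, national ID) that raises the regulatory bar the article describes.
PII_FIELDS = {"email", "phone", "health_notes", "national_id"}
SENSITIVE_FIELDS = {"health_notes", "national_id"}
EU_REGIONS = {"DE", "FR", "IE", "NL"}  # illustrative subset, not a full list

def triage(log_text, suspect_actor, suspect_src):
    """Summarise the article's first three questions from the log lines
    attributable to the suspect actor/source. Counts are distinct customers."""
    customers, fields, regions = set(), set(), Counter()
    first = last = None
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["actor"] != suspect_actor or ev["src"] != suspect_src:
            continue  # unrelated, legitimate traffic stays out of the scope
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        if ev["customer_id"] not in customers:
            customers.add(ev["customer_id"])
            regions[ev["region"]] += 1  # count each customer's region once
        fields.update(ev["fields"])
    return {
        "pii_fields": sorted(fields & PII_FIELDS),
        "sensitive_fields": sorted(fields & SENSITIVE_FIELDS),
        "customers_impacted": len(customers),
        "customers_by_region": dict(regions),
        "eu_residents": any(r in EU_REGIONS for r in regions),
        "first_event": first.isoformat() if first else None,
        "last_event": last.isoformat() if last else None,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, "svc-export", "203.0.113.9"), indent=2))
```

Without the actor, source, customer and field detail in each line, none of these answers can be derived after the fact, which is the monitoring gap the article warns about.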
Make sure that your IT, engineering, and security teams are familiar with these questions in advance. You do not want them to waste valuable hours trying to track down answers during a breach only to discover that they do not have sufficient monitoring in place.
Invest the time to develop a common vocabulary, set expectations and define a formal response plan that assigns roles and responsibilities before an incident ever occurs so that no one is surprised to hear these questions during the stressful aftermath of a data breach.
That shared understanding can help everyone involved establish priorities and focus in what can otherwise be a pretty chaotic time. It will also ensure that your team has put in place the monitoring necessary to answer these questions.