Welcome to the data breach parade. In December, Target Corp. announced a massive breach, followed by Snapchat Inc. and Neiman Marcus Group Inc. Then arts and crafts retailer The Michaels Cos. Inc. warned of a possible breach, followed by Coca-Cola Co. and Yahoo Inc.
Each of these actual and potential breaches confronted the organizations with the same challenge: when to notify regulatory authorities and everyone whose identifiable information may have been compromised about the breach. This challenge came into sharp focus when Target was criticized in some quarters for revising the scope of its breach from 40 million customers to as many as 110 million customers two weeks after the initial announcement on Dec. 19.
Did Target jump the gun on its initial reports of the breach, which occurred from Nov. 27 through mid-December? Legal and insurance experts agree the giant retailer should not be faulted for upping the estimate, although they say revisions should be avoided given the impact on an organization's reputation.
“When exactly to make the announcement of a breach is a very tough decision to make,” said Tom Srail, Cleveland-based senior vice president of FINEX North America at Willis North America Inc.
“There's a natural tension between the CEO wanting to do the right thing and get the word out fast, and the forensics investigators and legal counsel advising patience,” Mr. Srail said.
The key, he said, is to find the middle ground.
“Forty-six states have data breach notification laws on the books, but they differ insofar as fines, sanctions and when to report and notify,” said Collin Hite, partner and practice leader of the insurance recovery group with Richmond, Va.-based law firm Hirschler Fleischer.
These differences can be significant. “Some states require notification within 30 days following the determination of a breach, although Florida, for instance, requires notification within 45 days,” said Joe DePaul, managing director of cyber risk services with Arthur J. Gallagher Risk Management Services Inc. in Itasca, Ill. “New Jersey, on the other hand, mandates notification in the most expedient time possible, which at times can become debatable.”
Federal laws such as the Health Insurance Portability and Accountability Act complicate the decision by requiring notification within 60 days, he said.
“Generally speaking, reasonably expeditious notice should be sent between 10 and 30 days after the discovery of the breach,” said Wendee M. Hilderbrand, a member of Bass, Berry & Sims P.L.C., a Nashville, Tenn.-based law firm. “Always, you want to assure you have taken into account the time it takes to promptly investigate the scope of the breach — which individuals and what information were affected.”
Taking a reasonable amount of time to fully investigate the matter limits the possibility of having to restate the scope of the breach.
“The cardinal sin all companies should avoid is having to renotify or communicate more than once to the victims about the breach of their personally identifiable information,” said David Katz, partner and head of the privacy and information security practice at Atlanta-based law firm Nelson Mullins Riley & Scarborough L.L.P. “It has the effect of creating undue stress, which can reverberate in lingering trust, brand and reputation problems.”
Choose the state “with the most onerous guidelines and use that as a baseline,” Mr. Hite said. By complying with the most rigorous laws, companies are protected from criticism claiming they should have notified victims earlier, he said.
Mr. Katz agreed.
“There are states like Massachusetts, Virginia and North Carolina that are more apt to investigate a company post-breach if they feel you did not handle the forensics appropriately or your privacy and security controls appear to have been lax,” he said. “There is a greater chance such states will ask the company for more details, and potentially fine it or put it under consent order.”
Honest and transparent communications are a best practice with regard to the mandated notification of victims, experts say. Since people have different levels of comprehension when it comes to understanding technology and finance, the notification needs to take these disparities into account.
“Companies must balance accuracy and completeness with a person's ability to understand what you're saying,” Mr. Srail said.
The experts concurred that written notices by mail are most appropriate, and many states require notification by mail.
Much thought must be given to the actual content of the letter. “I've seen examples of notification letters that were confusing and too impersonal,” Mr. Katz said. “Remember, this is the first opportunity to repair the relationship that occurs when the breach of trust occurs. Companies must take full responsibility for the problem.”
Mr. DePaul shared this view.
“You want to provide an understanding of the facts, how the breach occurred, and what is being provided to the affected individuals, such as credit monitoring,” he said.
Both agreed that the notification should also provide assurances that the problem won't recur.
“The letter should clearly state what the entity has done to stop and mitigate future events,” Mr. DePaul said.
On the bright side, Ms. Hilderbrand said, “the incident will likely pass with minimal expense and virtually no reputation damage” if companies act promptly and reasonably to fulfill the legal requirements and offer customers prompt notice with identity theft protection.