
Quick action on data losses not always the right move

Early client notifications can cause problems


Companies experiencing data breaches face difficult decisions as to when to let their clients know about the problem.

While breach notification laws in 46 states set deadlines for the latest point by which clients must be informed, the question of how soon they should be told remains open. An initial estimate of affected records that is too low can force subsequent notices to additional clients, which can hurt a firm's reputation. An estimate that is too high can needlessly worry clients whose information was not compromised. Notifications can also generate significant expenses.

There are steps companies can take to help minimize the problem, though, including establishing an incident response plan that lets them spring quickly into action whenever a problem emerges (see related story).

Meanwhile, many observers say a federal data breach notification law would simplify the entire notification process and be welcome, assuming such a law pre-empts state laws (see story, page 22).

“Companies are now struggling” with the question of whether, when and how to notify, said Joe DePaul, New York-based senior vp for Arthur J. Gallagher Risk Management Services Inc.

“It's a subject of a lot of conversations within the industry,” said John Doernberg, vp at William Gallagher Associates Insurance Brokers Inc. in Boston. There is a tension between the desire to quickly notify people about a breach so they can take action, as well as to abide by regulations, “and the need to conduct a sufficient and adequate forensics investigation to really determine what data was compromised, so you know who really needs to be notified,” he said.

Working with law enforcement also can be among the factors that “are in the mix in figuring out what's the right time to go public with this,” said Mr. Doernberg.

Telling clients too early is a potential problem, say experts. Alan E. Brill, senior managing director for the computer forensics and secure information services practice of New York-based Kroll Inc., said, “We see very often companies don't take advantage of the time that's available in all the laws to actually investigate and determine what happened.

“There's often a rush to notify without really understanding what happened,” in which case “you're running a significant risk of either notifying the wrong people, too many or not enough, or in fact responding to an event that may never have happened, because there's a difference between thinking something happened and knowing something happened.”

In one case, he said, a company believed that a stolen laptop held consumer data on 500,000 individuals and that it was required to report the theft. But an investigation revealed the data had never been downloaded onto the laptop before it was stolen. In another case, a firm initially thought 360,000 credit card records were compromised, when in fact malware had obtained only a small portion of that total.

Lori S. Nugent, a partner with law firm Wilson Elser Moskowitz Edelman & Dicker L.L.P. in Chicago, said, “It is important to provide notification quickly and reasonably. That doesn't mean that the notice has to be provided the second someone knows that a situation has happened,” she said. “Sometimes, providing notice before there's a clear understanding from a forensics level of what happened actually results in notification being provided to people that aren't exposed, which unnecessarily causes upset.”

Experts say another problem with hasty notification is that firms are forced to send out subsequent notices as they discover additional data breach victims. That can be like “death by a thousand cuts,” said Mr. Brill. “You really start to look like you don't know what's going on.”

Another factor is cost. “People tend to over-notify when they act precipitously,” Mr. Doernberg said. “Studies have shown an almost universal relationship between the speed with which a company notifies the affected individuals and the cost of notification,” because often “forensic investigation reveals that much less information was actually affected by the breach,” he said.

Observers note that according to a study by Traverse City, Mich.-based Ponemon Institute L.L.C., the total cost of a data breach is $214 per compromised record, although that includes expenses such as credit card monitoring, forensic investigations, legal costs and revenue loss costs.

Richard J. Bortnick, a member of Cozen O'Connor P.C. in West Conshohocken, Pa., said if there is a statutory requirement to make a notification, most insurers will cover it under their policies, although not if the notification is voluntary.

There also is the danger of providing the information too late. Particularly onerous, say observers, are states including Connecticut and Massachusetts that have five-day reporting requirements. California has a five-day reporting requirement on health care-related breaches. It is “pretty hard to get your hands around” the issue during that period of time, said John F. Mullen Sr., an attorney with Nelson Levine de Luca & Horst L.L.C. in Blue Bell, Pa.

Ms. Nugent said, “A lot of the regulators have the view that all breaches are the same, that there should be a time period within which certainly anybody should be able to provide notification, but the reality is that every breach is different, and some are much more complicated than others. And so what may sound reasonable from a regulatory or legislative standpoint may not work very well in the real world.”

“It's the proverbial ‘it depends,'” said Laurie Schwarz, senior vp for Lockton Cos. L.L.C.'s global technology and privacy practice in San Francisco. Factors including the size of the company, its industry and the type of event that occurred can affect the process, she said.

Meanwhile, Eric Goldman, director of the High Tech Law Institute at Santa Clara University in Santa Clara, Calif., questioned the value of data breach notifications altogether.

There is “rarely anything viable consumers can do in response to the notification,” he said. “It just increases their angst without improving their lives.”