A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior management. The organization’s attorneys may review the incident from a legal risk perspective and engage experienced outside counsel and forensics firms to better assess how the organization should respond to the incident in light of its legal and contractual obligations. The communications and customer service teams may need to respond to customer inquiries about system performance and strange system behavior, while IT personnel are following emergency protocols to attempt to strengthen system security and investigate the incident. In addition, the communications team may be involved in any required data breach notifications. Finally, senior management will need to analyze technical details and legal advice to make organizational decisions that may significantly affect the organization’s customers, reputation, and bottom line.
Organizations may be unaware that state breach notification statutes create time pressure following the discovery of an incident. Virtually every state in the United States has a breach notification statute. Such statutes define the term “breach” and specify who should be notified in the event of a breach, when such notifications should be made, and what details must be included in the notifications. Typically, state regulators and/or affected individuals have the ability to sue organizations that fail to comply with the statutes.
Most state statutes require organizations to notify affected individuals and, in some cases, state regulators in the “most expedient time possible” and “without unreasonable delay” after becoming aware of a breach. However, several states have prescribed specific timing requirements, including Florida, Ohio, and Wisconsin (notice to affected individuals within 45 days),1 as well as Vermont (notice to the state attorney general within 14 days and affected individuals within 45 days).2
Until recently, organizations victimized by an incident have not faced much litigation asserting claims based on notification delays. Instead, regulators and affected individuals have focused on the effects of the breaches themselves. However, given the lack of success that plaintiffs have had in data breach lawsuits to date, plaintiffs may begin adding the theory of notification delay to class actions more frequently. State regulators also may enforce their statutes more aggressively. Three recent cases demonstrate that organizations should be aware of their breach notification requirements—particularly the timing requirements—and be prepared to comply with them.
Notification Delay Lawsuits
Barnes & Noble (B&N)
A group of criminals stole customer credit and debit card information from sixty-three B&N stores across nine states. The criminals tampered with card readers located at the stores to capture the information. Six weeks after discovering the malicious activity, B&N announced the breach to the media and posted a notice on its website. B&N allegedly did not notify any of the affected customers directly, because it did not know which customers were affected. Customers brought a class action against B&N asserting several claims based on a failure to properly safeguard credit and debit card information. They also claimed that B&N violated Illinois’s breach notification statute due to its “untimely and inadequate notification of the security breach[.]”3
The court dismissed the customers’ claims regarding notification delays, as well as all of their other claims. First, the customers claimed that the delay or inadequacy of the notification increased their risk of identity theft or fraud. The court rejected this argument, relying on a recent Supreme Court case holding that for plaintiffs to have standing to bring a claim, they must have been actually harmed or “a threatened injury must be certainly impending.”4 The court held that “merely alleging injury from an increased risk of identity theft or fraud is insufficient to establish standing,”5 because the injury was not certainly impending.
Second, the customers claimed that a violation of the Illinois breach notification statute by itself constituted actual injury sufficient to convey standing. The customers argued that B&N violated the statute through its failure to provide direct notice. The court rejected this argument due to the clear language in the statute. The Illinois breach notification statute states that “any person who suffers actual damages as a result of a violation” may sue under the statute.6 Moreover, a violation of a statute alone, without an injury, generally is insufficient to confer standing.7 The court concluded that the customers failed to allege actual damages, so they could not bring a claim under the statute.
After rejecting all the other claims, the court dismissed the lawsuit.8 B&N allegedly did not provide direct notice to individuals following a data breach. Yet, potentially affected individuals were unable to successfully sue B&N for any violations of the Illinois breach notification statute.
Natural Provisions
Natural Provisions, a small health food store in Vermont, faced an investigation by state regulators after criminals stole customer credit card information from the company. After the police department notified Natural Provisions of the possible breach, the company allegedly did not take any action to fix the vulnerability for more than a month. The store also allegedly did not notify its customers or the Vermont attorney general within 45 days of the breach’s discovery.
The Vermont attorney general concluded that these actions violated Vermont’s breach notification statute, which requires notifying affected individuals within 45 days and notifying the Vermont attorney general within 14 days of the discovery of a breach.9 State regulators may not face the same standing requirements as plaintiffs in class actions, so their investigations and lawsuits seem to be more effective at present. Natural Provisions reached a settlement with the Vermont attorney general under which it agreed to pay a civil penalty, implement and maintain a comprehensive information security program, and implement specific data security safeguards.10 In this case, a company’s failure to comply with the breach notification statute resulted in successful government enforcement.
Citibank
Citibank recently reached settlements with attorneys general from California and Connecticut due to delayed breach notification. Citibank’s online banking system had a vulnerability that allowed criminals to access account information for more than 360,000 customers. Citibank allegedly knew about the vulnerability and failed to patch it for almost three years, and allegedly did not finish notifying affected consumers until 32 days after discovering the breach. The Connecticut attorney general determined that the timing of the notice was not without “unreasonable delay,” as required by Connecticut’s breach notification statute.11 Likewise, the California attorney general concluded that Citibank “failed to expediently notify its California resident customers.”12 In both settlements, Citibank agreed to pay a civil penalty and provide free credit monitoring services to the affected residents.
Data Breach Response
The above cases demonstrate that state regulators and affected individuals are becoming more aggressive in ensuring that organizations provide breach notifications in a timely manner and within any legally mandated timelines. At present, state regulators appear to be more successful at enforcing the statutes than private citizens because of standing requirements. However, both regulators and affected individuals remain sources of costly litigation. These cases should not, however, be taken to mean that organizations should hurriedly notify affected individuals in the event of any security incident. On the contrary, organizations should provide notifications only after careful consideration of the incident and the applicable breach notification statutes.
Typically, and with good reason, organizations will not provide notifications unless they are required to do so. Such notifications are costly. The Ponemon Institute’s 2013 Cost of a Data Breach Study found that, on average, a breach costs $188 per record.13 According to the study, the average breach affects 28,765 records, leading to costs exceeding $5 million.14 The Ponemon Institute estimates that the average costs of notification alone amount to more than $550,000.15 The factors considered by the study include the strength of the organization’s policies and procedures, the type of breach, and the quality of staff involved in the remediation.16 Of the seven factors noted in the study, one factor fully under the organization’s control after the incident directly affected the cost of a breach: the speed of notification. Specifically, the study found that if the organization notified data breach victims within 30 days of discovering the breach, the cost of the breach increased by $37 per record, or over $1 million on average.17
Senior management inexperienced with breaches might believe that once a security breach is discovered, notification is inevitable and should be made, especially with the specter of breach notification statute violations. However, the Ponemon Institute’s numbers show that organizations should not give in to the temptation of notifying affected individuals too quickly without sufficient understanding of the incident.
Experience shows that many security incidents look much worse initially than they do after a thorough forensic review. Therefore, it is likely in an organization’s best interest to wait until it has thoroughly investigated an incident before it concludes that a breach has occurred. In addition, some breach notification statutes have a narrow definition of “breach” that may not include the security incident that occurred. For example, some statutes state that a breach occurs only if data is “accessed” or “acquired” by an unauthorized person. Access or acquisition may not have occurred during an incident, and this may become apparent only after thorough investigation. Most states also do not require notification when the data involved was encrypted. Therefore, properly analyzing the circumstances of the incident under the applicable statutes is an important step to take before notifying regulators and affected individuals.
Organizations will likely never have all of the knowledge they want before they need to make the decision of whether to notify regulators and affected individuals. So, how can organizations properly deal with security incidents quickly, but with good judgment? One effective method is for organizations to draft, implement, and regularly test an incident response policy before an incident occurs. The Ponemon Institute’s research shows that having a quality incident response plan in place at the time of the breach is worth $42 per record, or over $1.2 million on average. Incident response policies tend to be more effective if they are drafted and implemented with the help of outside experts. Incident response policies include detailed instructions for:
- identifying suspected incidents;
- responding to suspected security incidents from an IT perspective;
- bringing in outside legal and forensics experts;
- mitigating any damage from a security incident;
- documenting the security incident;
- reporting the response efforts;
- assessing the legal and business risks from a security incident; and
- determining any breach notification obligations under applicable law or contracts.
Following such a policy helps ensure that the organization methodically takes the proper steps during a crisis situation once an incident occurs. In doing so, organizations will be able to more quickly assess the incident so that they can provide notice in a timely, cost-effective manner when required.
1 Fla. Stat. §817.5681(1)(b); Ohio Rev. Code § 1349.19(B)(2); 9 V.S.A. § 2435(b)(1)&(3)(A)(i); Wis. Stat. § 134.98(3)(a).
2 9 V.S.A. § 2435(b)(1)&(3)(A)(i).
3 In re Barnes & Noble Pin Pad, No. 12-cv-8617, 2013 U.S. Dist. LEXIS 125730, at *4 (N.D. Ill. September 3, 2013).
4 Clapper v. Amnesty Int’l USA, 568 U.S. ____, 133 S. Ct. 1138, 1143 (2013). Please see our Eye on Privacy article discussing the case at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/May2013/index.html#4.
5 In re Barnes & Noble Pin Pad, 2013 U.S. Dist. LEXIS at *8.
6 815 ILCS 505/10a.
7 In re Barnes & Noble Pin Pad, 2013 U.S. Dist. LEXIS at *9.
8 See a more detailed analysis of the B&N case in an article in this issue of Eye on Privacy entitled “Barnes & Noble Dodges Suit over PIN Pad Data Breach.”
9 9 V.S.A. § 2435(b)(1)&(3)(A)(i).
10 Assurance of Discontinuance at 3, In re: Natural Provisions, Inc., No. 522-9-13-wncv (Vt. Super. Ct. September 5, 2013).
11 Complaint at 4, Connecticut v. Citibank, N.A., No. HHD-CV12-6044810-S (Conn. Super. Ct. August 29, 2013); Conn. Gen. Stat. § 36a-701b(b).
12 Complaint at 4, People of California v. Citibank, N.A., No. RG13693591 (Cal. Super. Ct. August 29, 2013); Cal. Bus. & Prof. Code § 1798.82.
13 2013 Cost of a Data Breach Study: United States, Ponemon Institute (May 2013).
15 For estimating the notification costs, the Ponemon Institute considered the costs of creating contact databases, “determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs, and inbound communication set-up.”
16 Id. at 8.