When Cybercriminals Attack, Privacy Laws Mandate Speedy Response
Target. Home Depot. Sony. Yahoo. MedStar. The U.S. Office of Personnel Management. The National Archives. The Democratic National Committee.
Every day brings fresh reminders that corporations, government agencies, and other organizations are vulnerable to cyber intrusions. There have been thousands of them in the United States during the past decade involving the breach of nearly a billion records containing sensitive information.
Sometimes the goal is disruption or embarrassment. In the business world, the most common motive is to steal confidential personal identification information, bank and credit card account numbers, and intellectual property. For the victim companies, the costs can be staggering. The data breach at Target cost the company approximately $148 million to resolve. Even smaller intrusions can lead to class-action lawsuits, shareholder derivative suits, and enforcement actions.
When a business suspects its network has been compromised, the typical first step is for its IT department to determine the source of the attack, assess the duration and scope of the intrusion to learn whether the intruder has left a “backdoor” on the system to permit future access, and then secure the network as quickly as possible. But the technical response alone is not enough, because state data breach notification laws impose additional requirements. Compliance with those laws is an indispensable part of responding to a cyberattack in a way that makes matters better rather than worse.
Notification Procedures Under PIPA
Maryland is one of 51 U.S. jurisdictions to have enacted laws requiring businesses that fall victim to unauthorized disclosures of personal information to communicate with the persons whose information may have been compromised. The Personal Information Protection Act (PIPA) requires a business retaining consumer records to notify a consumer who resides in Maryland if his or her personal information is compromised. Any financial institution that complies with the federal Gramm-Leach-Bliley Act (which requires notifying customers of information-sharing processes and safeguarding sensitive data) or business that complies with notification procedures imposed by other federal or state regulators is considered to be in compliance. Otherwise, the PIPA requirements apply.
PIPA broadly covers corporations, partnerships, associations, and sole proprietorships, including not-for-profits that own or license “personal information,” defined as an individual’s first name or initial and last name in combination with a Social Security account number, driver’s license number, bank account or credit card number, or individual Taxpayer Identification Number. An encryption “safe harbor” provides that data is not covered “personal information” if it is encrypted, redacted, or otherwise made unusable.
Information from public records or made available by consent is not protected “personal information.”
Unless those exemptions apply, PIPA requires businesses that own or license personal information of Maryland residents to maintain security practices appropriate to the nature of the information and the business, both for themselves and for third-party contractors who handle personal information.
When There is a Data Breach
What happens when a business covered by PIPA discovers or is notified of a breach of the security of its system?
There’s no escaping the need to employ IT experts to assess the situation. A business must promptly investigate to determine the likelihood a Maryland resident’s personal information has been compromised. If investigation indicates misuse of personal information has occurred or is reasonably likely to occur, the business must notify the individual as soon as possible; a third-party vendor must notify the business that owns or licenses the personal information. Notice can be delayed only at the request of law enforcement or if necessary to determine the scope of the breach, identify affected individuals, or restore the integrity of the system.
Notice must be given in writing, unless the individual has consented to service by email or the case warrants service through a combination of email, a website posting, and notice to statewide media. The notice must describe what was compromised and include contact information for the business, toll-free numbers for credit reporting agencies, the Federal Trade Commission, and the Maryland Office of the Attorney General (OAG). Failure to take these steps can lead to civil and/or criminal penalties.
Before sending out notices, a business must send the OAG a copy of the notice and describe the breach, the number of Maryland residents affected, the compromised information, and the steps being taken to restore the system. The OAG posts a brief description of the matter on its web page. So far in 2016, it has posted information about 497 reported breaches. The list makes for sobering reading. Breached businesses include health care providers, banks and financial services firms, hotels, insurance companies, restaurants, professional services firms, and universities.
For a business that discovers a data breach requiring notification, compliance with Maryland’s law is only the first step. No federal statute covers the entire country. Rather, businesses can find themselves facing a bewildering array of laws from 46 other states, the District of Columbia, Guam, and the Virgin Islands. No two laws are identical. Just for starters, some state laws contain broader definitions of “personal information” that include biometric data or DNA profiles. States have different thresholds for the extent of intrusion requiring disclosure and different rules for the content and timing of notices. Enforcement and penalty provisions differ, too.
Today’s businesses understand effective cybersecurity programs involve dozens of separate issues: asset management, data governance policies, risk assessments, cybersecurity training, information protection, backup procedures, access control, incident detection, prevention technologies, penetration testing, incident response plans, and recovery exercises. Sadly, even the most meticulous planning is not always enough to prevent an attempted intrusion, but it can help mitigate any negative effects.
Stuart Berman joined the firm’s Litigation practice after serving 28 years in the U.S. Department of Justice, including 23 years at the U.S. Attorney’s Office in Maryland. As the Computer and Telecommunications Crime Coordinator for many years, he investigated and prosecuted computer intrusion cases, working closely with the FBI and Secret Service cybercrime squads. As Chief of the Greenbelt Branch Office, he supervised cybercrime prosecutions. For more information about cybercrime issues, contact Stuart at (301) 657-0729 or [email protected].