
Issue Archive: November/December 2008

The Letter of the Law: Data Breach Notification Statutes Expose Gap in Incident Response Plans

Authors: Thomas E. Schwartz and Thomas J. Kristofco

Thoughtful and thorough planning has improved the preparedness of many organizations. However, lurking in the recovery scripts and details of many data breach incident response plans (and related business continuity programs) is a wide gap which must be filled for an organization to be prepared.

What is this key weakness? It is the lack of a predetermined capability to produce, mail, and monitor written notifications to the individuals whose personal information has been compromised in a data breach.

How did we miss it? The reason may be that legal requirements on businesses suffering data breaches are relatively new phenomena. July 1, 2003 was the effective date of the first state statute, in California, requiring written notification in the event of data breach. Many other states have been added to the list, with 10 states enacting statutes in 2005, 17 in 2006, nine in 2007, and nine in 2008 and beyond. Therefore, it is likely that your state will have notification requirements and that you may not be familiar with those rules.

Overlook this exposure and the implications may be severe and far reaching. In addition to suffering potential damage to its reputation and brand resulting from negative publicity, an organization may be subject to substantial penalties for not satisfying the requirements of this growing body of state and federal laws requiring written notifications. Improper handling of a crisis communication with customers, employees, patients, and others may expose a business to adverse legal ramifications. Add to that, the likelihood that lack of proper planning will result in substantial incremental costs of processing notifications on an emergency basis.

Consider this scenario: Your organization has operations in seven states, but its customer base resides in 22 states. The total number of households represented by the customer base is 350,000. You experience a confirmed data breach, due to the loss by a storage vendor of several unencrypted data tapes. Personal information, comprised of data elements useful to identity thieves such as Social Security numbers, bank account numbers, and driver license numbers, has been released. All 22 states in which your customers reside have data breach notification requirements, and the provisions of each of those laws vary greatly in terms of who must be notified, what information must be included in the notices, and the time frame for notification.

Ask yourself if your organization has in place a structured mechanism and relationships with capable and experienced vendors to properly respond in the legally required manner to an incident such as this. What follows is additional information intended to provide guidance as you take the necessary steps to close this gap and address this exposure.

The Rising Tide of Data Breach Incidents

Data breach incidents are increasing at an alarming rate. Not a single day passes without the confirmation and reporting of another shocking breach. These incidents are frequently followed by a great deal of media attention. Breaches impacting a large number of stakeholders, or those that occur at a well-known business, university, school system, or governmental agency, receive plenty of undesirable publicity.

Statistics from the Identity Theft Resource Center (ITRC) as of October 2008 help to illustrate the growing problem (see sidebar, page 33). The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.

This epidemic of breaches has privacy officers and planners taking a hard look at ways both to minimize the risks, and to preplan for a response in the event a client company gets the bad news. Some things are certain:

  1. As the amount of individuals' personal information stored in companies' databases, and the number of devices on which that information is stored, both continue to explode, data breaches will increase in the future.
  2. Certain organizations will continue to experience a disproportionate number of breaches - e.g., financial services (11.7 percent of recorded breaches) and educational institutions (21.2 percent of recorded breaches).
  3. As the number of breaches grows, so will the number of companies that become legally obligated to notify those adversely affected by the breaches.

The State of Statutes

Since the 2003 California statute, 44 states, plus the District of Columbia and Puerto Rico, have enacted data breach notification laws. Only six states, plus the U.S. Virgin Islands, have yet to follow suit. It is likely that these remaining states will follow suit or, alternatively, that a federal law may supersede this present "crazy quilt" of state laws.

California was the trailblazer, with its law used as a starting point by many of the states that followed. Although similarities exist between the laws enacted in the various states, it is the substantial number of differences and variations which pose challenging problems for incident response planners. Without one overarching legislative mandate to follow, responsible parties are forced to familiarize themselves with many different notification requirements, time frames, inclusions, exclusions, and formats to fulfill the letter of the law (see sidebar, page 34).

It is important for continuity professionals, and those responsible for incident response plans, to familiarize themselves with the state or states' laws with which they will need to comply should a breach occur. A thorough review of the individual state notification requirements will likely reveal that the organization was not aware of the many and various rules which will have to be followed.

Expect each state's rules to vary relative to required procedures to follow in the event of a breach, what constitutes a breach in each jurisdiction, the time frame for compliance with notification of interested parties, the format of the required notification, the requirements to notify state authorities, the obligation to provide identity theft monitoring to impacted parties, and so on.

The more you know now about your unique circumstance, the more effectively you will be able to respond when the incident response plan is pressed into service.

It's Where They Are…

It is critical for planners to understand that the state statutes which will apply in your compliance efforts will be those laws for the various states of residence of your customers or other affected parties (e.g., employees), not just the state(s) where you do business.

That is a critical distinction to take into consideration while reviewing the incident response plans in place today in your organization. In the case of most enterprises, the applicability of multiple states' laws significantly expands the scope and seriousness of this issue, and will complicate your efforts to correctly respond to a data breach declaration.

Have you thought about all of the states in which your customers may reside? Revisiting the previous scenario, the organization has operations in seven states; however, the customer base actually resides in 22 states. It will be an important planning task for the entity to determine where the customers live, and understand the requirements in all those jurisdictions.

An organization with operations in the Mid-Atlantic States may not have considered that customers who reside in the Sunbelt states during cold winter weather create an additionally challenging obligation to fulfill.

It's Not That Easy

Incident response and business continuity plans contain a great deal of useful information to be referenced in the event of a declaration. It is common to maintain a listing of vendors that are known to the organization for their ability to fulfill certain needs when called upon to do so.

In the event of a data breach requiring written notification, a complex series of events must begin. The data transmission, notice production, processing, mailing, and monitoring of a data breach notification to your stakeholders is a specialized process requiring professional skill and significant infrastructure. This is not the time to cold-call a printing vendor from a contact listing and challenge it to undertake this complicated process.

Getting back to our scenario, your notification will need to reach all of the 350,000 parties in your customer base. The impacted households may be spread across 22 states. Add to that, you may have only a short period of time from confirmation of the breach to send the notices within the rules of the various states. There may be as many as 22 different variations of that letter being sent.

This task is no simple bulk printing job. To be successful, a substantial amount of preplanning by internal resources and/or competent third-party vendors is necessary in order to be ready to properly respond. Many organizations are now entering into service agreements with organizations specializing in this type of crisis communication.

What to Look for

Crisis communication vendors must be able to act as trusted advisors that help your team to improve your incident response plans. You should be confident in counting on them to review your plan, the states of residence of your message recipients, your processing environment, and your data formats, among other operational issues, and to know how to build smoothly functioning bridges between their capabilities and your situation.

A reliable vendor must have clear and well-defined process work flows to manage your event, and a demonstrated track record of capability to process high quality notifications, in large quantities, to a broad audience, in a short period of time. They must have securely designed production facilities, enable secure communication between their organization and yours, and know proven techniques to minimize duplication and postage costs when processing your notification.

It is best to deal with an organization that has provided these types of services for a number of years, and is able to demonstrate its financial stability.

Lastly, it is important to deal only with a vendor that will never solicit your customers. Many vendors try to leverage a relationship with you to get access to your end clients to sell them some service. Deal with a vendor that is interested in serving only you.

An overview of the service capabilities to expect from your relationship with a specialty crisis communication partner may include the following.

Planning and Set-up

  • Review states in which business is subject to notification statute
  • Store client sample notification letter formats
  • Determine parties authorized to declare an event / sign letters
  • Establish teams, contact, communication, and file transfer protocols
  • Conduct mock notification printing and mailing test
  • Suggest revisions to crisis communication plan

Provisioning of Production Capacity

  • Guarantee predetermined production quantities and time frames

Breach Declaration and Notification Production Services

  • Establish breach declaration and notification production options
  • Initiate the notification process, produce / mail the required documents
  • Follow up status of undeliverable items, and report back to management

Periodic Testing

  • Establish a change management policy and procedure
  • Conduct periodic testing of the program

Other Common Services Available

  • Call center support and post-breach survey services
  • Website information management
  • Secure storage of materials
  • Return mail management

Closing the Gap in Your Plan

The best place to start is to review your current data breach incident response plan to determine the status of your preparedness efforts. You will be asking such questions as:

  • Do we have a mechanism to produce data breach notifications to constituents?
  • Have we determined the states of residence of our stakeholders?
  • Are we up to date on the compliance rules dictated by the many state statutes that apply to us?
  • Have we prepared sample letters, which follow specific state guidelines, and included them in our plan documentation?
  • Have we reviewed the deadlines for notification on a state-by-state basis?
  • Have we determined the format and look we want for such communications, and have we predetermined who will sign the correspondence?
  • Do we have legal counsel familiar with notification statutes to review our letters and compliance documentation?
  • Have we made provision for identity theft monitoring services which may be required by state statute?
  • Have we formulated our processes, work flows, and security measures to communicate the customer information efficiently and confidentially to the print vendor that will be processing this communication?
  • Have we tested our plan, and our ability to prepare such notices in advance of an actual event?
  • Have we considered entering into an agreement with a print vendor which specializes in this service to clients?

Once you have asked the above questions, and other related ones, of your team, you will have a clearer picture of possible gaps in your organization's ability to meet the "letter of the law". From this point, an action plan must be developed to resolve the issues which surface during this discovery process. You may be able to resolve many of your deficiencies with internal resources.

However, considering the complexities of this compliance effort, it may be necessary for the organization to reach out to a competent crisis communications vendor for help. Now is the time to undertake this review, and conduct these necessary preplanning steps.

It is important to recognize that a gap may exist in our incident response plan due to the growing number of laws being enacted to protect the stakeholders that we serve on a daily basis. The time is now to take action to bridge this gap. After the breach is confirmed is much too late.

Thomas E. Schwartz is president of Immersion, Ltd. He can be reached at (866) 377-8210 or via e-mail at tom.schwartz@immersionltd.com. Thomas J. Kristofco is president of Business Continuity Concepts. He can be reached at (814) 695-5262 or via e-mail at tkristofco@businesscontinuityconcepts.com.

© 2010, Gardner Publications, Inc. All rights reserved.