Regulatory updates pertaining to data privacy and information security continue to be rolled out across the country. These changes have the potential to significantly impact an organization's obligations surrounding a data security event. Kevin Dolan, a partner at Mullen Coughlin LLC, recently shared an overview of what is happening in this space at CMMC CON 2023. Mullen Coughlin LLC represents organizations facing data privacy events and information security incidents. The firm provides proactive advisory compliance, incident response, and regulatory response services to its clients.
Regulatory approach at the state level
At this point, all 50 states have passed data security laws that require notification to affected individuals when there is unauthorized access to, or acquisition of, their personally identifiable information. The states vary with regard to the types of data elements that are protected. Across the board and as a minimum, every state guards personally identifiable information (PII) such as a name combined with a Social Security number, driver's license number, or financial account information.
“What makes it complex and what drives your obligations following an event are the types of data that were impacted and what the states of residence of those impacted individuals are,” states Kevin. “More than half of the states, in addition to individual notifications, also have a regulatory notification requirement, oftentimes requiring notification to a state attorney general following an event, depending on whether or not specific thresholds have been met consistent with numbers of affected individuals within those states.”
There is also deviation from state to state with respect to when notice must be provided to affected individuals or regulators, underscoring the importance of drilling down on the specific states of residence and the specific statutes that will be implicated following an event. The states also take varying approaches to requirements for attestations of compliance and/or private rights of action.
A sampling of state legislative trends
More states are becoming active in data privacy regulation and enforcement. This means that more states are requiring regulatory notification following an incident and, in turn, more state attorneys general are launching some level of inquiry requiring additional information following these notifications.
States are also expanding the definitions of “personal information” to now include biometric information, email address with password, passport number, health information, health insurance information, and more. The list of what these regulators and legislatures treat as protected and potentially sensitive information keeps growing.
A few states now provide an affirmative defense for data breaches if an organization proactively implements industry-recognized information security standards. This can potentially provide some relief to impacted organizations if certain industry-recognized standards are in place.
Another development with significant implications following an incident is the fact that many states have now also passed industry-specific laws that extend protection well beyond traditional understandings of PII. For example, a handful of states have now enacted privacy laws that protect student data maintained by educational entities or their vendors, and require notification and action following an incident.
“We also have some positive trends for victim organizations in the opposite direction,” shares Kevin. “What we anticipate moving forward is a continued expansion of personal rights around data privacy through state-level activity and legislation. Organizations across industries need to understand, from a regulatory framework standpoint, issues such as ‘what is the entire framework of these regulations that are applicable to us, based on the industry that we occupy and based on the types of data we are storing and adjusting?’ Then entities need to also understand how they are currently postured against those regulations. If there are gaps, they need to identify the steps that need to be taken to fill those gaps and ensure that they are as compliant as possible.”
Post-incident best practices
Here are some useful actions to help avoid or mitigate the impact of data privacy and information security events if and when they occur. Note that your customer, contractual, or regulatory requirements for incident reporting are likely unique to your business, but as a general set of guidelines, here are some best practices.
Ensure experience on your incident response team.
Regularly test your incident response plan to ensure all team members understand how to proceed. Taking the time and devoting the resources to conduct tabletop exercises is crucial, because you do not want to be testing your plan, and your team's ability to execute on it, for the first time in the midst of a crisis. Also make sure that the plan ties to your specific legal and regulatory framework.
Use counsel to establish attorney-client privilege.
Counsel directs forensics, notice drafting, and other vendors so that, in the event of litigation or a regulatory investigation, documents and communications produced during the response are not discoverable. Following an incident, engage external counsel first to ensure that all appropriate steps are being taken to preserve future claims and privilege around the investigation and its results, and to make sure that you are aware of all of the laws that apply.
Do not use the terms ‘breach’ or ‘PII’ lightly.
These are statutorily defined legal terms, the use and admission of which have consequences. From a messaging standpoint, language matters following these events. Terms like breach and PII have entered the broader lexicon, and people use them freely, but they carry legal significance and legal implications. If you start using the word breach before you have confirmation of the types of information that were impacted, people will assume that you have had unauthorized access to or acquisition of protected data, when your forensics investigation may not yet have reached such a conclusion.
Do not rush to go public.
There is typically a tremendous desire to go public quickly when an incident occurs. Remember that an inability to answer the questions that will inevitably follow can be devastating. Be transparent and communicative, but balance that against not getting out in front of the facts. In these situations, it is better to be right than to be fast.
Kevin adds, “It’s critical to understand your data from an organizational standpoint. Your entity should truly have its arms around the full scope of data that’s being held by and maintained by your organization. How long is it being held and for what purpose? Where’s that data located and how’s it being protected? That awareness can be key in mitigating organizational risk and can also be a beneficial tool in assisting in the response efforts following an incident.”
To understand the risks of not meeting compliance requirements from a business perspective, contact the experts at CyberSheath. We can help you meet regulatory compliance.