Page 1

© 2009 Hogan & Hartson LLP. All rights reserved.

Christopher G. Cwalina, Vice President and Assistant General Counsel, Intersections Inc.

Carol A. DiBattiste, Senior Vice President, Privacy/Security/Compliance/Government Affairs, LexisNexis Group

Christopher Wolf, Partner and Co-Chair of Privacy and Data Security Practice Group, Hogan & Hartson LLP

IAPP Privacy Academy 2009

Into the Breach: Dealing With the Aftermath of a Data Breach

Page 2

Our focus today

• Beyond the basics of the data breach laws – how does one translate the experience companies have had in handling a breach into practical tips to reduce or manage risk?

• The litigation and regulatory enforcement that have followed breaches hold lessons for future targets: what are they?

• We all have heard that a company must be prepared in advance to handle a data security breach but what does that really mean, in practical terms?

Page 3

What we plan to cover

• Briefly, what is the current legal landscape regarding data security breach notification?

• Also briefly, what are the prospects for legislative and/or regulatory developments in the coming months?

• What have we learned from the breach litigation so far and what does this experience suggest on how to manage a breach in light of the claims that have been brought?

• Take-away strategies for preventing breaches and minimizing claims

Page 4

The current legal landscape

• A major aspect of managing the aftermath of a data security breach is complying with all applicable statutes, so knowing the intricacies of the laws is important

• Alabama, Kentucky, Mississippi, New Mexico and South Dakota are the only remaining states without a data security breach notification law

– For most companies, the absence of a state statute does not mean the affected residents of the state will not receive notice

• There are variations in the laws as to what triggers a notice

– Approximately 35 states have some form of “risk of harm” standard that must be met before notice is required

• Some statutes cover both computerized and paper data (Alaska, Hawaii, Indiana, Massachusetts, North Carolina, Wisconsin and under the HITECH Act)

Page 5

Current Legal Landscape: Timing of the Notice

• Most laws provide that notice must be made in the most expedient time possible and/or without unreasonable delay.

– Some laws provide that this notification may need to be made after conducting an investigation or after notifying other bodies, such as the Attorney General or law enforcement authorities.

– Florida, Ohio and Wisconsin require notification no later than 45 days following discovery of the breach (consistent with law enforcement needs or requests for delay and/or measures to determine the scope of the breach).

– Maine law limits to seven days the time that breach notification may be delayed following a determination by law enforcement that providing notice will not compromise a criminal investigation.

– HITECH Act requires notification no later than 60 days following discovery of the breach (“Discovered” is when it becomes known or it should reasonably have been known.)

Page 6

Current Legal Landscape: Other Important Variations

• Non-owners (custodians) of data that has been breached must notify the owner or licensee of the data

– Great variation among the laws as to when notification must be made to data owners

• In some states, and in some circumstances, notification must be provided to the Attorney General, State Police, “primary regulators” and/or consumer reporting agencies

• A dozen states and Puerto Rico detail the required contents of the notices: Massachusetts prohibits including details of the incident; others require details of the incident, the type of personal information involved, a direction to remain vigilant and other information (e.g., Maryland requires the phone number of the Maryland AG)

• Written notice required; telephone notice allowed in 16 states; e-mail allowed in certain circumstances (with advance consent pursuant to E-SIGN Act)

– Various provisions for substitute notice

Page 7

Legislative Developments

A busy summer

• July 1: Alaska and South Carolina breach notification laws went into effect

• July 9: Missouri enacted a data breach notification law, the 45th state to do so 

• July 22: Senator Leahy reintroduced federal data security bill

– Would require notification of: major media within any state where more than 5,000 individuals are affected by a breach; consumer reporting agencies if more than 5,000 individuals are affected; and the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than one million people.

• July 27: North Carolina amended its breach notification law to require notification of the state attorney general, with content requirements

Page 8

Three federal data security bills this year

• Senator Feinstein reintroduced one in January

• Senator Leahy introduced his in July

– Businesses that collect, use or access the SPII (sensitive personally identifiable information) of more than 10,000 individuals would be required to implement a comprehensive data security and privacy program

• Exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA)

– Notification provisions would not preempt existing state data breach notification laws with respect to solely in-state breaches, but would supersede provisions of federal law or of state law relating to notification by a business engaged in interstate commerce. 

• And Congressman Bobby Rush introduced HR 2221 in April

– Strongly supported by the FTC

Page 9

Details of HR 2221 (for review at your leisure)

• H.R. 2221 (the Data Accountability and Trust Act), introduced by Congressman Rush in April

– requires those possessing electronic data that contain personal information to take steps to ensure that the data is secure pursuant to regs to be promulgated by FTC

– establishes notification procedures when a data breach occurs.

• companies do not have to initiate such notices if they determine that "there is no reasonable risk of identity theft, fraud or other unlawful conduct." 

• timing: “as promptly as possible” and “without unreasonable delay”

– “and consistent with any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system” – no express “law enforcement request exemption”

• notice can be through written notification or e-mail if the primary method of communication with the individual is by email or the individual has consented to receive such notification and notice is consistent with E-Sign with respect to consumer notices

– provision for substitute notice in certain circumstances

• Content requirements:

– a description of the personal information that was acquired by an unauthorized person;

– telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the breach of security or the information maintained about that individual;

– notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, and instructions to the individual on requesting such reports from the person;

– toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

– a toll-free telephone number and Internet website address for the FTC whereby the individual may obtain information regarding identity theft.

– Encryption exception and provision for FTC to specify other exempting technologies

Page 10

More on HR 2221 (more for review at your leisure)

• Grants FTC power to impose civil penalties for violations and authorizes State Attorneys General to enforce. No private cause of action.

• Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification, or on FTC’s request.

– Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information.

– Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information.

• Prohibits information brokers from obtaining or disclosing personal information by false pretenses (a/k/a pretexting).

• Preempts state information security laws.

• Status: On June 3, the Subcommittee on Commerce, Trade and Consumer Protection sent the bill to the full House Energy and Commerce Committee.

Page 11

Litigation and Regulatory Precedents So Far

• Breach notifications often trigger investigations by state attorneys general and by the FTC

– HITECH Act creates new vehicles for breach investigations

• Civil actions face hurdles where there is no damage proximately caused by the breach

– But creative plaintiffs are working hard to chip away at the precedents

– Litigation costs are high regardless of eventual dismissal, because cases often proceed past the motion-to-dismiss stage so that a record can be developed on the damages issue

• B2B lawsuits on the rise, pursuant to state statute, contract and common law

– Note the recently filed lawsuit against CardSystems’ auditor, Savvis Inc.

Page 12

Litigation and Regulatory Precedents So Far

• Case study: TJX – breach announced in January 2007 involving as many as 94 million credit and debit card numbers

• In June of this year, TJX agreed to pay $9.75 million to settle investigations by 41 state attorneys general

• Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations.

• In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for data security initiatives

– Research will be funded on the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs

• In 2007, TJX settled consumer and bank lawsuits

• TJX also has settled with Visa and MasterCard

• In August 2008, 11 people were charged with federal crimes in connection with the breach (accomplished by exploiting vulnerable wireless networks)

• In January 2009, one of the defendants, Maksym Yastremskiy, 25, of Ukraine, was sentenced to 30 years in prison for spearheading the sale of stolen TJX data.

Page 13

Lessons from the Litigation

• What have we learned from the breach litigation so far and what does this experience suggest on how to manage a breach in light of the claims that have been brought?

– Important to have an effective public communications strategy

– As to business partners and customers, early notice pays off

– With respect to federal and state regulators, keep them informed

– Cooperate with regulators

– Insurance coverage may help

– And, fundamentally, minimizing the risk of a breach and having a plan if one occurs is the best way to deal with possible litigation

Page 14

What can be done before a breach occurs to minimize the risk of a breach?

• Causes of a breach: Lost or stolen media, insider wrongdoing, customer fraud, malicious code, inadvertent disclosure

• Issues: Data storage, network security, third-party interactions, human error

• Focus of attention:

– Data minimization

– Knowing what PII and SPII you have

– Physical, technological and administrative safeguards

– Portable data issues

– Third-party issues

– Data destruction issues

– Awareness and auditing

Page 15

What does it really mean to “be ready” for a breach?

• The need for a written plan

• Having a team in place to respond

• The importance of training

• Understandings with third parties

• Having law enforcement contacts

• Consent for e-mail notification

• Plan to document the breach response

• Review and update of the plan

Page 16

Into the Breach: Lessons Learned

• Notice issues – contents, timing, recipients, means of delivery

• Law enforcement issues

• Credit reporting agency issues

• Insurance issues

Page 17

Into the Breach: Dealing With the Aftermath of a Data Breach

Page 18

Questions and Answers

Page 19

Offices: Abu Dhabi, Baltimore, Beijing, Berlin, Boulder, Brussels, Caracas, Colorado Springs, Denver, Geneva, Hong Kong, Houston, London, Los Angeles, Miami, Moscow, Munich, New York, Northern Virginia, Paris, Philadelphia, San Francisco, Shanghai, Silicon Valley, Tokyo, Warsaw, Washington, DC

www.hhlaw.com

Christopher Wolf, 202-637-8834

[email protected]