ACE USA Podcast
Released June 24, 2010

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised

Moderator: Richard Tallo, Senior Vice President, ACE North America Marketing & Communications, ACE USA

Panelists: Toby Merrill, Vice President, ACE Professional Risk, ACE USA; John Mullen, Attorney, Nelson, Levine, DeLuca & Horst; Mark Greisiger, President, NetDiligence

Hello, I'm Richard Tallo, of North America Communications, at the Philadelphia headquarters of the ACE Group of Companies. Welcome back to the second of two podcasts ACE has produced to discuss how companies can learn how to prepare for, and deal with, data breaches. In our first broadcast ("Preparing for the Inevitable Data Breach: What to do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised"), we discussed the steps that organizations and their risk managers need to take in order to put together an effective crisis response plan. To briefly recap, these steps were:
Naming a specific senior manager to take charge following a breach;
Identifying computer forensic specialists before the event, to determine what has been compromised in a manner that preserves the chain of custody and other stakeholders;
Structuring proper service provider contracts;
Pre-negotiating notification, call center and credit monitoring services; and
Looking into privacy liability insurance.
Today, we'll move beyond crisis management planning and look at how companies can respond following the breach of sensitive consumer or employee information. Once again, I'm joined by: Toby Merrill, National Privacy Product Manager for ACE USA; John Mullen, a partner with the law firm of Nelson, Levine, DeLuca & Horst; and finally, Mark Greisiger, President of NetDiligence, a data privacy and security firm.
I'd like to start today's discussion by asking Toby how he would handle the following scenario: It's Monday morning at 10 a.m., and a major credit card company has just alerted you that they noticed a suspicious pattern of charges they suspect was caused by a serious breach at their company. Can you tell us what should occur in the first hour after that phone call?
Well, Rich, hopefully management has already put in place an incident response plan in advance of the breach, outlining who inside and outside of the organization needs to be involved and what steps need to be taken. In either case, the company needs to first assemble a crisis response team to determine exactly what happened and begin delegating responsibilities. At the very least, the first action items need to include:
Engaging a forensics team to determine the extent of the breach, including the number of records affected and the type of information that has been exposed.
Assessing the severity of the breach as early as possible to determine the best course of action. For example, a breach of 10 or 20 credit cards should be classified very differently than a breach of a few thousand social security numbers.

What are the action steps for the next phase?

Engaging a legal firm to counsel senior management on the organization's legal obligations around a number of issues, such as state notification requirements and litigation holds. Spending a few thousand dollars on legal counsel up front can potentially save the organization millions in defense costs on the back end. Then, depending on the severity of the breach, the organization should bring in crisis management consultants to review the situation and to advise on the best means of communication with the public, should it be required or recommended.

Thanks, Toby. Mark, why are computer forensics so critically important at this stage?

First, it is critically important that you get a snapshot of the security breach event. You will need to determine what internal computer servers have been impacted by this event, when and where the attack occurred, and what prudent controls were in place at the time of the incident.
Next, you are going to need to identify the individuals who could have potentially been affected by this event. Computer server logs should be reviewed to verify important information, such as:
How the company's servers were accessed, as well as when and how often this illegal access occurred;
Whether the culprit actually accessed the customer's information and employee data;
What type of data was accessed and when; and
Where the victims physically resided, to determine the proper course for notification.
Another key point is, depending on the applicable state notification laws, a company may not be legally required to notify customers or employees whose sensitive information has been compromised. Many companies that have not properly examined the nature of a breach before disclosing have found that they may have disclosed a little bit too soon. This past year, I worked with several clients that experienced a real-life data breach event impacting their customer data. And in many of these instances, they found they did not have a duty to notify because either the data impacted was limited, for example, no personally identifiable information was impacted, such as a name combined with a social security number, or the data was encrypted and thus the laws' safe harbor may apply.
Thanks, Mark. John, can you discuss the key ingredients of an effective media message? And, how should the news that sensitive consumer data has been compromised be communicated to both affected customers and the public?

Rich, ideally a simple, clear company statement by a senior executive should include the key facts of the incident that are known at that time, what is being done to address the breach, and in what timeframe, and it should conclude by confirming that appropriate steps are being taken actively. It's always best to tell your story up front, stressing open communication within the organization and making yourself available for participation in news stories as appropriate, taking care to work with trusted media sources.

Thanks, John. Are there other best practices to consider when communicating to key audiences?

Yes, they include the following:
Keeping to the basic facts of the breach and not overstating the facts;
Showing empathy and concern for the affected individuals;
Reassuring key audiences and stakeholders that the response to the privacy breach is being handled properly and that assistance is being offered to those affected; and
Finally, accepting responsibility for the incident while taking care not to admit negligence.

That's important. Thanks, John. Mark, is it always necessary to provide credit monitoring services to affected customers?

Rich, it depends on the situation. A lost laptop with encrypted data is much different than a hacking attack where compromised information is being used for real identity theft purposes. The most important issue is determining the type of data that has been lost. If the data compromised is medical data or credit card information, then credit monitoring services may only provide limited assistance for the customers that were affected. However, if customers' social security numbers have been compromised, which is the holy grail of data, then credit monitoring services will be an appropriate response.
Another consideration is whether there is any concrete evidence of actual fraud. A laptop that went missing for two days and was returned by a trustworthy citizen may not warrant the additional costs of credit monitoring. It is important to note that there are currently no state notification laws on the books requiring that credit monitoring be offered. This is not a mandatory offering. However, research has demonstrated that individuals who are offered free or subsidized services may perceive the company more positively and are less likely to participate in a class action lawsuit. But credit monitoring services can be expensive, which is a key reason why pre-planning is so important.

Thanks, Mark. Would you share some best practices for offering credit monitoring services?

First, a prudent step is to offer those customers whose data has been compromised a free credit check, such as from the ftc.gov site. If a free service is not available, rates should be negotiated in advance of a data security breach event, and the company should talk to a number of different providers before making a final selection. A company should also try to find the most economical way to manage its costs. In many cases, choosing a provider that charges for redemptions only, and not on every offer made, is a better value, since we only see between 10 and 25 percent of offers redeemed. And finally, if a third-party service provider was responsible for the breach, you may be able to seek indemnity.
Toby, we've spent time focusing on best practices for companies. Can you share lessons learned from companies that have experienced data breaches?

Of course. The three biggest mistakes I have seen companies make after a breach are really related to a lack of preparation. First, without a crisis response plan in place, the company is forced to make rash decisions due to a lack of direction and leadership. A company responding to a breach should consider its culture and reputation, and how it is perceived by its customers. Senior management needs to agree on this prior to developing an appropriate response. Another common mistake I've seen is when companies have not taken the time to properly screen forensic, legal, and public relations as well as notification vendors prior to the breach. Not doing this may often result in a company making hasty decisions and hiring inexperienced firms or grossly overpaying for these services. The third mistake I have seen companies make is the tendency to over-notify, as Mark mentioned earlier. In some instances there have been a number of notifications that could have been significantly reduced, and in some cases eliminated entirely, had management taken the time to hire a qualified attorney who knows the intricacies of the various privacy regulations.

Toby, are there any instances where a company may choose to notify even after they've determined they are not legally obligated to do so?

Absolutely. There are three major areas where this has been the case: First, many organizations' reputations are built on their open culture environment, such as universities. The organizations may risk more by hiding the incident than any pending litigation might bring. Second, there are a number of foreign jurisdictions, such as Canada, that have yet to pass notification legislation.
[Note: Alberta has become the first province to add a data breach notification requirement into its legislation. The new measures were added into its Personal Information Protection Act (PIPA) on May 1, 2010 and are now law.] And third, many of the notification laws are very limited in the type of information that triggers the obligation to notify. For example, a breach of a customer's e-mail address may not trigger a notification requirement but could be used by a hacker to obtain more sensitive information. In each of these instances, the organization's decision to notify could mitigate its liability from class action considerably.

Thanks, Toby. John, can you talk about the actual financial damages suffered in the real cases that you have been involved with?

Of course. Incidents of data loss can be very costly for companies, especially those organizations that fail to take their legal duties seriously up front. Prior to any lawsuit being filed, there are expenses that can include notification to affected customers, call centers, service offerings to reduce damage to the customer or employee base, litigation expense and e-discovery costs. If a customer files a lawsuit, costs will escalate.
Should there be a lawsuit, legal cases tend to fall into three basic categories. First, the Federal Trade Commission, considered the most active government authority currently policing the data loss world, can elect to pursue statutory damages based on a fine-per-record-lost type of situation. These can be expensive to pay and even more expensive to defend against; as anyone who has ever gone up against the government in a lawsuit knows, it's very time consuming and very expensive. The second type of case is a suit related to financial institutions. Should a company lose significant amounts of data, particularly credit card information, most banks, regardless of best practices, will replace those credit cards. However, there is a fee involved in credit card replacement, a certain number of dollars per card. And, with lost records often in the millions, the amount claimed by financial institutions to replace those cards will be substantial. The third type of lawsuit, and by far the most expensive and problematic, are those that are called class actions. These are brought in the guise of customer and employee lawsuits. Class actions are generally brought in federal court, and although the industry has been relatively successful in defending against them, fighting certification of classes because they lack the requisite damages required under the law, the data breach context is tricky and that trend seems to be eroding in the courts.

Thanks, John. From our discussions, it's apparent that preparing a formal response plan is a necessity for a company. In the heat of a crisis, you don't want to be caught unprepared. As we've been discussing during this broadcast, an open and measured response can also help retain goodwill with customers and reduce the potential for legal liability down the road. I'd like to thank Toby, John and Mark for joining us today. On behalf of everyone at ACE, thanks for joining us.
NetDiligence (www.netdiligence.com) is a cyber risk assessment services company. NetDiligence also offers a unique post-data-breach response service called eRisk Hub (www.eriskhub.com) to fully support and assist clients with their inevitable data breach crisis incident. For the past decade NetDiligence has established itself as a leader in performing due diligence cyber risk assessments on behalf of the majority of P&C insurers in the US and UK that offer cyber liability coverage. Our clients also include well-known names in banking, brokerage, mortgage, insurance, clearinghouse, and other financial service sectors.

Nelson Levine deLuca & Horst: With seven offices from New York to Denver, NLdH is devoted solely to helping build and protect the insurance industry's business practices and clients, providing comprehensive legal services in the areas of reinsurance, regulatory, complex litigation, class action, coverage, subrogation, bad faith consulting and insurance fraud. For more information, please visit the NLdH website at http://www.nldhlaw.com/.

ACE USA is the U.S.-based retail operating division of the ACE Group of Companies, headed by ACE Limited (NYSE: ACE), and is rated A+ (Superior) by A.M. Best Company and A+ (Strong) by Standard & Poor's. ACE USA, through its underwriting companies, provides insurance products and services throughout the U.S. Additional information on ACE USA and its products and services can be found at www.aceusa.com. The ACE Group of Companies provides insurance and reinsurance for a diverse group of clients around the world. Product highlights are summaries only; please see the actual policy for terms and conditions. Products may not be available in all locations and remain subject to ACE Professional Risk's underwriting criteria. The views expressed by Messrs. Merrill, Tallo, Mullen and Greisiger are their own and do not represent those of ACE USA, any of The ACE Group of Companies, Nelson Levine or NetDiligence.
The material presented in this podcast is not intended to provide legal or other expert advice as to any of the subjects mentioned but is presented for general information only. You should consult knowledgeable legal counsel or other experts as to any legal or other questions you may have. Any references to insurance are also intended for general information only. For actual terms and conditions of any insurance, please refer to the policy. Coverage may not be available in all states. Copyright 2010, the ACE Group. All rights reserved.