One of the biggest mistakes a company that experiences a data breach can make is to downplay the size of the breach and its effect on the victims, said attorney Jamie Sheller at the HB Litigation Conferences Second Annual NetDiligence® Cyber Risk & Privacy Liability Forum on June 9 in Philadelphia.
Sheller, an attorney with Sheller, P.C., said that downplaying the magnitude of a breach “inflames the victims” and “inflames the courts” when the real statistics are revealed to the government.
He suggested that companies be sure to make the “right deals with the right vendors” to provide credit monitoring to victims before a breach takes place and to avoid “panic buying” when it does.
“Even if you provide the best package [to victims] you’re not going to stop anyone from suing you,” he said.
Panelist Richard Bortnick, of Cozen O’Connor, said there are three typical scenarios in data breach cases—first, where the company assumes the risk of the breach before it occurs; second, where the company purchases data breach insurance coverage; and third, where the company has done nothing to prepare for a breach.
He said that the last scenario occurs in the “majority of cases.”
Bortnick also stated that the issue of cyber security is “in the cross-hairs of the federal government,” not only of the United States, but of other countries throughout the world.
“This is a global, international problem,” he said.
Lisa Sotto of Hunton & Williams said that much has changed recently with regard to enforcement of privacy and data security.
“A decade ago we had very few laws in this space. Now we have literally hundreds at the state level and several at the federal level,” said Sotto.
She said that a lot of “new players” are surfacing in the arena of privacy and data security.
“The Department of Commerce, for example, which was dormant for about 10 years on this issue, has entered the fray in the last year in a very big way. The FTC, which has always been active in this space, is re-invigorating its efforts. We’re now witnessing significant HHS activity, following a period of inactivity during the first nine years or so of HIPAA’s enactment,” said Sotto.
“At the state level we are seeing significant AG interest in this space. From about 2005 to about 2008 or ’09, I received only a handful of AG inquiries for breaches that we reported – and we’ve handled more than 800 breaches. In the last year or two, we have been getting inquiries from state AGs in droves. That doesn’t mean there are hundreds of enforcement actions, but there are many inquiries,” she said.
Sotto said that she is seeing a “huge amount of activity” on the statutory side.
“In Congress, there are half a dozen or more bills on the privacy front, some of which are comprehensive, others of which are pinpointed. On the state side, there is significant activity and there’s no question the states are leading the federal government by the nose. The states are far ahead and they are able to act much more quickly than the federal government,” she said.
“In my experience, generally, the biggest threat to a company’s cyber security is employees,” Ronald Raether of Faruki, Ireland & Cox said at the conference.
“I’ve noticed that people in my firm and people employed by my clients are all going out on Facebook—and we all know about the threats that Facebook and others like it can present. So, it’s a big issue that we’re struggling with, finding that balance between having good policies in place and realizing that employees are going to go out on these sites,” said Raether.
He said that another way that companies can address cyber security issues is to educate and train their employees to prevent attacks.
“For example, Customer Service Reps (CSRs) are trained to be helpful. It’s very easy to manipulate a CSR to provide a password or to reset a password and send it to an email address that’s not associated with the account. If I’m a hacker, I may have to call 10 people before I find the CSR that’s willing to circumvent the policies because they want to be helpful to me,” said Raether.
Another issue that companies should address is portability, especially where laptops, phones and other portable devices are concerned.
“There are a lot of issues with laptops, but a commonly overlooked concern comes up when the employee takes their laptop home and their children get on it and access the Internet. Children don’t have a concept of what is and what isn’t secure on the Internet, and they most definitely didn’t sit in on their parent’s company’s security training,” Raether said.