Breached or soon to be breached . . . plan anyway (Part 3)

Planning for a breach is a business requirement whether you have been breached or not.

Understanding and managing the risks associated with the changing world of data security, and being prepared for breaches and how to respond, have become business necessities. This three-part series, based in part on a presentation given by Michele L. Cohen, a principal with the law firm Miles & Stockbridge P.C., at Trellance’s immersion 2018 conference, outlines the balancing act between convenience and data, and provides a framework for preparing for breaches and what actions to take in response. Part 1 focused on what is at risk, what causes breaches, and the fact that breaches are inevitable. Part 2 focused on planning and preparing documentation for the inevitable. This Part 3 will explore three areas that require special attention: the legal considerations regarding breach notification; the contracts an organization has with vendors who have access to data; and having the right insurance coverage.

The popular ride-sharing app Uber disclosed in November 2017 that hackers had stolen 57 million driver and rider accounts. What was more disconcerting was that the company had kept the data breach secret for more than a year after paying a $100,000 ransom. According to Stateline magazine:

The state of Pennsylvania sued Uber for waiting more than a year to alert drivers and customers that their personal information had been hacked; the state’s attorney general argued that the ride-hailing company had violated a state law mandating that companies notify people affected by a data breach “without unreasonable delay”. Suits were also filed against Uber by Los Angeles and Chicago for violating their laws that define how quickly consumers must be notified once a data breach is discovered. Pennsylvania’s phrase “without unreasonable delay” is typical of many states, as is “in the most expedient time possible”.

