Presented by: Jason C. Gavejian, Morristown Office, jason.gavejian@jacksonlewis.com, 973.538.6890

- Unauthorized use of, or access to, records or data containing personal information
- Personal Information (PI) typically includes first name or first initial and last name in combination with:
  Social Security number
  Driver's license or state identification number
  Account number or credit or debit card number in combination with access or security code
  Biometric information (e.g., NC, NE, IA, WI)
  Medical information (e.g., CA, VA)
- PI typically maintained by employers?
  Human Resources: applications, FMLA, disability, etc.
  Accounting: payroll documents
  Benefits: health, vision, dental
- Fines, Penalties, Settlements
  State Attorneys General: vary by state
    Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.
    Length of notification delay: Florida imposes fines when notification is not provided within the statute's mandated time frame (45 days). The fine is calculated at $1,000 per day for the first 30 days, and $50,000 for each 30-day period thereafter, with a maximum fine of $500,000.
  Health and Human Services: penalties and settlements in the millions of dollars
- Private cause of action: 14 states have some form of private action
- Employment context: loss, theft, improper access, inadvertent disclosure
  Laptop
  iPhone, Droid, iPad, tablet, BlackBerry
  Thumb drive, hard drive
  Email
  Shared documents
- Other instances: click/turn on the news
Need to take a number of steps to address the incident:
- Identify the internal team who will be handling the incident
  Executives/management-level employees
  Too much involvement must be managed carefully
- Adhere to existing internal procedures/data incident response plan; document steps taken
  Data incident response/HIPAA
- Notify/coordinate with insurance carrier
- Finalize the investigation and review results
  To respond to the incident and complete the required notifications, you will need to determine some key information:
    Nature of incident
    Date incident occurred
    Date incident was discovered
    Number of persons affected: total number of affected persons, and how many residents of each state were affected
    Names of persons affected (LA only)
    Contact person: who will be the contact person in the notification letter. Does not have to be the same person for all notifications; could be multiple persons
    Signatory of notification letters: same as the bullet above
Where is this information available?
- A review of activity logs on the company systems or backup tapes related to this employee
- Conducting a formal interview with the employee/others to help learn more about what information might have been saved on the device
- Consider also: the projects the employee worked on, the life of the device, how long the employee has been with the company. More information here may shape the steps that need to be taken below.
- Be careful of unreasonable delays to the notification
- File police report
- Litigation hold
- Data security agreements
  Review and confirm there is a data security agreement in place with the vendors that will be assisting
  Work with your insurance carrier, as they may have preferred vendors
- Determine whether this is a reportable breach
  State breach notification statutes and regulations: 46 states have a data breach notification requirement
  Definitions vary state by state
  Residency of the affected individual is key
  Risk of harm trigger: What is it? How can you make this decision? Document your decision.
  Employee relations concerns?
- Verify persons affected and contact information before and after sending notifications
  Last known mailing addresses
  Check all databases for current information, not just the personnel or payroll files. For former employees, consider looking at COBRA or retirement plan records.
  If you are unable to obtain accurate contact information, additional measures may be advisable/required.
  Even after letters are sent, you will need to have a system for collecting and addressing letters that were undeliverable.
- Determine whether credit monitoring services will be offered
  State laws do not require entities to provide credit monitoring services in the case of a data breach
  Protection? (e.g., only names and medical information, but not Social Security numbers or financial account numbers)
  Peace of mind for those affected, especially employees?
  Company image to the state agency investigator
  Review the services agreements with the vendor(s) and coordinate with the vendor(s) to obtain language to include in the notification letters
- Set up call center
  Why/why not: size of the breach
  Review services agreements with the vendors and include the appropriate contact information in the letters
  Lead time
  Develop a script for call center employees to use when responding to questions about the incident
  Public relations
  Develop an escalation process to address situations where the call center is not able to resolve a caller's concerns
- Coordinate with public relations (PR) department
  You will want to have public relations involved to review all communications, to ensure consistent overall messaging
  Notice to statewide media, depending on state and number of persons affected
  What if there is no PR department? Who will handle this? Human Resources? Legal? Both?
- Connect with letter fulfillment company
  Using a vendor to finalize and send the notices to the affected individuals raises similar concerns regarding vendor agreements
  Consider the number of persons affected and the cost of notification
  Substitute notice provisions: this usually involves providing notice by all of the following: email, posting on the website, and notification in statewide media
- Prepare and send breach notifications
  Federal law: HIPAA or SEC regulations/guidance (public companies)
  State law
  Notice to individuals: risk of harm/employee relations; specific content and timing requirements
  Notice to state agencies: if breach notice is required to be provided to residents of the state, some states require notice be provided to certain state agencies in the state
  Notice to credit reporting agencies: may need to notify the consumer reporting agencies of the breach (TransUnion, Equifax and Experian)
  Notice to owner of data: if you are not the owner of the data but maintain it on behalf of another, your obligation generally is to notify the owner
- Be prepared for complaints and agency inquiry
  Complaints with the FTC or the state Attorney General's office concerning the handling of the breach notification, or the obligations to safeguard the information in the first place
  Consider the following:
    Ensure a complaint process is in place and is effective for responding timely
    Review existing data privacy and security policies and procedures to ensure compliance, and have them at the ready to be responsive to agency inquiry
    Be sure appropriate parties are involved in the response