Legaltech News, June 2017
“Some state attorney general websites actually publish
these notifications,” she said.
Then, there’s the definition of “personally identifiable
information,” also known as PII. Most states define it as:
• Social Security number and name
• Driver’s license or state- or government-issued
identification card number and name
• Credit card or debit card information
Some states, however, have expanded that traditional
definition, said Krasnow, to data like passwords, medical
information and health insurance information.
What Content to Include
Laws in 21 states require specific content for breach
notifications; in four of these, entities must also report
on identity theft mitigation and prevention services.
Other required information might include the date
of occurrence, the date of discovery or awareness, and
whether to include contact information for regulators.
Still, even those in states without specific content
requirements may find themselves providing the same
basic information, Krasnow said: “When did this happen?
What happened? What are you doing in terms of helping
the affected individual? What steps can they take to
protect themselves? Who should they call or contact in
terms of regulators?”
Taney said businesses absolutely must plan ahead –
including what content they’ll need to pull together
given their customers’ location.
“Having the wrong content in a notification letter
can drive up call-in rates and complaints,” he said.
That will, in turn, increase the cost of the breach.
How to Prepare a Breach Response Plan
First and foremost, said Braun, you must know what
information could be breached and where potentially
affected individuals reside. Beyond that, it takes skill and
understanding to conduct a proper investigation and
“This is not simply an issue of having the right notice,” he
said. “You’re going to be making notification to a state
attorney general, the Federal Trade Commission, possibly
the FCC or other regulators, and you may have a lot of
explaining to do. And if, as part of your remediation
of the problem, you end up inadvertently destroying
evidence, that’s not a good thing.”
Next, Krasnow suggested having the appropriate contact
information on hand in the event that law enforcement must
become involved. That might include contacts at the
nearest FBI field office, the U.S. Secret Service, and local
law enforcement. And because a law enforcement investigation
can justify delaying breach notification until the entity
can more fully investigate the situation, involving law
enforcement could allow businesses to delay the notification
deadlines in roughly a dozen states. That delay typically
applies only where law enforcement determines that notice
would impede its investigation, and the notification must
still go out once that hold is lifted.
Finally, Taney said, businesses and counsel must ensure
they understand the data that was breached. For
example, does it include records of deceased persons? Minors?
How old is it? Krasnow added that this includes whether the
data is encrypted and how it is encrypted, as various
jurisdictions define encryption differently. Many state
safe harbors for encrypted data also fall away if the
encryption key was acquired along with the data.
“The average breach in 2016 cost $221 per record, but
having a breach response plan in place can reduce the
cost by up to $56 per record,” Warren said. “What should
you have in place to make sure you’re being proactive?”
“The most important thing is to identify the people at
the company who are going to own the issue and make
a decision,” Braun said. “You need an outside source
to assist you with the investigation and remediation of
issues. It sounds like a cost, but it’s a cost-saver.”
Critical to this is understanding the information you have.
“Every piece of information is another liability,” he said.
Helping clients better manage the chaotic time after
a breach by bringing forward your knowledge of
cross-border notification – and the proactive steps they
can take to make this time easier going forward – will
be an essential way for counsel to stay competitive