The current trend in class-action litigation makes thinking like a litigator imperative when working on what to do before and if a data breach occurs.
The announcement of yet another business suffering a data breach is fast becoming ho-hum news. Unless, that is, you happen to be one of the 175,669,297 individuals reported by the Identity Theft Resource Center (PDF) as having sensitive personal information stolen. The organization keeps a running tab of identity theft reports, and as of November 3, 2015 there have been 641 reported data breaches in the US in 2015.
As the number of breach incidents climbs so does the number of class-action lawsuits. For example, banks affected by Target's high-profile data breach have banded together and recently won approval to continue with their lawsuit. Reuters quotes Charles Zimmerman, one of the lead lawyers representing the banks, as saying, "This important ruling brings financial institutions one step closer to collectively holding Target accountable for its unprecedented data breach."
As to why the surge in class-action litigation, Paul G. Karlsgodt, a partner at BakerHostetler, writes on Practical Law (PDF), "Data breaches affecting the personally identifiable information of individuals provide an attractive target for class action litigation because they often arise out of a single event of data exposure and provide a large pool of people for a potential class, which increases the settlement value of a case."
Think like a litigator
According to Cynthia Larose and Meredith Leary, members of the law firm Mintz Levin, when it comes to dealing with the legal aspects of data breaches, organizations must be able to explain in the aftermath that actions taken before and during the data breach were reasonable. To do that, both attorneys say responsible parties within the company need to plan ahead and think like litigators, which to them means abiding by the following.
1: Fail to plan equals plan to fail
Have a plan in place for what is going to happen if there is a breach, and what has been done to prevent it. Without a plan, it will be difficult to comport yourself if and when a data breach occurs.
2: Big problems first, small problems later
Creating a perfect security plan is a good idea. However, perfect is far from practical and could stop or delay the implementation of a security plan — something the the Federal Trade Commission frowns upon, especially if a data breach occurred during that time.
3: The criticality of the tone at the top cannot be overstated
Upper management must show by example to employees and vendors alike that complying with training requirements and security standards is an important company objective.
4: You cannot prevent idiocy, but you can train
The members of the Data Privacy and Security Practice at Mintz Levin find it impossible to prevent people from doing things — like clicking on links — they shouldn't. Larose and Leary stress that training will lessen mistakes and raise employee consciousness. Moreover, when company officers are asked how a breach could happen, they can explain that everything possible, including training, was done to lessen the likelihood of being a breach victim.
5: Make good email practices your fight song
From a litigator's perspective, good email practice is of ultimate importance, especially for the company's legal and compliance officers. Incriminating emails when making decisions about data security or worse yet when a breach occurs can skewer or crucify the company.
6: Say what you mean and mean what you say
A policy that is not followed is excellent fodder for cross-examination for regulatory insight, because they know things are in place, you know what to do, yet are not doing them.
7: Avoid inconsistencies wherever possible
The left hand needs to know what the right hand is doing. This is another area where litigators and plaintiff lawyers will try and take advantage.
8: Know what your peers are doing
If the company is taking a different approach and there is a good reason, make sure to document the process and decision why to use the different approach.
9: Document close calls
If you have a close call, document your decision and carefully consider whether you want privilege to apply or not and why. This is all about protecting the company.
10: Imagine your story being told to the world
Think about your story being played on a movie screen or covered in excruciating detail on the front page of The Wall Street Journal. Every decision made should be reviewed later with the benefit of perfect hindsight. It is important to think about if and when extraneous records are created. For example, would it be better to write an email or call and talk about a sensitive issue? It's something to consider should litigation arise.
Data security is a new area of litigation. The US federal government does not have a unified set of data security regulations. Moreover, what is on the books only protects certain types of data in specific industries (Graham-Leach-Bliley, COPPA, HIPAA, etc.). Worse yet, there is only a patchwork of statutes and regulations at the state level.
Adding "think like a litigator" to the checklist of things to do when planning for or in the midst of a data breach seems like good advice.
Note: Cynthia Larose wrote the blog post Data Breach Planning in 10 Easy Steps: How to Think Like A Litigator, and Meredith Leary comments on each of the 10 steps, which were paraphrased from the company's presentation Tricks, But No Treats: A Halloween Visit to the Frightening World of Data Security Litigation.