Data breaches will continue to occur, and when organizations are targeted, they may be subject to multiple state and federal laws requiring public disclosure. But as David Balser explains, how and when to reveal a breach isn’t a cut-and-dried issue.
When a company discovers that it has been a victim of a data breach, it is essential to act quickly. In particular, an issue of critical importance is when and how a breached company discloses the data breach to customers, business partners, regulators and the general public.
With respect to public-facing statements specifically, it is critical to be mindful of how such statements could be used against the company in any future litigation or regulatory investigation that may arise out of the breach. In some cases, the most beneficial statements from a business or public relations perspective may have the potential to create exposure in and complicate subsequent litigation.
There are obvious benefits to waiting until a company has a complete understanding of the cause and scope of the breach before making a public disclosure. But there are a host of statutes that require notification to affected individuals within a particular time period and provide a private right of action to assert a claim if the breached company fails to give the required notice.
These statutes currently exist in all 50 states and vary in how quickly they demand notice to be made to impacted consumers. For example, Washington requires notice within 30 days of discovering the breach. (Wash. Rev. Code § 19.255.010 et seq.)
Other states adopt a less clear-cut standard requiring “immediate” notice or notice within a “reasonable” timeframe. For example, Georgia requires that notice “be made in the most expedient time possible and without unreasonable delay.” (Ga. Code Ann. § 10-1-912.)
And while many of these state statutes allow a company to delay notice to determine the scope of the breach and ensure that impacted systems are remediated, they do not permit the breached company to delay notice until it has investigated every fact that could be relevant to how and why the breach occurred — facts that will be key to assessing liability in any future litigation.
Moreover, the patchwork of state and federal notice laws, which impose different notice deadlines and content requirements, makes a company’s response efforts even more challenging. In short, a breached company must provide notice quickly to avoid violating notification laws, while at the same time avoiding the risks associated with making incomplete or inaccurate statements about the facts of the breach.
Further, the language used in public disclosures can significantly impact future litigation, as illustrated in recent decisions involving plaintiffs’ Article III standing to assert data breach claims in federal court.
The issue of standing has become increasingly important in data breach cases. And at least at the motion-to-dismiss stage, there can be a critical distinction between plaintiffs who allege that their personal information was stolen versus those who merely allege that their data may have been stolen. For example, in a recent case in Arizona, the court focused on the precise language of the notice sent by the breached company to consumers and found that the plaintiff had failed to allege an injury for purposes of standing because the notice said only that the “Plaintiffs’ personal information ha[d] been potentially accessed.” Thus, when a company sends notice to consumers but has not determined that their personal information was, in fact, stolen, including appropriate caveats in the notice may dictate whether the consumers even have standing to sue the company in federal court (or state courts bound by an Article III analog).
Breached companies should also be wary of including language in notices or other public disclosures that arguably amounts to an admission of fault. While a company may have legitimate business and PR reasons for wanting to simply admit that it made a mistake and apologize for any inconvenience caused by the breach, statements of this kind can be problematic in future cases where the company is defending itself against liability and may need to take positions in tension (or inconsistent) with the company’s earlier statements. Statements like “we’re sorry we let you down” and “we failed to provide the level of service our customers expect” could be used by plaintiffs to paint the company as negligent or worse.
In a similar vein, there is also an inherent tension between warning customers that they are at risk and urging them to take appropriate steps to address that risk, on the one hand, and not suggesting that future plaintiffs in a lawsuit were, in fact, harmed by the breach, on the other.
In that regard, it may be difficult to strike the right balance between doing what is right for customers and avoiding creating additional legal exposure. For example, by telling customers they are at risk and should monitor their credit reports and institute security freezes (language which is required by some state notice statutes), a company may arguably be telling future plaintiffs to incur “injuries” that may support negligence and other claims. Even if it turns out that the risk of harm from the data breach was low (or even non-existent), plaintiffs could argue that they spent time and incurred costs trying to protect themselves at the direction of the company. Such “injuries” have, under certain circumstances, been sufficient to establish plaintiffs’ standing to sue and to support their claims, at least at the pleading stage of a case.
Finally, statements made in the aftermath of a data breach can have meaningful implications for a company’s ability to protect key documents under the attorney work product doctrine. If the company references its outside cybersecurity or forensic firm’s work in its public disclosures about the breach — for example, by stating that the firm confirmed the scope of the breach and that all vulnerabilities had been remediated — it may be more difficult to protect that firm’s written findings later in discovery.
That is because in many jurisdictions, a report may only be protected as work product if the primary purpose for its creation was to assist the company in defending against anticipated litigation. Relying on the report to support the company’s public statements about the breach (an arguable business purpose) may give plaintiffs’ counsel fodder to argue that the primary purpose behind the report was business, and not legal, in nature.
All of the complicated issues discussed above highlight why it is critical to engage outside counsel immediately upon discovering a data breach. Moreover, the speed at which key decisions must be made after a breach emphasizes the importance of having a well-established and rehearsed incident response plan in place before the breach occurs.
It is also a best practice to involve litigation counsel (both in-house and outside counsel) in the formulation of key post-breach communications — including SEC filings, press releases, statutory notices to consumers, responses to governmental inquiries and any other statements that will end up in the public domain.
Once a harmful statement has been released, it is impossible to take it back. Relatedly, a breached company should involve its litigation counsel early on to think ahead about the types of claims the company might have to defend against if litigation ultimately ensues.
After all, it is imperative to understand the potential theories of liability in order to ensure the company’s public statements are appropriate and consistent with positions it may need to take in future litigation.