After a Data Breach: Notifying the Exposed

Jared Wade


February 1, 2012

Data breaches now seem like something no company can avoid. No matter how strong the security, cyber infiltrators have shown time and time again that they can get into nearly any network. The key has become detection and ensuring that anyone who infiltrates your system is not there long. This means that more companies will have to go through the public disclosure process that is being mandated by both the state and federal government whenever private customer information is exposed.

To get a better perspective on the world of notification requirements, we spoke with Jim Whetstone, who heads the U.S. technology and privacy division at Hiscox, a specialty insurer based in Bermuda.

RM: Why is the federal government taking an increased interest in mandating notification requirements for companies following a data breach?

Jim Whetstone: If I give a cleaning lady an access code to my house to come clean when I'm away, there is an expectation that she is not going to share it with anyone. In the technology world, it seems like we're asked to -- and willing to -- give out our credit card numbers to just about anybody who asks. And we have this assumption that they're treating it the same way. When they don't, it is the equivalent of that cleaning lady accidentally allowing a bunch of other people to get access to my garage door code.

Now, the government is stepping in to say, "Look companies, if you've allowed somebody access to that garage door code, you need to let that person know that it's been disclosed. You owe that to them."

RM: Is this affecting companies' actions?

Whetstone: When the related cyber-insurance products first came out, we had heard rumors about some large companies that had significant breaches in the past but never told anybody. I think that's exactly why regulators -- first at the state level and now at the federal level -- are stepping in. They're saying, "We can't assume that companies are going to do the right thing and let people know when there has been a breach, so we're going to tell them they have to let people know."

I think that's the exact role of government: to protect consumers and to protect investors in this type of situation. It's an obligation of governments to make sure that, where companies and entities aren't doing the right thing, lawmakers would step in and place the onus on them.

Obviously companies are going to have to respond. Their 10-K [annual reports] are going to have to be updated appropriately. It puts focus on this exposure to the point that these companies will start to improve their handling of this data.

RM: What sort of challenge do disclosure requirements pose for companies?

Whetstone: Think about a situation where someone breaks into my car and steals a laptop out of the back seat and there was some sensitive information on the hard drive. Odds are, that person took that computer and sold it on eBay and had no idea that information was on there. Whether or not we have evidence that the person was aware of the data, these regulations require that I notify those individuals. In the past, I would have just gone to my IT department and told them my laptop was stolen and -- maybe -- filed a police report.

Now, you have to incur the cost for notifying individuals, the forensic analysis, the call centers. Those are costs that companies in the past didn't have to incur and now they do -- for an event where you don't even know if the [thief] knew the information was on the computer.

RM: So you may be paying all this money for what is essentially a non-event?

Whetstone: Possibly a non-event. And depending on what information is on there, if it's Social Security numbers, I've talked to enough plaintiffs' attorneys that said those are the events they look for so they can file class action lawsuits on behalf of the affected individuals.

Again, there was no evidence that the information was used or that there was financial harm, but lawsuits still get filed. That adds the costs to defend against those. And then there's the regulators. There may be an attorney general who says, "OK, you had an event dealing with Social Security numbers. I'd like to look into that."

RM: And we could be talking about hundreds of thousands of dollars or more?

Whetstone: It depends on the size of the event. Just the forensic analysis on a lost laptop, I've been told by some forensic firms, can cost $10,000 or more. If you're talking about a hacking event, for instance, then it could be hundreds of thousands, if not millions, just for the forensics analysis -- let alone the costs to notify and set up credit monitoring services.

RM: Then comes the subsequent investigation and legal proceedings?

Whetstone: A defense attorney I talked to said that if it's a multi-state class action suit that's been filed, just to get that dismissed can cost millions of dollars.

RM: In that sense, are we being too careful in trying to notify everyone whenever there is a breach?

Whetstone: Possibly. I think the intent of some of these regulations is to impress upon these companies that you need to do a much better job of protecting the information so you don't have these events. And I think the more that is published about how much it costs to satisfy these regulations and respond to these events, I think companies will do more of a risk assessment of whether or not they should be investing in encryption.

Had that laptop in my back seat been encrypted, I wouldn't have to notify anybody. Was it worth $15 to encrypt that laptop instead of having to pay thousands -- or potentially millions? That kind of analysis is going to be happening more and more, I would think.

Jared Wade is a freelance writer and a former editor of Risk Management.