Employee Retaining Stored Patient List on Personal Laptop Triggers Data Breach Obligation

An employee of East Bay Perinatal Medical Associates (EBPMA) in Oakland, CA, retained on his personal laptop a patient list that he had prepared as part of his job. The list did not contain PHI, but it did contain PII. The Berkeley Police discovered the list during an unrelated investigation and notified EBPMA that it was on the computer. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for EBPMA.

Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that EBPMA had to send out!

Notification

Employee Viewing Information Without Authorization Triggers Data Breach Notification Obligation for Credit Union

An employee of Golden State Credit Union viewed member account information, containing Personally Identifiable Information (PII), without having the requisite authority to view such accounts. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for the Credit Union, which offered credit monitoring services to those affected.

Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that Golden State had to send out!

Golden State Credit Union Breach Notification Template


Why every CIO needs a cybersecurity attorney (my comments on why this is my favorite article ever)

Wow, this article seriously just made my day.

I will apologize in advance to my friend and CSO writer Michael Santarcangelo (@catalyst), but this may very well be my favorite article — anywhere — of all time! And, thank you, Tom Hulsey (@TomHulsey), for sharing it with me! As for you, Ms. Kacy Zurkus (@KSZ714), all I can say is, great job on this article!

Why is it my favorite article?

Well, if the title of the article did not give it away (yes, there’s a reason we attorneys are the 2nd oldest profession … we’re pretty close to the 1st …), then consider these snippets:

“Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.” (Have I not been preaching the need for breach response plans??? See Why Your Company Needs a Breach Response Plan: Key Decisions You Must Make Following A Data Breach (Aug. 3, 2015) and More Posts)

“But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company’s legal risks. But partnering with an external firm boasting security expertise can also help the CIO navigate through several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.” (ahhh yes, music, sweet music to my ears!)

“’The breadth of industries who need this type of counsel has exploded,’ says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report.” (preach it sister Amy, preach it!)

“Because every company now has data online – including personally identifiable information (PII), trade secrets and patent information – Sheehan says, ‘There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws.’” (I could not have said this any better myself, dang Kacy, you are good!)

“Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.” (mmm hmm, as I write this, there is a leader of a company who did not know my name or know what a “cybersecurity attorney” was on Monday of this week … today (Thurs. morning), I am his new best friend and he calls me more than my wife does!)

“CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, ‘negotiating with the government or a complicated investigation that requires more manpower’ demands the expertise of a cybersecurity attorney.” (exactly — those who are looking back with 20/20 hindsight, following a breach, are not technical people, they are lawyers: agency regulators, state attorneys general, judges, and plaintiffs’ lawyers — you need a legal perspective for this)

“’To not have a cybersecurity attorney on retainer is foolhardy at best,’ because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.” (exactly!)

“Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident or a breach will drive the company’s response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determines who speaks to whom when and about what. ‘The plan should be very basic and the attorney is a key part in designing the plan,’ Thompson says.” (privilege can be a huge issue — and as for those Incident Response Plans, definitely use the KISS method)

“Additional risks exist around response time in the aftermath of a breach. According to Sheehan, ‘You’ll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common – it’s filed immediately after a breach, and counsel is involved in mitigating litigation risks.’” (what you do pre-breach can have a huge impact on how you are impacted post-breach, from a liability standpoint)

There is a lot more delicious medium-rare red meat (filet mignon, to be exact) in this article so go read it — NOW! Why every CIO needs a cybersecurity attorney | CIO.

Why Your Company Needs a Breach Response Plan: Key Decisions You Must Make Following A Data Breach

Companies must be prepared for a data breach. It is just a fact of life, plain and simple.

The developing standard of care requires that companies give some thought to how they will respond when the inevitable occurs — and they really, really, really should have a written Incident Response Plan in place. This is part of the basic “blocking and tackling” that I often help companies with, before there is an incident, and, in the big scheme of things, it is not an expensive process.

Remember the lesson of my video: you don’t drown from falling into the water, you drown from failing to get out. This is a big part of how you get out!

Recently, I read an excellent article that discusses Incident Response Decision Making, by Chris Pogue. Pogue discusses 7 key decisions that a company must make following a data breach.

Some of these 7 key decisions are not only things that may be planned out ahead of time, but they are also things that should be included in a written Incident Response Plan. Then, when the inevitable occurs, you are not running around trying to think of what to do – IN A PANIC!

Instead, you already have a plan in place and are ready to execute that plan, carefully and methodically, to protect your company. And, by the way, the answer to the first question is ALWAYS YES!

  1. Should We Retain External Legal Counsel?
  2. Should We Bring In External Forensics Experts?
  3. Should We Engage Law Enforcement?
  4. How Should We Respond to Media Enquiries?
  5. What Should We Tell Our Executives, Investors, and Board of Directors?
  6. What Should We Tell Our Customers?
  7. Should We Pursue or Protect?

Incident Response #3: Decision Making by Chris Pogue (@cpbeefcake)

Cybersecurity & Data Breach: You Don’t Drown From Falling Into the Water

“You don’t drown from falling into the water, you drown from not getting out.” Think about that — and think about how that applies to cyber security and data breach issues facing companies in today’s cyber world. Here, in my first ever video blog post, I explain this issue with more detail.

Businesses Beware: You need to understand and adopt EMV / Chip-and-PIN Technology

“Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of Oct. 15 for a “liability shift” that, for the first time, would make merchants liable for fraudulent charges that result from using point-of-service readers that can’t read chip-and-pin EMV cards. The issuers have been implementing the technology, but it’s still up to companies including Home Depot, Target, Neiman Marcus and others to implement it or be held responsible for fraud resulting from continued use of magnetic strips.”

This quote comes from Chip-and-PIN Procrastination Is Endangering Your Credit Card, an excellent article that goes into great detail to explain this technology, why you need it, and why the security benefits outweigh the inconvenience factor.

Blue Goose Cantina Data Breach

Presentation tomorrow – Collin County Bar Ass’n Corporate Counsel Section – here’s the question:

“What do I talk about?”

No, it’s not that I don’t have anything to say — for goodness sakes, you all know that I always have something to say!

The problem I am having is that I had planned to talk about cyber risk compliance and the key elements of what a good cyber risk compliance program needs to include and why. Interesting topic, right? :)

But tonight I saw where a local restaurant that just may be my favorite Tex-Mex place of all — Blue Goose Cantina — had a data breach last week. What was interesting is that they announced it via Facebook at what seems like a very preliminary stage. So, I am thinking I just may make this the focal point of my presentation and use it as an ad hoc case study.

Leave me a comment and let me know what you would rather hear?