The Artful Balance of the Mandatory Confession: Data Breach Notification

By Shawn Dougherty March 10, 2014

Alerting your customers and the world that you have recently been the victim of a data breach or loss event is fraught with public relations and legal challenges. From the moment the event is discovered, the clock starts ticking: state notification deadlines generally run from discovery, not from the end of the investigation. The business must balance the need to fully investigate the breach or loss with the need to comply with state laws requiring notification both to the individuals affected and to government officials.

The difficult balance is illustrated in two different breach events that occurred in December 2013. Target confirmed its breach to the public in mid-December, four days after news broke online about the investigation into the breach. Neiman Marcus also learned of its data breach in mid-December but waited almost a month before revealing it to the public, when it confirmed an online news report.

While the Neiman Marcus delay might sound like a long time, revealing the information too early can depress sales during the busiest time of year. That business cost comes on top of expenses that are likely to grow as the company struggles to control the message and correct misinformation about the breach while the investigation continues. A 2013 study by the Ponemon Institute found that notifying too quickly after a data breach can raise a company's costs significantly, because early notices tend to be incomplete and have to be corrected or re-issued.

The mandatory confession is further complicated by the patchwork of 46 state laws, plus a separate law in Washington, D.C., that lays out a variety of different requirements and triggers. U.S. Attorney General Eric Holder has called for Congress to pass a federal law requiring businesses to notify the public and law enforcement about significant data breaches, something President Obama's administration has long supported.

According to a CNN report, support has grown for the Personal Data Privacy and Security Act of 2014, a bill proposed by Sen. Patrick Leahy of Vermont. The bill would require businesses to notify affected residents "without unreasonable delay" after the discovery of a security breach. It sets no specific deadline for notifying individuals, but it does require that breaches affecting more than 5,000 people be reported to law enforcement either 72 hours before individuals are notified or within 10 days of discovering the breach, whichever comes first.

Thankfully, many insurers offer policies that cover notification costs after a data breach. Those policies also often provide legal and public relations support that can help the company avoid further harm, including regulatory penalties and reputational damage, in the weeks following the breach.

If you want to learn more about data breach notification or any other aspect of cyber-liability insurance, feel free to e-mail me at sdougherty@iso.com. Also, make sure to follow me on Twitter @doughertyshawn.

Stay tuned for the next blog post in our Cyber Monday Series.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.