Business Lessons Learned from the Equifax Breach: Week Two

Two weeks after one of the largest data breaches in history was announced, Equifax has come under fire for its breach response. First, reports that Equifax unnecessarily delayed reporting the breach surfaced. Then the efficacy of its website designed to tell victims whether they are a victim was questioned and its language caused consumers to worry about their rights. Next, reports were published indicating that Equifax managers sold stock between when the breach was identified and when it was announced. Now the qualifications of its Chief Security Officer are in the spotlight.

Businesses both small and large would be wise to draw lessons from Equifax's perceived missteps. We hope that you will find the discussion below useful. Be sure to also mark on your calendars for an educational and free-to-attend cybersecurity event taking place on October 4th. Registration is required and additional details about the event can be found here in the invite.

1. How Much Time Does My Business Legally Have to Respond to a Breach?

Depending on the type and scope of a breach, both state and federal regulations may dictate response standards. For example, Michigan law requires a business to provide notice of a breach "without unreasonable delay" to each Michigan resident whose personal information was accessed and acquired by an unauthorized person. It is the responsibility of the business that owns or licenses data, to determine whether the security breach is "likely to cause substantial loss or injury to or result in identity theft with respect to, one or more residents." This "risk of harm" approach is common among state data breach notification laws, and encourages businesses to send breach notifications if any risk of harm to individuals exists.

There are, however, circumstances when a business can delay sending notification. For example, in Michigan a delay is allowed if it is (1) necessary to determine the scope of the breach and ensure that the breach is no longer ongoing, or (2) law enforcement determines that notification will impede its investigation.

2. Should We Announce the Breach Before it is Legally Required to do so?

While legal requirements may dictate a minimum response time, it may be helpful to act faster than required to prevent damage to a business’s reputation and credibility. Customers, employees, and other businesses all understand that the time between a breach and its announcement can be the difference between successful criminal activity and prevention. As Equifax's response has shown, there will be no shortage of critics ready to talk about how a business's breach response was carried out. Of course, businesses leaders must weigh a quick response with ensuring that the breach is stopped and its scope is determined. One way to ensure a quick breach response is to have a written and practice incident response plan before a breach occurs.

3. Consider Other Reputational Effects of Your Breach Response.

Equally important as timeliness in a business’s breach response is how a business handles a breach. Although a response may be timely and legally adequate, skepticism regarding the systems implemented in response to a breach can be a business’s undoing. In today’s technology-driven society, the question is not whether a breach will happen, but instead, when a breach will happen. For this reason, it is necessary to have protocols and systems in place that are consistent and reliable. Employees should be trained both to prevent a breach and to minimize its reputational harm when one occurs.  

4. Consider Your Breach Response Team Now.

A key component of any breach response plan is the team assisting with its execution. In connection with an incident response plan, businesses should consider the role of key internal personnel, including who needs to know sensitive developing internal news, and when. Advance training and preparedness are paramount. It is essential that key employees who are expected to make statements and interact with the media are trained and available. However, it is likewise critical that frontline employees who may encounter questions from customers, media, and others receive adequate training as well. Establishing a dependable and trustworthy team can make all the difference in managing perceptions.

We recommend that all businesses take steps to protect their data and prepare for a breach now. If you are worried about the immediate and long-term steps you can take to mitigate your risk please contact a Foster Swift Attorney.