It’s unfortunate, but power drills, hammers and screwdrivers won’t fix the data security problems that a lot of companies face. However, with its new “Data Breach Toolkit,” law firm Steptoe & Johnson LLP has introduced a different set of tools—based on legal experience—that may help companies get on track when it comes to combating data breaches, and mitigating their negative impact.
The tool kit has three sections. The first two, “Before a Breach Occurs” and “After a Breach Occurs,” contain specific checklists for companies to follow to make sure they are ready for whatever data breach threats might come their way. The final section is a road map that provides information about data breach statutes around the U.S.
The people behind the tool kit are members of Steptoe’s privacy and cybersecurity team, which is led by three partners: Michael Vatis, who has served as founding director of the Federal Bureau of Investigation’s computer crime program; Jason Weinstein, a former deputy assistant attorney general at the U.S. Department of Justice who supervised the Computer Crime and Intellectual Property Section; and Stewart Baker, a former first assistant secretary for policy at the U.S. Department of Homeland Security.
Weinstein told CorpCounsel.com that although high-level corporate decision-makers have become a lot more sensitized to the need for improved data security, they still have plenty of questions about this emerging risk area. “When you talk to them, one of the things you hear all of the time is that a lot of them say they don’t know where to start,” he said. “The tool kit, in part, is designed to tell you where to start.” Weinstein added that although the kit isn’t a substitute for legal advice or forensic assistance, it can provide a helpful “road map” to addressing data security challenges.
The tool kit’s “Privacy and Security Assessment Checklist” provides preparation and protection guidance for companies that want to mitigate the danger of data breaches before they happen. Vatis stressed the importance of preparing for the worst, explaining that even the companies with the best technological defenses have to assume, in this day and age, that they could experience a breach. “These hackers are just too sophisticated these days for any company to be sure they can keep them out,” he said.
Plenty of companies Vatis has seen have put pen to paper in order to create a detailed plan for dealing with a breach. However, he said, just mapping it out isn’t enough. Plans should be rehearsed with every concerned party involved, from top management and outside counsel to the communications department and the general counsel. “That’s why one of the things we have in the tool kit is doing an assessment via ‘tabletop’ or actual exercise,” Vatis noted.
The tool kit also lays out a list of priorities for an organization when the data breach they’ve been worrying about and planning for actually happens. This “Incident Response Checklist” identifies critical steps that need to be taken to stem the damage and move forward.
One of the initial ways an organization can move forward is by telling the right people and entities about the data breach. The third tool in the tool kit can help with this. The “Breach Notification Law Roadmap” contains detailed guidelines from 51 different jurisdictions in U.S. states and territories that each have their own set of rules for handling data breach notification. Especially for a company with customers and operations across many states, the lack of a unified national law for notifications can make dealing with a breach even trickier.
According to Vatis, while there are a lot of similarities at the core of security breach notification laws state-by-state, there are also plenty of subtle differences. For example, he said, one state might require an organization that has experienced a breach to notify regulators first, while another might ask that the organization inform affected individuals first. “It’s in those details that it’s easy to go wrong,” said Vatis.
Weinstein said he urges companies that want to make sure they plan properly for data breaches to seek the help of knowledgeable outside counsel. Preparation work for a possible breach, he noted, is best protected under attorney-client privilege.