

Data breach: Not if, but when, experts warn

“It will never happen to us.”

That misperception puts businesses at risk for data breaches, experts say.

“The most common mistake is assuming your company won’t be breached because you’re not a large, multi-national company similar to the ones whose breaches are covered by the national media,” says Ari Bai, shareholder at Polsinelli. “In reality, however, every company is a target. Hackers, be they individual vigilantes, criminal organizations or nation-states, look for any and all data, and often the most accessible is that in smaller companies. Plus, small companies make for good ‘practice’ for hackers. Thus, when a company ignores the risk and does not set forth the proper protocols for protection and response, it is essentially asking to be breached.”

The 2015 Association of Corporate Counsel (ACC) Chief Legal Officers Survey revealed that one quarter of general counsel report their companies have been hit by data breaches. And according to the 2015 Cyberthreat Defense Report, more than seven in 10 respondents said their networks were breached in 2014, up from 62 percent in 2013. The average cost of a data breach in 2013 for companies in the United States was $5.85 million. The scariest part about the threat of a data breach is that experts agree there is no way to completely protect a business from becoming the victim of one.

“Once we develop a way to protect ourselves from something, the hackers are already using a new technique,” Bai says. “This is why preparation is so important. Liability for lack of preparation can financially devastate a company. You are going to get hacked — with preparation, you don’t have to lose lawsuits.”

Being prepared

Like any potential business catastrophe, limiting a business's risk of becoming the victim of a data breach starts with preparedness, according to Paul Stoller, shareholder at Gallagher & Kennedy.

“Every company should work with its legal professionals and IT staff to create and to implement a comprehensive data privacy and security plan, which will help to remove, or at least to reduce, the risk of many of the common causes of breach,” Stoller says.

Leon B. Silver, office co-managing partner at Gordon & Rees, says all companies, no matter their size, need to adopt data security as a core business practice throughout the organization and not look at it as something that is taken care of by one department or by an outside vendor.

“Policies on mobile devices, passwords and encryption are just part of an overall culture of data security awareness,” Silver says. “But be aware, a breach can happen.”

Heather Buchta, partner at Quarles & Brady, says business leaders need to engage in some internal due diligence and ask themselves these questions:

• What internal policies are in place to protect data?

• Is there a policy against removing devices from the business location?

• Is there a policy to encrypt data?

• Even more basic, what kind of data does a company have?

“Risk of a breach increases as the volume of data a company has increases and oftentimes the data wasn’t even used by the business,” Buchta says, “which is creating an increased risk for no business purpose.”

Despite a company’s best efforts to lower its risk of a data breach, Buchta says today’s hackers are getting more sophisticated and businesses always have the added risk of employee error.

“The risk really lies in what was done ahead of time to try and prevent a breach and how the incident is handled afterward,” she says.

After the breach

While a business can be proactive in taking the appropriate steps to minimize risk and in equipping itself to handle a loss or theft of data or information, there are no measures that provide a guarantee of security, Silver says.

“In fact, virtually every mid- to large-size company has already likely been breached, but the extent is either not known, or is not significant,” Silver says. “A big source of loss continues to be human error. That, coupled with continually evolving technology and more sophisticated theft/hacking measures equates to an ongoing need to stay ahead of the curve and simply arm yourself the best you can by adhering to and enforcing strict privacy policies following a thorough risk assessment.”

So what should you do if you’ve taken all the proper steps to reduce your risk of a data breach and your business is still victimized?

“The first thing is always to identify the source and to fix the issue that caused the breach so that there is not any further loss or theft of data,” Stoller says. “After that, the business needs to work with its IT professionals to investigate what caused the leak, to identify those persons who may be affected and to preserve evidence of what happened.”

Stoller says it’s also imperative to work with legal professionals to determine a business’s legal obligations after a breach, including notifications to affected persons and government agencies.

“Don’t delay in investigating and don’t delay in calling in the experts,” Buchta says. “Businesses should have an incident response plan and that plan should identify the key players to investigate and manage a breach — legal counsel, IT forensics, operations/HR, public relations and the executive team.”

Because experts say a data breach is almost inevitable, it’s crucial for a business to develop and enforce sound privacy policies, including a response plan should a breach or loss occur, Silver says.

“Such policies will also need to evolve over time as technology continues to improve,” he says. “The bottom line is to expect the unexpected, think ahead, keep thinking ahead, and do your best to prepare.”

Advice from experts

Here is what Valley legal experts advise businesses to do to lower their risk of a data breach:

Ari Bai, shareholder; and Nick Verderame, associate, Polsinelli: “Start preparing now. Bring in technical and legal help to assess your data and risk levels, create technical protections, implement company procedures to protect against leaks, educate your employees and leadership, organize annual ‘fire drill’ tests and prepare a reaction and notification procedure.”

Heather Buchta, partner, Quarles & Brady: “Know your business. Know what data you have. Have an incident response plan in place in advance to facilitate the handling of an event when it occurs. Note I said, ‘when it occurs,’ not ‘if it occurs.’”

Leon B. Silver, office co-managing partner, Gordon & Rees: “Begin by assessing risk, including the availability of special ‘cyber risk’ insurance, which is not just for hacking and may provide coverage for both investigation and response costs, as well as defense and/or indemnity for third-party claims.”

Paul Stoller, shareholder, Gallagher & Kennedy: “The best practice for a business is to create and maintain a comprehensive data privacy and security plan. That begins with an audit of the business’s data and the development of policies and procedures to manage its confidential information. Then, it is essential to train employees on both the policies and procedures and the potential threats to the data’s security.”


New COPPA Regulations: Are You Ready?

Less than two weeks remain before the effective date of amended regulations for the Children’s Online Privacy Protection Act (“COPPA”). With the new and expanded definitions under the amended regulations, COPPA may have an impact on you now, even if it didn’t previously. If you haven’t already done so, now is the time to review your processes in anticipation of compliance, as the requirements become effective July 1, 2013.

COPPA was enacted in 1998, and the FTC’s implementing rule took effect in 2000, prohibiting website operators from knowingly collecting personally identifiable information from children under the age of 13 without notice and verifiable parental consent. However, as technology has continued to advance, the FTC has recognized a need to amend the definitions under the regulation to sustain the intent of COPPA. “Personally Identifiable Information” has been expanded to include (i) geolocation; (ii) audio, photo, and video files that contain a child’s image or voice; and (iii) persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs. None of these items is traditionally (at least within the United States) considered to be personally identifiable; nevertheless, under the new regulations, a website operator cannot collect them from a child under 13 years of age without parental consent, and “collection” now includes even passive tracking.

There are a few limited exceptions to this prohibition under the new regulation: No parental notice or consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Further, the revised definition of “collection” lets operators allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete any personally identifiable information before it is made public.

On the other hand, with the expanded burdens on the restriction of data collection comes a bit more flexibility, as the new regulations also expand the acceptable types of verifiable parental consent. The new definition of “verifiable parental consent” expressly contemplates electronic scans of signed parental consent forms, video-conferencing, the checking of government-issued IDs against known databases, and requiring a parent to use alternative payment systems such as debit cards and electronic payment systems in connection with a monetary transaction.

The new regulation also closes a loophole that had previously existed with use of third-party ad networks by expanding the definitions of “operator” and “website” to include third-party data collectors. For example, third parties will no longer be permitted to use plug-ins on kid-directed apps to collect personal information from children without parental notice and consent.

In addition to the change to the current definitions, the new regulations impose tighter data security obligations, focusing on the release of data to third parties and on stricter processes for data retention and deletion. The FTC now requires reasonable steps to ensure children’s personal information is released only to companies that are capable of keeping it secure and confidential. Finally, the regulation requires reasonable procedures for data retention and deletion to help ensure information is not kept longer than reasonably necessary and to ensure it is securely deleted.

On a final note, if you have previously applied to be, and have been approved as, a member of a COPPA safe harbor, be prepared for an audit. The FTC is requiring enhanced oversight of such organizations by requiring the self-regulatory safe harbors to audit their members.

With each new wave of internet sophistication and technology, we will likely continue to see expansion of the applicability of COPPA. More and more entities are building their business models off of “big data” and the collection and use of such data online. With that kind of business, however, comes the privacy regulations, and the FTC considers COPPA a useful tool in its toolbox to continue to enforce online data privacy.

Take a deep breath and dive into the definitions — the fully revised rule can be found at 16 C.F.R. Part 312 (http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf). Contact your data privacy counsel to help you sort through the new definitions and see what your obligations might be under the new regulatory scheme. The earlier you can sort through your potential compliance issues, the sooner you will be able to minimize any potential liability and exposure, and thus protect your business, its assets, and its reputation.

For more information on data privacy issues of all kinds, contact Heather Buchta at (602) 229-5228 or heather.buchta@quarles.com, Cameron Robinson at (602) 229-5285 or cameron.robinson@quarles.com, or your Quarles & Brady attorney.