Legal Notification – One Size Does Not Fit All
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
Medium, large, supersize... even fast food meals come in different sizes. After all, we want to be able to choose what is right for us and what meets our specific needs. Legal representation for cybersecurity incidents is no different. It should be customized to fit each client’s particular situation, addressing the nuances of the event and ensuring that the response is proportionate. There is no one-size-fits-all approach to legal notification, especially where consumers or clients of the affected entity need to be informed.
When a data security event occurs, the first consideration should be the legal factors. However, analysis of the various statutes and regulations does not always provide a definitive conclusion as to how the matter should be resolved. This is where a true holistic evaluation becomes important. For example, following a data security incident that occurred at a domestic violence shelter, it was determined that, from a legal standpoint, notification was not required. However, the shelter believed that to protect the community it served, notification was the right thing to do. Before making a final decision, we consulted Jason Maloni, Principal of JadeRoq, LLC, who helps clients comply with privacy disclosure laws while preserving the critical relationship that they have with their communities. Together, we weighed the risk of a third party discovering an abuse victim had sought assistance from the shelter against the possibility of misuse of that victim's personal information. After much discussion, the shelter eventually decided not to notify due to the possibility of it causing more harm than good. Instead, the shelter obtained dark web monitoring services, out of an abundance of caution, to ensure there was no misuse of its information.
In another instance, a data hosting company (MSP) was the victim of a ransomware attack. Because of the attack, the MSP’s servers were encrypted, and its customers’ data was inaccessible. Those customers in turn could not access their data and meet their day-to-day business demands. Initially, the MSP, concerned about its reputational risk, was cryptic in communications with its clientele. Unfortunately, this caused significant strain on the business relationships the company had worked so hard to develop. As a result, the MSP changed strategy and became more transparent with its clients, a decision that proved more beneficial to both sides in the end.
Having choices allows clients to opt for the one that works for them in their unique position. As these cases demonstrate, different circumstances call for different solutions to lead to the best outcomes. And sometimes engaging a communications expert can help.