A Q&A with John Mullen, Nelson Levine de Luca & Hamilton, LLP
The hours and days following the initial discovery of a breach are full of confusion and chaos. However, companies can save themselves from a lot of trouble later on down the line if they stay focused. We spoke to lawyer John F. Mullen Sr. of Nelson Levine de Luca & Hamilton, LLP in Blue Bell, PA, about dos and don’ts for companies in this situation—mostly don’ts.
The following is what he came up with:
- Don’t assume a breach won’t happen to you. It’s going to happen and you need to be insured. Even if you’re not a big multinational company that’s attracting hackers you are likely to have someone working for you who could accidentally leave their laptop with TSA at the airport and land you in a data leak situation.
- Don’t kid yourself. This was a breach. I’ve seen companies in the aftermath of an incident who don’t want to come to terms with the reality so they bury it. They put off dealing with it. They rationalize. It doesn’t help.
- Don’t rush to judgment. Meaning, don’t start sending out notice until you know how many people are involved. To the extent possible, don’t start responding until you have all of the facts.
- Don’t assume that the first factual answers you get are accurate. In all my years in the business, I have never encountered a case where the original version of the story ends up being the absolute story. The truth is always more complicated. See above.
- Don’t let your self-insured retention cripple you from taking the right action. In other words, don’t be cheap. If you’ve got a million-dollar problem, don’t let your 50,000-dollar checkbook force you to cut corners. At the end of the day, it’s just going to delay the action and compromise the situation.
- Don’t hire your favorite M&A lawyer for a breach case. This may sound self-serving but it’s also true: This is a specialty area of the law and you want a person who is an expert in this area to represent you.
- Don’t do what I call “panic hiring.” Yes, you have limited time to take care of the response, but don’t just hire the first vendors you meet. That’s the equivalent of walking into a car dealership and handing them your checkbook and asking the salesman to write in the price. You may be panicked but if you don’t hire the right people, they will take advantage of that and you’ll pay out of the nose. This is another reason to have cyber insurance, as many of the insurers have negotiated favorable rates with needed vendors.
- Don’t over-notify people when notice is required.
- Don’t ignore your vendor due diligence. If you’re handing off your data to a company to do your processing and they lose the information then you will likely still be held liable. Make sure the company has the insurance and capital to handle that kind of loss so you don’t get stuck.
- Don’t forget to create a response plan ahead of time.
10.b Don’t run a response by committee.
If you’ve got five people in charge, then no one’s in charge. Have a senior manager who handles decision-making and money spending in charge. If not, people will sit around looking at each other and it will take much longer to complete everything that needs to be done. - Don’t rush through any of the process. Yes, there’s a time element involved—typically 45 to 60 days. But I can’t tell you how many clients come to me and say they want to give notice tomorrow. I always have to slow them down because inevitably they will find out they were more exposed than they thought, and then everything they did would be wrong and they’d have to do it all over again.
- Don’t fight with regulators, and don’t let your lawyers fight with regulators. Picking fights doesn’t help anybody and if you get on their bad side, regulators will put you through years of hell. Show that you’re willing to bend over backward to work with them and things will usually go well.
- Don’t forget e-discovery.
Not saving your data up front can get you into big trouble down the road. - Don’t assume you can win the class action suit.
Clients come to me assuming they will win because there aren’t “sufficient damages,” but the courts are swinging the other way now and that is no longer the case.
In conclusion…
In assisting insurance companies in dealing with their data breach insurance claim incidents—on average about one per week, and no two events look the same—I find it amazing how many times we come across clients who trigger not one but several of the issues listed in Mr. Mullen’s list. The good news is that many businesses are starting to follow (albeit slowly) a prudent breach response roadmap, demonstrating that they have learned from either their past mistakes or by seeing other organizations (their peers/competitors) deal with a publicly reported incident.