Turns out the best way to manage a data security breach could also reduce downtime, ease reputation damage and avoid legal penalties and fines.
Attorneys from Fitzpatrick Lentz & Bubba in Upper Saucon Township spoke to about 40 participants at a Manufacturers Resource Center cybersecurity event Tuesday at MRC headquarters in Hanover Township, Lehigh County.
“Stop the bleeding,” said Kenneth R. Charette, an attorney with FL&B specializing in corporate, business banking and health care law.
Once discovered, it’s essential to shut down the data breach and begin to take investigative action.
Charette said the second step should be to hire or bring in data forensics professionals to gather information and isolate any malicious software and then to follow through with reporting the breach to legal authorities as soon as possible.
“You have to follow reasonable” reporting timetables, Charette said. While Pennsylvania does not specify timetables for reporting data breaches, 60 days is typical, he said.
Charette said Uber’s data breach, which exposed personal information of more than 57 million riders, was a case in point for prompt reporting.
“They not only waited for over a year, they tried to cover it up,” Charette said.
Waiting to report and trying to cover up the breach could result in significant fines as well as damage to Uber’s professional reputation.
According to the Washington State Attorney General’s Office, a multimillion-dollar consumer protection lawsuit would be filed against Uber.
“Other states have 30/60/90 day requirements, so it’s important to know if you have reporting obligations in other states,” Charette said.
That means a business doing sales in other states – or overseas – is also responsible for reporting data breaches there.
As laws change, here and abroad, knowing reporting criteria for other countries becomes important to ensure compliance and potentially avoid fines or penalties.
“Rules are evolving. If you are doing business with other states and countries and a breach occurs, know you will be required to comply with their regulations,” said Timothy D. Charlesworth, an FL&B shareholder and attorney specializing in corporate, business and banking, and international business and trade law.
Meanwhile, businesses should consider data breach insurance, which could help companies avoid out-of-pocket costs and damage to their professional reputations.
“Having a predetermined cybersecurity plan in writing may also help lower premium costs for insurance coverage,” Charette said.