CD: Could you provide insight into cyber and data breach developments over the past 12 months? How do we generally define what constitutes a breach?

Taney: It has been a busy 12 months with regard to data breach regulations. Just recently, Alabama and South Dakota joined the other 48 states and now have notification requirements, as well as regulatory notification dates being set for Canada, the EU and Australia. US notification requirements force organisations to notify individuals whose data was compromised within a certain time frame after discovering the breach. A data breach is defined as a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an unauthorised fashion. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

CD: Once a breach has been identified, what initial steps should a company take? What regulator and consumer notification requirements might be triggered, for example?

Taney: Once a potential data breach has been identified, it is critical to move quickly, as the date when the incident was first uncovered could be the date when all of your notification requirements will be due. Quickly pull your response team together and notify your insurance broker or carrier, if insured. Getting in touch with your attorney is also critical, as it allows all findings during the investigation to be part of attorney-client privilege.

Jul-Sep 2018 issue