Why States' Breach Notification Clocks May be Running Slow
Many state breach notification laws have strict timelines in place around when companies must provide notification, but the time it takes to get there could be extra padding on that deadline.
October 25, 2019 at 08:00 AM
Earlier this week, virtual private network service provider NordVPN formally announced that one of its third-party data centers in Finland had been hacked back in March 2018. The confirmation arrived shortly after rumors began circulating online about the unauthorized intrusion, but more than a year after the actual incident itself.
Since personal data was not compromised during the hack, NordVPN was spared the burden of having to comply with any one of a number of state breach notification laws dictating the timelines companies need to abide by for alerting impacted parties about a cyber intrusion.
However, while most of those states typically place those notification windows around 60 days or less, there are several factors that can impact if and when that clock starts running.
"I wouldn't say any of these deadlines get extended. The question is whether they get triggered or not," said Mark Schreiber, a partner with McDermott Will & Emery.
Successfully determining the answer to that question can on occasion be incredibly complicated, and time-consuming.
Michael Waters, a shareholder at Polsinelli, used the example of a company that finds malware on its system and is forced to confront a series of questions, such as what that malware does, how it got into the system and what else the person who put it there may have been able to access.
"Oftentimes just because you know that there's been some sort of data incident doesn't mean that you know that a 'breach' [has occurred]," Waters said.
Per Schreiber, some states do allot organizations the time to perform the necessary forensics to determine the nature of the cyber intrusion that occurs.
For the company's legal team or counsel, that typically means working their way through a series of long flow charts to determine what state breach laws may or may not have been triggered.
While that process usually begins immediately, the time it requires is difficult to quantify since forensic results emerging in parallel can often change the answer. "There's not a single bright line to how long the process takes," Schreiber said.
Still, organizations shouldn't be tempted to use that process to indefinitely postpone the notification process. Waters indicated that states are typically not prone to viewing ignorance as bliss.
"They will often ask questions about when did the incident occur, when did you become aware that there was a breach and other timeline items. So it is important that the organization address these things promptly," Waters said.
But if a company like NordVPN finds itself without any legal obligation to disclose the breach, why come forward at all?
Schreiber indicated there can sometimes be strategic reasons for companies to come forward of their own volition, whether it's because news has started to leak indirectly or they simply want to be proactive.
"I haven't seen too many voluntary notifications, but sometimes it happens," he said.
Waters, on the other hand, pointed to data gray areas like usernames or passwords, which are only considered personal information under the auspices of some states. Some may consider it to be their fiduciary or moral obligation to let people know those items may have been compromised.
"A lot of time the calculus is going to be around, what is the impact going to be to individuals if we don't provide notice?" Waters said.