Our CISO Lee Neubecker, CISSP, MBA, recently spoke with expert Jackie Cooney about data breach notifications. Cooney, who serves as the Senior Director of Paul Hastings LLP’s Privacy and Cyber Security Solutions Group, is a seasoned veteran when it comes to assisting organizations with data breach prevention and response needs. A transcript of this interview is available below.
Jackie Cooney: Sure, I’m the Senior Director of the Privacy and Cyber Security Solutions Group here at the law firm. We’re kind of a unique part of the law firm in that we’re very much integrated into the legal practice but what my group does is really provide solutions for clients who need to meet cyber security requirements.
Cooney: A potential breach? That’s a good question, and I actually get those calls quite frequently, maybe even on a weekly basis. “Hey, we think something has happened to our data, what do we do?” And, there’s a few threshold questions that I ask, number one “do you have cyber insurance, and have you called your cyber insurance company?”
Oftentimes cyber insurance companies will cover you but only if you use their counsel, and you use their forensic experts, so it’s important to know what your coverage is there. If you don’t have those kinds of limitations, or you don’t have cyber insurance, but hopefully most of your clients do have some coverage, or if Paul Hastings is on the approved list of the cyber insurance vendors, then we go on to step two.
So there’s that first question – do you have cyber insurance and have you called them yet – and then typically what I like to do is say give me the two-minute version of what happened, and then I can pretty quickly decide if this is a purely cyber incident or if this is a cyber incident that has some privacy implications. Then there are questions that go from there and, of course, if there’s something that has privacy implications then there’s a lot of regulations that you have to worry about that require notification.
Cooney: So, in the United States, if you’re talking about a U.S. company that operates only in the United States – and they’re becoming fewer and fewer, most companies are international, becoming international or have an international market – but if you’re talking about an incident that happens in the United States, U.S. only, it’s important to remember a couple of things.
Depending upon the type of information there might be federal laws that are implicated. If it’s financial information, there are federal requirements for reporting under Gramm-Leach-Bliley; if it’s medical information, specifically protected health information, and you’re an insurance carrier or health care provider, there might be reporting clients under HIPAA.
Even if you don’t fall under any of those federal statutes, there are 50 states that have different breach notification requirements. For example, there are 14 that have medical information as the threshold to have to notify people for breaches. So, it’s important to understand, in the United States, because we’re sectoral, and because our laws are federated among the states, that there are a lot of different places where you might have to notify.
If it’s international, of course, then the thing on everybody’s mind right now is the GDPR, or General Data Protection Regulation, which has breach notification requirements and they’re pretty onerous.
Cooney: You’re welcome.