Cyberlaw

The High Cost of Reporting a Non-Reportable Data Breach

Can a company be sued for reporting a data breach in which the data was never used and destroyed?

In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its own cybersecurity team and hired outside consultants, and successfully prevented the attacker from blocking access to the system and “fully encrypting” the files—ultimately expelling the threat actor from its system. Blackbaud noted that the hacker had “removed a copy of a subset of data from our self-hosted environment” but that “[t]he cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

In the case of Blackbaud, similar to the case of Uber, the company decided to pay the hackers. While it does not appear that the company paid the hackers for their silence, Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” and the company noted that, based on its investigation and that of law enforcement and the nature of the incident, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly …”

In short, the company suffered a ransomware attack that included a partial data breach (breach of a subset of its data). Blackbaud recovered from the ransomware, secured the data and had reasonable assurance (not sure how) that the data, while breached in the sense that there was “unauthorized access” to the data, was not used or transmitted to anyone else and was destroyed.

Under these circumstances, a data breach disclosure to customers and to various Attorneys General is probably both legally required and unnecessary. Indeed, Blackbaud did make such a breach disclosure. In return, the company was sued in a class action filed on behalf of its customers.

Why We Have Data Breach Disclosure Laws

When it comes to both data breaches and data security incidents, I start my analysis with the Apollo 13 rule. When flight director Gene Kranz (Ed Harris) is told that the capsule is coming in shallow and asked if mission control should tell the astronauts, Kranz asks, “Anything we can do about it?” to which he is told no. His reply? “Then they don’t need to know, do they?”

The original purpose of the data breach disclosure law (California SB 1386) in 2002 was to provide a mechanism for notifying consumers (principally credit card and bank customers) that their information may have been compromised so that they—the consumers—could check their accounts for unusual activity, and if found, “charge back” the fraudulent charges, cancel credit cards or change banking information. It was to permit consumers to mitigate harm. It was not because of a simple “right to know” of a broken promise to protect confidentiality, punish the company that had the data breach, allow consumers to choose among vendors based on security practices or even—as a result of a desire to avoid bad publicity—encourage better security practices. It was to permit consumers to mitigate harm.

If the purpose was to require disclosure of “bad practices,” then it would not have focused exclusively on bad practices that resulted in breaches. If the purpose was to disclose broken promises, it would not focus only on broken promises that resulted in a breach and on those that involved personal information, as opposed to any other kind of sensitive data. And if the purpose was to allow consumers to choose among companies based on security practices, it would require publication and certification of those practices and not breaches. Indeed, in some ways, the more vigilant you are in detection, the more likely you are to notice a breach.

With that purpose in mind, a reasonable question can be posed whether it is useful (not legally necessary, but useful) to notify customers about what might be called a “controlled data breach.” A controlled data breach is a breach in which there has been unauthorized access to the protected information BUT where there is substantial and credible reason to believe that the breach has not and will not result in any actual or potential harm to the data subject. No harm, no foul.

To be clear, under most data breach disclosure laws, the question is binary: If there’s a breach, you must disclose. However, some laws contain provisions that permit a company to refrain from making a disclosure if there is a “no harm” breach.

Here’s an example under HIPAA/HITECH: A lab sends a patient’s records to the wrong doctor. The doctor calls the lab and reports the error, and agrees to delete/destroy the missent file. Is that a data breach? Yup. There was unauthorized access to PHI. Is the lab required to report it? Nope, not under HITECH. The regulations under that law require notification of breaches that “pose a significant risk of financial, reputational, or other harm to the individual.” If the “breached” entity can show no actual risk to the data subject (and document why), then no breach notification is required.

Some state data breach disclosure laws similarly require reporting only of breaches that are likely to cause harm or substantial harm. Alabama, Alaska, Arkansas, Connecticut, Delaware, Washington DC, Florida, Hawaii, Iowa, Louisiana, Mississippi, Missouri, New York, North Carolina, Oregon, South Carolina, South Dakota and Washington all have statutes that require data breach disclosures only if there is a likelihood of harm or “substantial harm” to the data subject. Assuming good faith by Blackbaud, and assuming that the breach is actually controlled and not likely to cause harm or “substantial harm” to the customers, then, in those states at least, no data breach disclosure was actually required.

But Blackbaud disclosed the “breach” nonetheless, and such a disclosure was inevitable. It’s not only logistically impossible to disclose a breach in one state and not another, but as a practical matter, once you disclose a breach, you might as well just rip off the Band-Aid and disclose it to everyone.

Now, one can reasonably question whether any company can be “assured” that an unauthorized access of information is not likely to result in disclosure of information. Can you trust or even verify that data hasn’t been used or disclosed? Moreover, in light of the Uber indictment of Joe Sullivan, the Blackbaud executives had actual knowledge of the commission of a felony (the ransomware and theft of the file). Even if a data breach disclosure was not required under the various laws, in theory, the company could not take affirmative steps to “conceal” and not disclose the hack—steps that might include paying the cybercriminals’ demand with confirmation that the copy they removed had been destroyed. That might be misprision of a felony. So Blackbaud disclosed the breach to everyone but did not offer credit monitoring or other “remediation” services since, in its reasonable opinion, no “remediation” was necessary.

For that, the company was sued.

Which proves my adage about data breach investigations and responses: There’s no right way to do it. Your job is to pick the least wrong way and hope things work out.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
