A planned data breach response is imperative and will save millions of dollars in litigation and forensic fees. Enigma Forensics CEO & President, Lee Neubecker engaged in a video discussion with Privacy Expert, Jackie Cooney from Paul Hastings Law. These experts provide solutions for many clients who seek operation privacy and cyber security. A planned data breach response can save companies millions of dollars.
The transcript of the video follows
Lee Neubecker: So, I’m here with Jackie Cooney from Paul Hastings, and she’s their privacy expert here. Can you tell me a little bit about your practice and how you help your clients?
Jackie Cooney: Sure, so I am the senior director of the Privacy and Cyber Security Solutions Group, here at the law firm. We’re kind of a unique part of the law firm, in that we’re very much integrated into the legal practice, but what my group does is really provide solutions for clients to operationalize privacy and cyber security requirements.
Lee Neubecker: So what happens when a company suspects they have a issue? What do you typically advise your clients to do if they’re concerned about a potential breach?
Jackie Cooney: A potential breach, so that’s a good question, and I get these calls actually pretty frequently, maybe even on a weekly basis. Hey, we think something has happened to our data, what do we do? And there’s a few threshold questions that I ask. Number one, do you have cyber insurance, and have you called your cyber insurance company? Because often cyber insurance companies will cover you, but only if you use their counsel and you use their forensic experts. So, it’s important for you to understand what your coverage is there. Now, if you don’t have those kind of limitations, or you don’t have cyber insurance, and hopefully most of your clients do have some coverage, or if Paul Hastings is on the approved list of those cyber insurance vendors, then we go onto step two. So, that first question, 30 seconds, one minute, do you have cyber insurance, have you called them yet? And what I typically like to do is say, okay, give me the two-minute version of what happened, and then I can pretty quickly decide, okay, this is a purely cyber incident or this is a cyber incident that has some privacy implications. And then there are questions that go from there. And, of course, if there’s something that has privacy implications, that there’s a lot of regulations that you have to worry about that require notification, too.
Lee Neubecker: So, can you tell me a little bit more about some of the new regulations that face companies that operate in the U.S., related to data breach requirements
Jackie Cooney: Sure.
Lee Neubecker: and responsibilities?
Jackie Cooney: So, in the United States, if you’re talking about a U.S. company that operates only in the United States, and those are becoming fewer and fewer. Most companies are international, or becoming international, or have an international market. But if you’re talking about a incident that happens in the United States, U.S. only, it’s important to remember a couple of things. Depending on the type of information, there might be federal laws that are implicated. So, if it’s financial information, there’s requirements for reporting under Gramm-Leach-Bliley. And if it’s medical information, specifically, protected health information, if your an insurance carrier or health care provider, there might be reporting under HIPAA. And even if you don’t fall under any of those federal statutes, there are 50 states that all have different breach notification requirements. And, for instance, there are 14 that have medical information as the threshold for having to notify people for breaches. So, it’s important to understand, in the United States, because we’re sectoral, and because our laws are federated among the states, that there are a lot of different places where you might have to notify. If it’s international, of course, the thing on everybody’s mind right now, is GDPR, the General Data Protection Regulation, which has breach notifications requirements in there and they’re pretty onerous. Here’s the thing, companies have a responsibility, not only to provide you with things like a privacy policy that tells you what they do with your information, but they also have a responsibility to not do things with your data that you wouldn’t expect, even notwithstanding the privacy policy. They shouldn’t be doing things that violate your trust.
Lee Neubecker: Well, you explained that very well. I thank you for being on the show today and this was really informative.
Jackie Cooney: You’re welcome.
Lee Neubecker: Thanks.