Data breach logs

Data breach logs

Any well-managed business computer system should log both attacks and actual breaches in real time and maintain a data breach log. If it does not, management should seriously consider replacing their IT management or service provider. There appears to be a great deal of hand wringing in the blogosphere among attorneys who are concerned about the recent requirement by Canadian authorities that corporations maintain logs of the data breaches which occur at their companies.

“Breach logs” may create a liability “roadmap” subject to discovery

Many companies are now experiencing their second or third significant breach along with dozens of minor incidents, creating a history of cybersecurity performance ripe for examination, as it should. Along with their apparently unfettered and unrestricted right to collect personal information and data from users, companies which take advantage of the Internet to earn income and create wealth for their stockholders should not be heard to complain that they have a concomitant responsibility to protect the personal information they collect from unauthorized third parties.
Regulators and class action plaintiffs are always looking for quick, inexpensive ways to gather that evidence and some commentators quite properly observe that a breach log may prove to be one of the most important documents in the investigation of any data security breach.
The U.S. Federal Trade Commission in a proceeding against Wyndham Worldwide Corp. wanted to know what lessons the company learned from its first breach, and whether a failure to heed the appropriate lessons contributed to the subsequent breach. Class action plaintiffs can be expected to use evidence of prior breaches of data security to show negligence.

Privilege and data breach logs

Where in-house or outside counsel retains a forensic consultant following a data breach, there is a presumption of attorney-client privilege or attorney work product prepared for litigation. A 2015 decision in Genesco Inc. v. Visa Inc. et al., (3:13-cv-00202, USDC MD/TN) confirmed that the work product of cybersecurity consultants and communications with those consultants are protected by attorney-client privilege and/or the work product doctrine when counsel retains the consultants for the purpose of obtaining technical assistance to enable counsel to render legal advice to a client.
It is obvious that any organization should designate legal counsel as the lead in cybersecurity activities following a data breach.
However, the existence of a data breach log may provide law enforcement, regulators, and class-action plaintiffs with the information they need without the usual protection of attorney-client privilege.
Unlike the forensic report commissioned by legal counsel, there is little to suggest that production of a breach log can be withheld on privilege or work product grounds. The breach log is a corporate record that should be maintained in the regular course of business.
A company which does not maintain a breach log faces the substantial probability that failure to maintain a breach log is prima facie evidence of negligence per se.

A dangerous management philosophy

Historically, many companies have made a business decision at the highest levels of management that unless compelled by some specific statutory or regulatory mandate, they will not disclose the existence of a data breach. Many companies still routinely deny media reports of newsworthy data breaches for as long as possible.
Any business, not for profit organization, or professional practice which handles data that is presumptively confidential and about which there is an expectation of privacy has a non-delegable duty to investigate every data breach and not only mitigate the damages from that particular breach but take affirmative action to prevent another occurrence of a similar breach. Even though hacking has become ubiquitous throughout cyberspace and resulting data breaches are inevitable, they must be addressed as they occur and the same hack should not be allowed to happen.
The existence of a breach log is both a danger and opportunity for management. It is dangerous if it records a pattern of failure to observe industry best cybersecurity practices; but it also represents an opportunity for management to consider cybersecurity vulnerabilities. However, it is certainly reasonable to allow every custodian of secret and confidential information who observes industry-standard best practices with respect to cyber security a “free pass” from a data breach which could not be prevented at the time using reasonable best practices consistent with the nature of the information compromised. If a data breach occurs, then the custodian of the data has a complete prima facie defense based on compliance with industry accepted standards for data security.

Which Breaches Must Be Logged?

At the present time the common law of negligence imposes a non-delegable duty of care on the part of custodians of private, privileged, confidential information to protect that information. Legislation and administrative regulations which mandate a specific course of conduct create a presumption that what is not regulated or prohibited is permitted. This is particularly unfortunate with respect to data security breaches. The legal landscape, however, becomes an uncharted miasma as soon as the legislature enacts statutes and regulatory agencies promulgate rules about data confidentiality and directly or indirectly address data security.
Instead of retaining lawyers to interpret statutes and regulations, the most cost-effective policy for any company dealing with information which should not be subject to broadcast disclosure is to observe industry cybersecurity standards and implement industry-standard practices for data security. There are no alternatives.

Companies at risk for failure to maintain a breach log

Any company, no matter how large or small which collects and maintains confidential personal information about which there is an expectation of privacy should maintain a breach log. Failure to maintain a data breach log may create a presumption of negligence. If the company collects private and confidential information through a website even with a stated and declared privacy policy which must be accepted before access to the website is granted, there are serious questions about whether that privacy policy disclaimer will absolve the company from liability for the release of confidential information as the result of a breach of data security.

The Cloud

As more and more companies and many professional firms such as attorneys, accountants, and healthcare practices respond to the siren call of storing data in the “Cloud” and rely upon Cloud-based systems and services, the issue arises whether Cloud-based service providers and storage companies have a duty to maintain a breach log and whether they must make that breach log accessible to those individuals and companies which use their services.
Users of cloud-based storage, systems and services should insist that their cloud-based service provider maintain a breach log for the data and systems utilized by the user. Arrangements should be made for active notice of data security breaches which may affect the data and systems of each user. The user should also inquire as to the extent of insurance coverage and insurance protection should a data breach occur which compromises the cloud storage, systems, and services of the user.
If the cloud storage and system provider cannot or will not provide such information and maintain an active breach log for the protection and benefit of the user, the company should look for another cloud service provider or develop their own “private” cloud. Failure to do so may become prima facie evidence of negligence per se in the event of a data breach which compromises confidential company information.