Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1439196
A data breach is like a bad car wreck. It can occur due to an unforeseeable event like being hit by a drunk driver, or it can be a completely preventable injury like falling asleep at the wheel. Either way, the harm has been done and Hippocrates cannot help. What to do next? If you are able to ask that question, it likely means you have stopped the bleeding. Now it is time to notify the family and start your recovery.

Recovering from a data breach is a multifaceted endeavor. There are compulsory measures pursuant to the laws and regulations of relevant local, state, federal and international jurisdictions. Then there are steps that, while not legally required, you ignore at your organization's peril. Among the most time-consuming activities after identifying the full corpus of potentially compromised data is determining who the individual data subjects are and who among them, if any, are legally entitled to a notification that a breach occurred. Further considerations include ascertaining whether data belonging to any commercial partners might have been exposed and which ones you might want to notify as a demonstration of transparency and goodwill. This can go a long way in ensuring your business relationships remain intact. Lastly, it is not hyperbole to say any proprietary information extruded could be extremely valuable to competitors. Giving them the benefit of the doubt that they would never actively try to steal your company's confidential material and hoping they will ignore anything now available is probably not an effective mitigation plan.

Once you have identified the data that has presumably been exposed, it is the unfortunate reality that you will need to review it. How quickly and how thoroughly depends on the requirements of the regulations that apply and an examination of the probability and scope of risks associated with any delay.
If multiple jurisdictional rules cover the data breach, it may be fair to say that your process should follow the ones that are most arduous. In the United States, the California Consumer Privacy Act (CCPA), as one of the strictest privacy laws in the country, may be an appropriate framework absent confirmation that the breach is limited to data subjects in another state. Internationally, the European Union's General Data Protection Regulation (GDPR) has with good reason triggered significant concerns for most transnational corporations over potential fines for noncompliance with its complex rules and strict notification requirements. A recent example in a nonbreach context is the nearly $900 billion fine levied by Luxembourg's data protection authority against Amazon, which it accused of improperly using the vast amount of individual information it has amassed. While Amazon argues that the fine is improper because, according to its public statement, "There has been no data breach, and no customer data has been exposed to any third party,"[1] the implication is that companies would expect hefty fines in the event of a regulatory violation that does involve a data breach.

While the fines associated with data breaches have not reached the level imposed on Amazon and other major corporations in other contexts, they should be no less concerning. A Swedish conglomerate that owns the H&M retail chain was penalized for inadvertently providing companywide access to all of its sensitive human resources data about individual employees. This breach lasted only a few hours and was not an external one; however, the Hamburg Commissioner for Data Protection and Freedom of Information chose to impose a $41 million fine on H&M.[2] Appropriate mitigation procedures can potentially lead to reduced fines, whereas failure to properly adhere to notification requirements could be disastrous.
With these and other incidents shedding light on the financial ramifications of a data breach, it is critical that your team take immediate action in such an event, and it is