Posted: Sep 4, 2018
Author: Lou Grilli

Understanding and managing the risks associated with the changing world of data security, and being prepared for breaches and how to respond to them, have become business necessities. This three-part series, based in part on a presentation given by Michele L. Cohen, a principal with the law firm Miles & Stockbridge P.C., at Trellance’s Immersion 2018 conference, outlines the balancing act between convenience and data security, and provides a framework for preparing for breaches and for deciding what actions to take in response. Part 1 focused on what is at risk, what causes breaches, and the fact that breaches are inevitable. Part 2 focused on planning and preparing documentation for the inevitable. This Part 3 explores three areas that require special attention: the legal considerations regarding breach notification; the contracts an organization has with vendors who have access to its data; and having the right insurance coverage.

The popular ride-sharing company Uber disclosed in November 2017 that hackers had stolen data on 57 million driver and rider accounts. More disconcerting was that the company had kept the breach secret for more than a year after paying the hackers a $100,000 ransom. According to Stateline, the Pew Charitable Trusts news service:

The state of Pennsylvania sued Uber for waiting more than a year to alert drivers and customers that their personal information had been hacked; the state’s attorney general argued that the ride-hailing company had violated a state law mandating that companies notify people affected by a data breach ‘without unreasonable delay’. Suits were also filed against Uber by Los Angeles and Chicago for violating their laws that define how quickly consumers must be notified once a data breach is discovered. Pennsylvania’s phrase “without unreasonable delay” is typical of many states, as is “in the most expedient time possible”.

Breach Notification

There is currently no comprehensive federal breach notification scheme, although certain federal statutes apply to particular categories of data (for example, the Gramm-Leach-Bliley Act for financial institutions and HIPAA for health information). All 50 states, the District of Columbia and several U.S. territories now have their own data breach notification laws, with varying requirements (and California has just enacted what may be the most comprehensive personal data privacy legislation in the country). The organization must understand the breach laws of each state where it has members and employees. Some states trigger notification based on where the data is stored, and others based on where the affected individuals live. States also differ in what they define as personal data, and these nuances affect what notification is required. Some states require credit monitoring for affected members. Some provide a “safe harbor” if the organization maintains a notification procedure that is consistent with state guidelines and actually follows it. Even if you have only a handful of members in a state whose requirements you did not meet, there is legal and regulatory risk.

Many laws set a fixed deadline for the first notification, and some are short: the GDPR and the New York Department of Financial Services cybersecurity regulation, for example, both require notice to the regulator within 72 hours of discovery, while most state laws call for notice to affected individuals “without unreasonable delay”, often with an outer limit of 30 to 60 days. It frequently takes far longer than that for forensic analysis to determine the full extent, magnitude and time-frame of a breach, and for the organization to identify who was affected and who the correct notice recipients are, so the first notice may have to go out while the facts are still incomplete. There are many other considerations. For example, if the breached data was encrypted and the key was not compromised, most state laws do not require notification; but the organization must be able to demonstrate that the key was in fact safe, which in practice means having key-management and access logs that show who could have reached it. And even where notification is not required, the organization should still decide whether to provide it. This is an area where outside counsel can help shed light on best practices.

Vendor Management

In the Target breach of 2013, security researchers determined that the attackers had gained access to Target’s network using credentials stolen from a third-party HVAC vendor. Best Buy was also among a number of large retailers, including Kmart and Sears, whose customer data was exposed through vulnerabilities in the online chat tool they used for customer engagement, supplied by the provider [24]7.ai. Those vulnerabilities were identified as the cause of breaches that occurred between September and October 2017, before they were corrected.

Vendor management is an important element to consider when developing breach preparation documents. The first step is knowing which systems and data elements each vendor can access. Knowing how each vendor uses that data, what its processing practices are, what its administrative safeguards consist of, and what technical safeguards are in place makes up the rest of the due diligence that must be done.

Considerations for vendor contracts include:

  • Warranties
  • Indemnities
  • Limitations on liability
  • Default Remedies
  • Vendor’s Insurance Coverage
  • Cooperation regarding data breach notification and response
  • Audit Rights

When a breach happens and it is determined that the vendor was somehow at fault, the contract terms become paramount. It helps to have worked with legal counsel to draft contracts with strong protections in place before a breach. If a vendor will not agree to provisions that protect your organization, look for one that will when the contract comes up for renewal.

Insurance
Insurance is an additional backstop against liability from data breaches, and the market changes continuously as breaches become more widespread. Changing privacy laws are also producing more litigation and a desire for proactive coverage. It is therefore important for an organization to know what coverage is in place, and what could and should be obtained. Cyber liability coverage, for example, is a very specific coverage with restrictions. It is easy to void the policy by failing to understand and implement basic data security measures, or by failing to notify the carrier of an incident in a timely manner or as the policy requires.

Insurance relating to data breaches comes in many forms:

  • Technology/Professional Errors & Omissions
  • Media Liability
  • Security and Privacy Liability
  • Privacy Regulatory
  • Data Breach Event
  • Loss of Income/Extra Expense/Digital Assets
  • Extortion Threat
  • Property Damage and Bodily Injury

Policies vary greatly in how they cover acts and omissions of vendors, and of people at all levels of the organization and the vendor’s organization. The bottom line is that someone in the organization should be responsible for reading the current policies for coverage AND exclusions, and translating that knowledge into specific steps in the incident response plan (IRP), such as when and how the carrier must be notified. It may be beneficial to work with an experienced risk manager and broker for this process.

Employee Training and Involvement 

All the safeguards in the world are ineffective if one vulnerability is left open, and there often is one: the human element. Phishing e-mails that prey on susceptible employees, such as messages that appear to come from the CEO; IT staff who do not understand the importance of applying a security patch promptly; a laptop with network access that is stolen but not reported. It is important that security is prioritized from the top, with sincere support from the Board and senior management. Planning for the inevitable is equally important. Ongoing employee training and communication help the organization establish an environment where employees understand the risks of a data breach and have the tools to avoid mistakes. Having plans and procedures that are consistent with industry best practices will also help when responding to regulators and lawsuits.


Data breaches are a constant threat in today’s environment. While an organization should always strive to manage its data security practices to avoid a breach, it is equally critical to have a plan in place for when a breach occurs. Your members are more likely to forgive the breach if they feel that the organization acted responsibly to prevent it, and took appropriate action afterwards to mitigate the situation and the risks to their data.

For assistance with vendor management, contact the experts at Trellance at

Lou Grilli


Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.
