A law firm has developed a free iPhone app, Data Breach 411, to help organizations with data breach notification compliance. The app provides links to 46 state laws, relevant federal statutes and other resources.
Breach notification compliance is challenging "because we don't have a national standard or a federal statute on data breach notification, but we have literally 46 different state [laws]," says Scott Vernick, a partner at the law firm Fox Rothschild, which developed the app. "We just thought that we would try to create something that would be useful to privacy professionals and in-house counsel who are trying to respond to breaches by putting information at their fingertips," he says in an interview with Information Security Media Group (transcript below).
In the interview, Vernick describes:
- The environment that created the need for the app;
- The features of Data Breach 411;
- How the app will be updated and upgraded.
Vernick is a commercial litigator who focuses on technology, intellectual property, health care, privacy and data security law. He regularly counsels multi-national and mid-sized businesses on how to mitigate risk and overcome the challenges posed by the multitude of state and federal laws and regulations dealing with IT security, privacy and data breach notification.
Meeting a Need
ERIC CHABROW: Take a few moments to outline the environment that created the need for the app.
SCOTT VERNICK: When you look around at the headlines over the last three or four years if not more, we live in a pretty challenging environment when it comes to data breaches. What I mean by data breach is situations in which either some cybercriminal from some place has hacked into a company and stolen information, or there's been a rogue insider at a company that has taken information improperly or unlawfully. Or, even something accidental that takes place that leads to the breach of information. In particular we're talking about consumer information or personal health information. So when you look back, whether you're talking about Citibank, LinkedIn, Sony, Target, Yahoo, there are any number of household names which have experienced data breaches, and the public shouldn't necessarily conclude that they haven't been doing what they need to do to safeguard information. It's just that we live in a very challenging environment where often the cybercriminals are one step ahead of what everyone is doing to try to prevent those things from happening.
Developing an App
CHABROW: How did the idea of the app itself come about?
VERNICK: We've been doing privacy and data security work for any number of years, probably well before there were actually formal practice groups at law firms. We did it back in the days when data security and privacy issues related to dumpster-diving, when criminals used to dive in dumpsters literally to fish out those copy pages from the knuckle-busters when people ran their credit card. Then the environment got more challenging. And it's challenging not just because of the sort of threats that companies face, it's also challenging because we don't have a national standard or a federal statute on data breach notification, but we have literally 46 different state [laws]. We just thought that we would try to create something that would be useful to privacy professionals and in-house counsel who are trying to respond to breaches by putting information at their fingertips.
So when you respond to a data breach, there are some usual steps that you go through. Obviously, you're trying to find out what happened and what was taken, and the next question that people are going to ask is: "Who do you have to give notice to? Do you have to give notice to consumers? Is there a state AG that you have to give notice to?" We wanted to put something at people's fingertips so that they could readily, at a minimum, look at the 46 different breach notification statutes and get a sense of what their reporting obligations were.
CHABROW: Did you have some kind of application on your servers that did that for you already?
VERNICK: No, we went out and we contracted with a developer. We told him ... what the idea was and what we wanted to create. It was a very good team effort between the lawyers, the marketing group and the developer, and Apple as well, to come up with something that we thought would work and be simple and user-friendly. Again, with a few taps, once you download it, you can look to see what California requires, what Massachusetts requires - any of the 46 states. Obviously we'll push updates as breach notification statutes change, because they do change to include more reporting obligations. It will be an ongoing and current resource.
CHABROW: Do you plan an Android version?
VERNICK: The answer is yes. We're waiting to see what the uptake is and what kind of comments we get back from the user community with respect to this one. It's new at the moment. It's just been launched. We've had some very good feedback. We're waiting just to see what the [usage] is like and what additional comments we get from the user community.
Key Features of App
CHABROW: What features appear on Data Breach 411?
VERNICK: It has two or three components. One is, it gives you instant access to the state breach notification statutes that are currently in existence. Number two is, it gives you instant access to the federal rules on HIPAA and the HITECH Act, which are the federal statutes which govern what you have to do if you have a data breach that pertains to personal health information. It also gives you instant access to the rules regarding the Child On-line Protection Privacy Act if you are marketing to children, and that is obviously an area where you have to be particularly careful. And then finally, it gives you resources to some links to the FTC and some links to the credit reporting agencies, because often times some states require, depending upon the size of the breach, notification to credit reporting agencies.
As part of a breach notification, it's almost standard practice to offer people some form of credit monitoring for some period of time so people can determine whether or not their accounts have been subject to any financial fraud. ... When you're in that sort of emergent environment just after a data breach, we wanted to make this material readily available just to make people's lives easier.
CHABROW: Who is it marketed toward?
VERNICK: The people who we hope will use it are, depending upon the nature of the company, either in-house counsel or privacy professionals who are responsible for compliance and responding to a data breach. We expect that at smaller companies, business executives in the C-suite will use it, because those are typically ... the people who are on the front lines when it comes to responding to a data breach.
CHABROW: Who is responsible for maintaining and updating this?
VERNICK: We are.
CHABROW: What is the process to make sure that it is updated?
VERNICK: Here we have lawyers, we have members of our privacy and data security group, we have marketing professionals and we also have professionals in what we call our knowledge management department. ... Between those three sets of stakeholders, we're responsible for monitoring and updating any of the breach notification statutes when there are developments. It's likely that we will add more resources because some states have separate Internet privacy statutes - California would be a good example. We will want to add those particularly because those are becoming more robust all the time in terms of what they are requiring for companies that have a presence on the Web or presence on the internet. I think once we sort of see how this works in the first six months or so then we'll also talk about an Android version because we're already getting requests.
International Data Breaches
CHABROW: Will future versions of Data Breach 411 include how to respond to international data breaches?
VERNICK: That's certainly on the drawing table at the moment. The difficulty has been that what's happening in the European Union in particular is very much in flux at the moment. People thought there was going to be a pretty material revision to the [regulations] in Europe. I'm not sure that is going to happen now. ...
CHABROW: Anything else you'd like to add?
VERNICK: We're really interested in getting user feedback; that is the most important thing. We try to put ourselves in the position of people who we thought would be able to make most use of it. We've gotten some very good feedback. People like the cool factor of it. ... People think it's great to have stuff they need literally at their fingertips and all in one place. What we're really interested in is getting user feedback so that we can make sure that it is working the way we thought it would work and working the way that it will be most useful to the professionals who would want to use it.