Privacy and the Law: Alysa Hutnik of Kelley Drye
Your organization has been breached - how should you immediately respond? How should you not respond?

Alysa Hutnik, attorney with Kelley Drye in Washington, D.C., specializes in information security and privacy, counseling clients on what to do after a security breach. In an exclusive interview, Hutnik discusses:

Do's and don'ts following a data breach;
Privacy legislation trends for 2010;
What organizations can do today to prevent privacy/security challenges tomorrow.

Hutnik is an Associate with Kelley Drye whose practice includes representing clients in all forms of consumer protection matters. In particular, she specializes in advertising, privacy, and data security law. She frequently conducts workshops and gives speeches on advertising, privacy, and data security compliance. She is often quoted on these issues in major business and law journals and newsletters, and has authored numerous advertising, privacy, and data security articles. Ms. Hutnik was recently nationally recognized as a leading practitioner in the area of Privacy & Data Security by Chambers USA.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about privacy and data security law, and we are talking with Alysa Hutnik, an associate with Kelley Drye in Washington, D.C. Alysa, thanks so much for joining me today.

ALYSA HUTNIK: You are very welcome; glad to be here.

FIELD: Just as a little bit of context for our audience, why don't you tell us a little bit about yourself, your firm and the work that you do, please.

HUTNIK: Sure. We handle all sorts of consumer protection matters. So anything that the Federal Trade Commission, state attorneys general and private litigants bring -- usually class actions -- affecting consumers.

I focus particularly on privacy and information security concerns, so this would be business obligations to protect data, business obligations on how they use that data, how they disclose that data, the exchanges of that type of information with third parties.

FIELD: So, Alysa, what are the types of cases that you commonly would handle relevant to privacy and information security?

HUTNIK: Well, I can give you kind of a snapshot of my day to day. We counsel clients whose businesses obviously have employee data, they have customer data, they have prospective data, and we walk through what other obligations, based on existing law, on how they handle that data, how they protect that data. And then there are questions -- because consumer protection law has got a lot of gray areas. So what are the trends, what are the things that they should be thinking about and they should be doing to make sure that they are adequately handling that data in appropriate ways? There is the counseling aspect.

What we have seen more of in the past few years and really going forward is a much more active front representing clients as they have a data breach, and certainly walking them through all of those obligations to make sure that they take care of those obligations appropriately. And then there is the reactive sense where they are being investigated by the Federal Trade Commission or the state attorneys general for practices related to personal information, whether it is associated with a data breach, which we have done, or if it is associated with how they are just handling personal information of customers, or advertising issues, certain representations they have made about their practices that the Federal Trade Commission, for example, does not think is accurate or potentially may be misleading.

FIELD: Well, Alysa, at times this year with the Heartland Data Breach -- Chase Bank just reported one -- it seems like almost this is the Chinese Year of the Breach because it has just come up so frequently.

HUTNIK: And that has a lot to do more with those disclosure obligations. It is likely that the breaches were always happening. I think we are so much more aware of them now because of two things: One, the obligations based on 45 states, and they have to notify and it has increased public awareness that we now pay attention to this; and, two, we have a whole lot more questions about breaches, which calls a lot of those facts and brings them into the public sphere as people are concerned about identity theft.

FIELD: Now one of the things that strikes me in your profile is that your counseling includes advising companies on what to do following a breach, and that just struck me as such a relevant question to our audience. When there is a breach, what should organizations immediately be doing?

HUTNIK: You know, that is such a critical question, and it is one that a lot of dollar signs, I think, hang on because we all have busy day jobs, right? And so there is one crisis to the next, and it is hard sometimes to prioritize or differentiate what is the more immediate crisis, is it somebody who is on the phone with you now or is it another issue that kind of bubbled up in an email?

With data breaches, sometimes it really does just bubble up from an email, and you can really minimize the company's exposure if you take news of a potential security breach very seriously and there is quick action to get to the root of the problem.

I will give you an example where you have a breach that, let's say, is a hacking incident into an application. As that news bubbles up and you can take quick action to at least cut it off line or cut off whatever the open portal is that is being exploited, that has the potential of having several days or potentially many more files of card number information for example, that is exposed. That can directly translate into a substantially reduced amount if you end up having to pay card reimbursement fees or fraudulent payments that you are responsible for by taking action a week earlier and rooting it -- you can actually save a lot of money.

So, quickly, the bottom line is really taking these issues seriously, knowing the right questions to know whether this is a serious data security breach or if it may not be. It may not be a big issue, but it is a good learning lesson because let's say very sensitive data was not at issue in one particular example, but it highlighted a potential vulnerability that should have safeguards modified and updated to prevent future more serious issues.

FIELD: So, the flipside of that question is what is it that organizations should not be doing immediately following a breach?

HUTNIK: Well, you know the flip answer is not taking it seriously, but that is not very helpful because it all depends on what the facts are and needing to know what to take seriously. So I think being well versed enough to be able to quickly have your teams -- and that is kind of a blend of what you should be doing and what you shouldn't be doing -- but if you have got the right stakeholders already in place, so you have got your task force on data breaches, so you have the right folks being able to look a certain set of facts and make an informed judgment for the company as to what are the next steps.

So by putting all of this responsibility on this type of issue on, let's say an IT part of the organization or just legal, I think you do a disservice to the company. It is really a multi-part effort to make sure you get to the right decision.

FIELD: And I suppose that you want to be the one talking to your customers before somebody else is.

HUTNIK: You always want to be. In a lot of these situations it doesn't always work that way. It may be that a customer found out first because their card was used fraudulently and they were pretty quick to call Visa, so you are better off if you can figure it out internally before an external source finds out and lets you know because by then, unfortunately, usually a lot of time has passed by, and that means that your company was more exposed during that time.

FIELD: You mentioned some of the state privacy legislation; you talked about the 45 states that have it, and two that come to mind immediately are Massachusetts and Nevada, which have got some new regulations that have either passed or are pending. Now what trends do you see here with the state legislation? And, I wonder if you envision national privacy legislation coming any time soon?

HUTNIK: Well, that is a good point. You raised Massachusetts and Nevada, and what we see there is the only change is you have got a few states that are now getting very specific on what they mean with data security safeguards. What we saw before that was that you had more general laws, like the FTC talks about unfair and deceptive practices, and really used that as the framework to say, 'Are your information securities unfair?' and have really kind of had this evolving, shifting standard without a lot of clarity.

Then you had Massachusetts and Nevada that said 'Here is what we mean by reasonable practices; you actually have a certain performance standard that you have to meet.' I think that model has had a ripple effect in what we are seeing, which is a fair amount of other states considering what other specific safeguards do we want to put companies on notice that they have to comply with? So I think you see Minnesota putting a cost reimbursement standard if you don't meet certain safeguard obligations -- that is one example. And I think other states are certainly going to experiment with a model that works for them.

So if anything, I see a lot more specificity among various states and probably a fair amount of experimentation on what that means. You have got a handful of states that already specify that if you are going to contract with vendors, service providers, that your contracts have specific safeguard language. The plus factor that I think looking forward we are going to see is states putting not just that performance contract standard, but some sort of oversight and monitoring aspect to that, so that is another potential area.

Your question as to national privacy legislation ... I think we are going to see it more in parcels. So there probably is going to be something on online marketing and a privacy bill that really addresses a lot of that. I am not confident we are going to see a federal uniform data security-type safeguard, and I say that because there are a lot of different jurisdictional buckets between health-type information where you have a HIPAA standard or financial information, and there are too many kind of variances there. So I think for the meantime we are going to see more of these specific data security obligations really come from the states.

FIELD: Now as you know, we have seen a lot of privacy trends this year. We have had high-profile breaches; we have got a new administration that seems to be paying a lot of attention to the cyber security and privacy. What do you see as some of the trends that you are going to track as we go into 2010 regarding privacy and information security?

HUTNIK: Well, I think the profile has certainly been lifted over the last year in data security, and it has been partly because of the big cases. What we are going to see going forward is a lot more aggressive regulatory action. And what I mean by that are high-profile investigations, and more of them.

So for example I think you are going to see the FTC take a lot -- it has already had a pretty prominent role in this area, and I think that is just going to be more of the case. I think HHS is probably going to take a more active role with data security safeguards and data security breaches. As a result, you are going to see the awareness level a lot of companies paying attention when they see big settlement figures, or litigation for that matter, and see some monetary damages as a result.

That hasn't quite been the case; we have seen some examples with monetary settlements, with some from the regulators, but mostly it has been with the banks and with the card associations. You add those monetary figures to those settlements, less more active regulatory investigations, and it makes it a very expensive issue for companies if they are not more proactive to make sure that their data security safeguards are up to par.

FIELD: Sure. Alysa, one last question for you; I know you spend a lot of time with organizations talking about information security and privacy, and I am sure you see lots of comments and themes. If you could offer organizations one piece of advice that might prevent them grief down the road when it comes to challenges in security and privacy, what would that advice be?

HUTNIK: I think there has just got to be such a better communication pipeline between legal and IT. I mean, data security stuff so often gets "this is an IT only issue," but the problem there is that there is not the same kind of mapping and prioritization in many cases because of budget constraints, because of people who carry a lot of roles in their one job, and unless there is a really good pipeline between what the business -- having the business have a good sense of legally what they need to do and having legal know, for the business end, what are our options to make sure we reach that objective.

I think you can get to that point where the company is adequately protected and the company knows what its obligations are. You just have such a missing gap among a lot of companies now as to what they are actually doing and what they need to be doing.

FIELD: Very well said. Alysa, I appreciate your time and your insight today.

HUTNIK: Oh, you are very welcome.

FIELD: We have been talking about privacy and data security, and we have been talking with Alysa Hutnik with Kelley Drye. For Information Security Media Group, I'm Tom Field. Thank you very much.
