YourABA: June 2013
YourABA September 2013 Masthead

What you need to know about minimizing data breaches

The 21st century has been called the cyber age, a period following the 20th-century technological revolution that ushered in the widespread use of computer information systems. Because computers and computer networks have been responsible for unsurpassed economic growth, they have also become the targets of criminals.

Panelists at the Annual Meeting program “Preparing for the Inevitable: What Every Company Should Know About Minimizing Data Breaches” discussed the process by which companies respond to cyberattacks.

While panelists agreed on the need for preparedness and a comprehensive response to a cyberattack, divisions over the timing of reporting to authorities and customers were apparent.

Hadley Etienne, a special agent with the FBI, described the bureau's process for responding to a suspected information breach. The FBI has recently hired more than 150 computer scientists and broadly monitors hackers online, including on popular online hacker forums. Etienne said that the “most important thing is to preserve computer evidence,” which is why the FBI will sometimes wait 24 hours before notifying a business that its systems have been compromised. On the other hand, the “worst thing is when [hackers] start to show the information online to other hackers.”

That makes any delay in informing companies of a breach a potentially dangerous proposition. Linda Clark, the general counsel of Reed Elsevier, expressed disagreement with the FBI's timetable. “I don't want a 24-hour window — I want a five-minute window,” Clark said. Reed Elsevier's incident response plan calls for immediately freezing information in the event of a breach. Even working with law-enforcement agencies like the FBI requires care. “We are very protective of any [client] content that could be deemed to be privileged or confidential,” Clark said. “We have to be sensitive to what information we can share,” which is why Reed Elsevier has “embedded relationships with law enforcement so we can respond proactively.”

Etienne countered that sharing information with law enforcement “benefits the community at large.”

Panelists also discussed the responsibility to notify consumers of a data breach. According to Alfred Saikali of Shook, Hardy & Bacon LLP, there are 46 different data breach reporting requirements across the states. Saikali believes that government regulation has not caught up to the Internet because some of those consumer notice laws require actual letters to be mailed out.

Eva Velasquez, of the nonprofit Identity Theft Resource Center, argued that emailed notices to consumers are fraught with complications, including the possibility of a phishing attack where individuals are prompted to provide their private information to a fraudulent website. Velasquez said that companies should “give as much information” as possible to consumers. Returning to consumers several times with little actionable information results in a loss of confidence among the company's consumer base.

“What You Need to Know About Minimizing Data Breaches” was sponsored by the Section of Litigation.

Additional resources from the CLE are available on the ABA Section of Litigation's website.
