April 15, 2019

What are my notification obligations for a breach of only administrator credentials?

Hypothetical:  

Your company has been subject to a successful cyber penetration that results in compromise of an internal, administrative server.  The compromised server exposed certain security features, which included administrator passwords, but customer and employee data remains secure.  In this situation, with no personal data compromised, how do you determine what your notification requirements may be?

Key Considerations:

  • How thorough was the investigation?  Most data breach notification laws at the state level require the affected entity to conduct an investigation to determine whether the confidentiality, integrity, or availability of personal information can reasonably be believed to have been compromised.  As such, it is incumbent on your organization to be able to demonstrate to regulators, and other potentially affected individuals or entities, the steps taken to determine that personal information was not compromised.  Audit trails and forensic reports may provide such assurances, but should be prepared and shared thoughtfully with an eye towards maintaining any applicable privilege. 
  • Is your company in a regulated industry?  While a breach may not require notifications to individuals or state regulators, you should look to the regulations that govern your industry for more particular requirements.  Some regulations, like HIPAA, contain breach notification requirements that may differ from your obligations under state law.  Further, publicly-traded companies may have a duty to disclose breaches to the SEC and investors, even if personal information is not compromised.  The SEC, FTC, and HHS have all published guidance on regulated entities’ breach response and notification obligations.  Finally, financial services companies operating in certain states may have a duty to report to state regulatory bodies, such as the New York Department of Financial Services.
  • Do you belong to particular industry groups?  If your company belongs to certain industry groups, such as an industry-specific Information Sharing and Analysis Organization, you may have reporting obligations regardless of the information that was compromised.  Check the terms of your membership in any groups to which you belong for those reporting obligations, but consider having counsel review such reports to protect any applicable privilege.
  • Have you reviewed your contracts with customers, vendors or other third parties?  Review contracts with your vendors, customers, and other partners.  In some cases there may be an obligation to notify these parties of a breach, but such notifications must be carefully crafted to avoid disclosing confidential information or waiving applicable privileges.