Dealing with a data breach

Steps commonly undertaken when employee or customer information is stolen

Most people loathe the annual ritual of filing a tax return. Compounding that unpleasantness, a number of filers attempting to file a tax return only are notified by the Internal Revenue Service that someone else has already filed a return on their behalf and collected the tax refund.

We have fielded several calls from employers who have had multiple employees report that they were unable to file their tax returns because someone had stolen their identity. Here are steps commonly undertaken when a group of employees makes such a report.

Investigate for a breach

The first step is to conduct an internal investigation to determine if the company is the source of the data leak. Information technology professionals examine logs searching for malicious patterns. Circumstances might warrant hiring an outside security consultant to conduct this review. If there is evidence that the employer’s systems were hacked, the key questions to answer include:

• How was the system hacked?

• What changes are necessary to stop the attack?

• When did the attack occur?

• How much data was exposed or taken?

• What categories of data (names, address, email address, account numbers, social security numbers, credit card information, private health information) were taken?

• How many employees are at risk of identity theft?

Notify law enforcement

It is a good idea to notify the U.S. Secret Service, because that agency might be able to determine if this particular hack fits into a larger pattern. Companies should also consider notifying local law enforcement to file a police report, as this might provide some assistance to employees who later discover they are victims. Some credit monitoring service providers offer discounts if a police report has been filed.

File an insurance claim

Companies should also call their insurance company to determine if they have cyber insurance. The products vary, but they often provide coverage for, among other things: legal and other costs associated with sending notices to affected individuals; costs of providing credit monitoring for employees; and defense and indemnification for liability.

Send the required notices

Almost every state has passed a statute requiring those with knowledge of a data breach to provide notice to the affected individuals. Unfortunately, these statutes are not uniform.

Some states’ statutes do not specify the content of the notices, but merely mandate that notices are sent. Other states’ statutes require several key pieces of information appear in the notice.

Because of the differences in statutory requirements, it is important to quickly develop a list of the states in which the affected individuals reside. Then, notices need to be drafted to meet the specific requirements of those states. Because most of the statutes include civil or criminal penalties for noncompliance, some care is required to ensure that the notices contain all the required information.

A handful of states, including New Hampshire, require that a separate notice be sent to a public official, frequently that state’s attorney general. In addition, some states mandate that companies provide notice directly to the credit bureaus, if there is a significant number of affected individuals in those states (a common threshold is 500 individuals in that state).

If law enforcement undertakes an investigation of the data breach, they might request that the company delay sending notice to the affected individuals, because public dissemination might hamper the investigation. Companies should get this request from law enforcement in writing. When the notices are sent to the affected individuals, it is recommended to state explicitly that notice was delayed at the request of law enforcement.

It is also prudent to create a record that the notices were received. Some statutes permit transmission of the notices by electronic means. If email is used, the company should obtain a read receipt and maintain a record that each message was read. If traditional mail is used, it is wise to use registered or certified mail to obtain proof of delivery. Cyber insurance often covers these expenses.

Although this article framed the tasks in terms of dealing with a breach of employees’ information, the same concept applies if customers’ financial data is stolen. Companies are advised to develop a written response plan even if they have not yet been subject of an attack. Employers should also investigate cyber insurance just as they consider general liability insurance, because the benefits of coverage can be substantial.

Finally, all companies should examine their own security protocols and undertake reasonable measures to protect their information, including training their employees to prevent against future hacks.

James P. Harris, a shareholder at the law firm of Sheehan Phinney Bass & Green, can be reached at 603-627-8152 or

Categories: Business Advice, Legal Advice