Lessons From the Epsilon Data Breach
by Bob White on April 12, 2011
The recent Epsilon Data Management, LLC data breach showed the significant impact that an unauthorized disclosure of personally identifiable information (“PII”) can have, as well as the speed with which these events unfold. Epsilon is a large distributor of marketing email messages on behalf of a number of well-known companies. In early April, Epsilon suffered a data breach that appears to have exposed PII such as customer names and email addresses. The full results and extent of the incident are not yet known, but companies can already draw some valuable lessons from Epsilon’s situation.
The effects of this data breach have been substantial and are still being analyzed. Because Epsilon regularly distributed a huge volume of email messages for many clients, the effects of the breach may be widespread, and exposed names and addresses can be used to craft convincing phishing messages in the clients’ names. Two United States Representatives sent a letter to Epsilon demanding information, and one news service reported that the United States Secret Service is investigating the matter.
What can your company learn from the Epsilon situation? Here are a few key items:
1. Have incident response processes and procedures in place before a data breach occurs. These should be detailed and tailored to your company and your industry. The aftermath of a breach is not the time to construct a plan. Know exactly what your company will do, and who will do it, if a data breach occurs. Speed is virtually always an essential component of a successful data breach response.
2. The types of data and information your company possesses are important factors, especially if they constitute PII. Know what data your company holds, where it is stored, and who it belongs to, and plan accordingly.
3. Who controls or has access to your data and information? This is critical, especially when a third party is involved. Third-party control of and access to data have become more prevalent with the growth of arrangements such as cloud computing and outsourcing. An essential part of controlling this risk is to have carefully drafted agreements in place with every third-party participant, including their obligations to safeguard the data and to notify you promptly if they suffer a breach. Remember that their problems can quickly become your company’s problems. Carefully monitor who controls or has access to any data or information held by your company, and enact and enforce appropriate safeguards and controls.
4. Data breaches are governed by a number of state and Federal laws and regulations. These laws and regulations often impose strict response and notification requirements if a breach occurs. The picture is further complicated if your company operates in certain industries or in multiple states. Your company may also be subject to the laws and regulations of other countries, some of which have very strict privacy and data breach laws and regulations. Know which laws and regulations apply to your company and what they require in connection with a data breach.
5. Your company’s agreements with other parties, as well as your company’s website privacy policy and terms and conditions, may affect a data breach situation. Be aware of the potential impact of each of these items and of any associated compliance requirements.
6. Know your industry. Some industries (e.g., banking and health care) have heightened concerns about the data collected by their participants, and in many cases there are specific requirements for handling this data and for responding to a data breach, along with increased potential liability. Get expert advice specific to your industry before a data breach occurs.
7. Insurance coverage for data breach losses may be available. Consult a qualified insurance professional to determine whether this type of insurance is available to your company and whether it would help mitigate the effects of a data breach.
8. Be very careful before providing any information or documents to any government agency, private individual or company in connection with a data breach, whether or not litigation or regulatory action has actually commenced. Get qualified legal advice to protect your company’s interests before providing information or documents to any party.
Data breaches are extremely serious and stressful events, and the associated liability can be very significant. Other problems, such as negative publicity, loss of customer confidence and brand damage, often follow and can make the situation much worse. Compliance with all applicable requirements and the speed with which a company reacts to a data breach are crucial. Learn from the Epsilon situation and you may be able to make a bad situation better.
For more information, contact Bob White.

