Criminal or Regulatory Investigations May Be the Way to Get Companies to Disclose Data Breaches Promptly: Cybersecurity Trends

How many states have data breach notification laws?  You might be surprised – answer below.  Regardless of that, companies still don’t always notify customers and other individuals and entities affected promptly, leaving their data exposed potentially for months.  Maybe it will take criminal and/or regulatory enforcement actions to change that.

In Legaltech® News (Charges From Botched Data Breach Responses Put the Heat on Corporate Execs, written by Devin Chwastyk), the author notes that many organizations indifferently fail or deliberately avoid notifying customers of a breach of personally identifiable information. A 2017 paper studying the economics of information security concluded that more than 60% of U.S. data breaches go unreported. The study, Estimating the Size of the Iceberg from Its Tip: An investigation into unreported data breach notifications by Fabio Bisogni, et al., explains several reasons for such non-reporting:

  • Many companies fail to even detect the incident or lack logs sufficient to establish that it resulted in unauthorized access to personal information.
  • Some state laws permit companies to forego notification if they find little risk of harm to the affected persons.
  • And, some companies simply decide not to notify and instead to bear the risk of private lawsuits, regulatory enforcement actions, and the potential of incurring significant reputational damage, later, in favor of the immediate savings of not having to pay for the notification process and the prospect that the incident may never become public.

But two recent criminal and regulatory enforcement actions may drastically alter the calculus for companies weighing whether to issue notifications following a data breach.

First, on Aug. 19th, a criminal complaint was filed in California federal court against Joe Sullivan, former chief security officer for Uber Technologies. Federal prosecutors allege that Sullivan obstructed justice and wrongfully concealed a felony when he withheld and concealed from the Federal Trade Commission his knowledge of a 2016 hack of Uber’s systems that purportedly resulted in hackers obtaining personal data of more than 57 million Uber drivers and passengers.

The breach wasn’t publicly disclosed until more than a year later (I wrote about it then), and Sullivan allegedly participated in an effort to cover up the 2016 breach by paying the hackers through the company’s bug bounty program and securing nondisclosure agreements from them, all while Uber already was under investigation by the FTC for an earlier 2014 data breach. Wired Magazine called the indictment a “warning shot,” the “first direct example in the United States of a corporate executive facing criminal charges and prison time … over a data breach response.”

Sullivan faces several years in prison on each of the criminal charges. Rather than go down alone, Sullivan argues that it was Uber’s legal department that was responsible for deciding whether, and to whom, the 2016 breach should be disclosed.

Second, on July 22, the New York Department of Financial Services filed charges against First American Title Insurance Company in the first action seeking to enforce the department’s cybersecurity regulation. First American allegedly had a problem in the file-naming conventions used for its online document management system, which allowed users to bring up documents, without authorization, merely by changing digits in the document ID number that made up part of the URL address for each document. The unsecured documents contained Social Security numbers, driver’s license images, and bank account numbers and statements.
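As an added illustration (not from the original post, the regulator’s filing, or First American’s systems), here is a minimal model of the kind of URL-based document lookup described above: the lookup with no ownership check, the same lookup with the object-level authorization it lacked, and a simple check over web access logs that surfaces a client walking consecutive document IDs. The document store, user names and log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample store: sequential IDs, each owned by one customer.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "SSN ***-**-1234"},
    1002: {"owner": "bob", "body": "bank statement, acct ***5678"},
    1003: {"owner": "carol", "body": "driver's license scan"},
}

# Constructed access-log lines: one client walks 1001..1003, another fetches one document.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2019:00:00:00 +0000] "GET /docs/1001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2019:00:00:01 +0000] "GET /docs/1002 HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2019:00:00:02 +0000] "GET /docs/1003 HTTP/1.1" 200 710',
    '203.0.113.9 - - [01/Jan/2019:00:05:00 +0000] "GET /docs/1002 HTTP/1.1" 200 640',
]

LOG_RE = re.compile(r'^(\S+) .*"GET /docs/(\d+) HTTP')


def fetch_document_vulnerable(doc_id):
    """Serves whatever ID appears in the URL; ownership is never checked."""
    return DOCUMENTS[doc_id]["body"]


def fetch_document_hardened(doc_id, requesting_user):
    """Object-level authorization: the document must belong to the requester.
    Missing and foreign documents raise the same error, so nothing leaks about which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requesting_user:
        raise PermissionError("document not available")
    return doc["body"]


def find_enumeration(log_lines, min_run=3):
    """Returns clients whose requested IDs contain a run of at least min_run
    consecutive integers, the pattern an ID-walk leaves in access logs."""
    by_client = defaultdict(set)
    for line in log_lines:
        if m := LOG_RE.match(line):
            by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in sorted(by_client.items()):
        ordered, run = sorted(ids), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(client)
                break
    return flagged
```

The log check is the kind of signal a routine review of web server logs (or the penetration tests mentioned below) can produce long before a regulator does.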


First American allegedly learned of this lapse of data security in December 2018, but failed to recognize the severity of the problem, and so left unsecured more than 700 million documents (many containing nonpublic personal information) until May 2019. Indeed, the Department alleges that First American’s own penetration tests warned that thousands of these documents had been indexed by Google’s search engine.

Because First American failed to follow its own internal policies and neglected to conduct a risk assessment and otherwise adequately respond in a timely manner to the serious vulnerability, the department has levied charges against First American carrying penalties of up to $1,000 per violation, with the charges suggesting that each exposed record could constitute a separate violation, leaving the company facing maximum potential exposure of billions of dollars.

Will potential criminal charges or potential penalties in the billions of dollars spur companies to disclose data breaches promptly?  We’ll see – many organizations tend to have a short memory on these types of things.

BTW, all 50 U.S. states have data breach notification laws (plus DC, Guam, Puerto Rico and the Virgin Islands).  And, if you’re a lawyer, ABA Formal Opinion 483 discusses lawyers’ obligations after an electronic data breach.  You’ve been warned!

Also, just a reminder that next Wednesday, September 9th at 2pm ET (1pm CT, 11am PT), Ipro will conduct the webinar Legal SWOT Analysis: Identifying Opportunities & Threats for eDiscovery, Cybersecurity & Data Privacy During the Pandemic.  I’ll be presenting, along with two of my favorite people(!) – Tom O’Connor, Director of the Gulf Legal Technology Center and Jim Gill, Content Marketing Manager (and blogger extraordinaire) for Ipro.  Should be interesting and a lot of fun!  Don’t miss it, click here to register!

So, what do you think?  Are you surprised at the extent of coverage of data breach notification laws in the US?  Otherwise, please share any comments you might have, or let me know if you’d like to know more about a particular topic.

eDiscovery Today will resume posts on Tuesday, September 8th. Have a great Labor Day everyone!

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
