Anatomy of a Data Breach Response

Published in INSIGHT - Spring 2018
By Nathan A. Adams, IV* ©2018
Studies suggest that the median number of days it takes to discover a data breach is 146. The Federal Trade Commission (FTC) requires financial institutions, including colleges and universities, to adopt a comprehensive written information security program (WISP) that is ready to deploy on day 146. There is no time to be lost in catching the crooks and notifying the victims. The FTC rule, promulgated under the Gramm-Leach-Bliley Act, does not ordinarily apply to churches, but it sets a standard that churches would be wise to consider.

Suppose hackers gained access to your computer system 146 days ago. They typically establish a foothold first, then work to “escalate” their privileges to gain broader access to files, conduct internal reconnaissance, and take or impound the data. Whose confidential information, and which records, might they take? Donor, employee, member, visitor, missionary, vendor, parish, or denomination data may be on file, along with personnel and payroll records, credit card information, bank account details, membership rolls, intellectual property, and other records.

A WISP helps organizations deploy resources quickly: first to identify and evaluate the extent of the compromise, then to remove the attacker, notify law enforcement, and undertake remediation efforts. The program calls for a chief information security officer to coordinate deployment of the incident response plan and team. When the program functions best, organizations catch hackers in the act by, for example, examining network traffic and electronic logs, and, generally with the assistance of forensic consultants, remove the hackers from the environment.

About half of the time, organizations do not learn about a breach until weeks later. Sometimes law enforcement calls, or a do-gooder scanning the dark web discovers your organization’s W-2s for sale. Other times, government agencies contact employees or donors inquiring about fraudulent applications or tax returns filed in their names. A credit card company may ask about excessive charges, or several employees or members may report fraudulent charges to the church.

Once your church confirms that a data breach has occurred, state statutory law may require reporting. If the data pertains to non-residents, multiple state reporting laws may be implicated. Churches may need to notify law enforcement and state attorney general offices (AGOs). Usually, AGOs will want to know details about the data breach, including how and why it happened, what policies you had in place to prevent it, and the remediation steps that the church is taking. 

Under state law, the church may need to notify all persons whose information was compromised. The church may not have all of the affected persons’ addresses, so the church will need to retain a vendor to obtain current street addresses. Paying for credit monitoring for affected individuals is standard. The church will want to offer this and have a call-in number for individuals with questions. Responders will need a common FAQ sheet. Media may become involved, so the church will want to have a media strategy, as well.

As part of a WISP, organizations typically retain forensic experts, public relations professionals, and lawyers. Each plays a critical role. Institutions without incident response plans may have to adopt a plan once law enforcement becomes involved. Lawyers schooled in cyber breach incidents are essential to ensure reporting goes smoothly. Subject to various caveats, they may also shield sensitive communications and investigatory documents under the attorney-client privilege. Breaches risk public enforcement actions, including fines and penalties, as well as private class actions, so lawyers will eye mitigation strategies.

The average cost of a data breach in the United States last year was about $245 per record. The average aggregate cost was $7.35 million. The cost to churches is likely to be less, but even without civil or criminal liability, fees and costs add up quickly for credit monitoring; fraud restoration services; address locators; mass mailings; call centers or notification screeners; forensic, legal and public relations consultants; and computer system modifications. 

Consequently, cyber insurance has become a critical additional coverage, but its quality varies widely even at a similar price. For example, not all cyber insurance policies cover (i) vendor liability, as when a vendor is responsible for the breach; (ii) breaches caused by employees or insiders; and (iii) fines and penalties imposed by public agencies (especially out-of-state agencies). The best policies often require minimum computer technology, compliance reporting, and WISPs. Lawyers schooled in cyber incidents can assist with identifying coverage gaps.

Indemnification is another type of “insurance” that churches may require by contract from vendors with access to the church’s sensitive information. If a vendor is responsible for a breach, it should pay for it. By contract, churches may also require vendors to implement and maintain safeguards against data breaches. For employees, adherence to data safeguards, including keeping passwords private, should be a term of employment. Not all employees need access to sensitive data, either. Minimizing the amount of sensitive information that a church collects is also a wise strategy.

Prevention of cyber breaches is always cheaper than investigation, notification and remediation. Here again, lawyers schooled in cyber incidents, working in cooperation with church IT professionals, can help a church put together a WISP and compliance protocol that will protect data and, in the final analysis, money and the church’s reputation. Successful plans include employee training, regular testing and monitoring to identify vulnerabilities, program adjustments, record retention (and destruction) policies, and enhanced security for sensitive information.

*Nathan “Nate” A. Adams, IV is a Partner with the national law firm Holland & Knight LLP. He can be reached at