When it comes to a data breach, “our role doesn't begin in the courtroom,” Massachusetts Assistant Attorney General Sara Cable said Thursday at SC Congress Boston, encouraging members of the audience to work with her office in the aftermath and even before one occurs.
The Massachusetts AG's office receives hundreds of breach reports each year, with 2,423 reported in 2014. Since 2008, 5,182,968 residents in the state have been affected by the 9,869 breaches reported to the AGO. And Cable said by the end of 2015 she expects that number to be “well north of the 10,000 mark.”
While there was no common thread that emerged from the breaches “humans are a recurrent theme,” Cable said, from what she referred to as the “Homer Simpson ‘Doh!' moments” to intentional acts committed to do harm. "You need to set up systems to assume humans will try to [penetrate] them," she said. "You have to have redundancy built in."
She added that the breach reporting pattern indicated that “the pace of breaches outpaces a company's ability to report” with multiple attacks occurring in a short time period. “The breaches start to cluster around this period.”
Cable noted that the AG's office tries to take a reasonable approach to such incidents. “The law doesn't say ‘Thou shalt never be breached,'” she said. “It's not a strict policy regime.”
But she acknowledged that companies sometimes don't understand what prompts an AGO investigation and occasionally can feel like the law is not evenly applied, Cable noted that certain elements are more likely to trigger the AG's interest. Among the triggers: a breach that results in ID theft or monetary loss to the consumer (the AGO's charge is to protect consumers); the breach was preventable; the company in question didn't notify the AG of the breach or there was a long delay between the breach and a notification and the incident had a large impact on Massachusetts.
Cable also offered a handful of tips for “dealing with regulators.” First, she said, disclose breaches before the press or someone else does it.” Exceeding bare legal requirements can go along way in assuaging regulators' concerns as can proactively sharing details of the breach such as what happened, who was affected and how the situation is being remediated.
Additionally, organizations should inform regulators of any mitigating circumstances or context and offer to share lessons learned. “I can then communicate them in a general way to the public,” she explained.
Cable said that despite the number of breaches reported, the Massachusetts AG has only prosecuted about 20 cases — the low number is in part a result of the office trying to use its resources wisely on the most egregious breaches.