Mar 5, 2015

By: Stephanie Barnes, Regulatory Counsel, Food Marketing Institute 
Legal 2015 Website Logo

Data breaches are a growing concern and how to best respond to such an event is a constantly evolving topic. That’s why we sat down with Christopher Cwalina from Holland & Knight to get to know him better before his presentation at the upcoming 2015 FMI Legal Conference, March 22 – 24 in Savanna, GA. 

1. What is your favorite thing about the grocery store?

This sounds like a trick question.  I mean, what's NOT to like?  Ok, maybe long lines aren't great when there's a threat of snow, but other than that, I love going to the grocery store (except I stay away when I'm hungry so there's that too).  My local grocery store has a Starbucks so I pick up a cup as I walk through the aisles –usually on the weekend.  My favorite thing is when there are samples to try.   

2. How can merchants protect their operations and customers’ data from a potential data breach?

On the technical front, merchants can utilize protective measures, such as encryption and salted hashing of data to help shield against a breach.  Merchants should also ensure that they have sound policies in place regarding data access, such as limiting access to a “need to know” basis for the role of an individual or unit (or vendor) as well as enhancing access requirements.

Similarly, merchants should implement contractual constraints on its third-party vendors (e.g., mandating the right to audit the vendor, requiring that the vendor pass security certification and adhere to third-party security standards, etc.) and ensure these obligations are memorialized in writing.  Merchants should be careful about their vendors' ability to make use of data downstream.  Too often we are dealing with breaches due to vendors who have data they didn’t need to have and should have gotten rid of.   

Finally, and perhaps most importantly, protecting from a data breach is not just the job of IT or Info Sec.  While obviously an important component, often breaches occur due to no lapse in perimeter security.  Information security is a top-down issue and one that involves not only IT professionals but also Asset Protection, Legal, Compliance, Internal Audit, Public Affairs, Government Relations, Marketing, Product Development, and senior executives.  While not preventative, one of the most important things to do is make sure the company is prepared to respond if/when a breach occurs. Testing will ensure that the response is adequate and will dramatically decrease liability exposure when a breach does occur. 

3. How do federal data breach laws compare with those in place in states and localities across the country?

Currently, an omnibus federal data breach law does not exist (although, with the increasing attention surrounding data breaches, many members of Congress are floating the idea of some sort of federal data breach legislation).  That said the state data breach laws make up a patchwork quilt of their own.  Nearly every state has enacted data breach law(s), with some states having very stringent notification standards while others are less restrictive.  For example, states like Connecticut and Indiana require regulatory notification any time a breach occurs; whereas, other states (e.g., California) only require notification to regulators if the number of impacted consumers exceeds a particular threshold. 

In addition, merchants also have to be cognizant of any time limitations that may apply to either consumer or regulator notification.  Florida, for instance, requires that affected individuals be notified within 30 days of discovering the breach.  Moreover, what constitutes a “breach” may differ from state to state and what is or is not required in consumer notifications also varies depending on the state.  Given the varying requirements across the country, it will be interesting to see if a federal standard is actually implemented and, if so, whether such legislation will preempt existing state laws.

4. What resources are available to merchants to protect from or mitigate against a data breach (ex: government and other institutions)?

As far as alerts pertaining to system vulnerabilities, there are several good resources from which merchants can obtain valuable information.  The National Institute of Standards and Technology (NIST) has a specific database where it publishes known vulnerabilities.  Other platform/vendor updates are available through companies, such as Adobe, Oracle, Microsoft, etc.  Information Sharing and Analysis Centers (ISACs) are also a great source for information sharing and alerting regarding potential cyber threats.  Merchants should ensure that they have someone who is responsible for monitoring these alerts and updating and patching systems—including open source systems—accordingly.

As I said above, one of the best things to do to mitigate damages is to be prepared to respond promptly and adequately once there is a breach.  The best way to do this is to review plans and to test them.  The regulators have told me on a number of occasions that they understand companies have breaches, so what they want to know is whether companies have been ignoring the issue.  One of the most important things a company can do - once it has written plans in place - is to test and improve upon those plans.  Doing so will go a long way in informing a regulator's exercise of prosecutorial discretion after a breach occurs. 


In addition to the Data Security session at the FMI Legal Conference, there are resources for FMI members at www.fmi.org/AssetProtection and the Asset Protection Conference is March 9 – 12 in Memphis, TN.