Yahoo’s data breach costs general counsel his job
Various privacy laws are potentially applicable to businesses, employers and sponsors of employee benefit plans, not the least of which is the Health Insurance Portability and Accountability Act (HIPAA). While the specifics of the laws vary, certain basic principles apply across the board. One key principle is that security incidents do not arrive packaged with a pretty bow and a notice stating “hundreds of millions of your user accounts were just affected.” Incidents can appear innocuous or minor until they are fully investigated, and it may be challenging to draw distinctions between business decisions and legal decisions. The committee that reviewed the Yahoo matters concluded that the relevant legal staff had sufficient information to warrant substantial further inquiry, but failed to pursue it. Subsequently, the general counsel resigned.
Anyone who could possibly be held accountable for the handling of data breaches should be asking tough questions about data security practices and procedures, including the incident response plan. Don’t know what an incident response plan is, or who is responsible for it? It’s time to find out. It costs a lot less to work with your privacy and data security attorneys to establish good practices and procedures than it does to deal with the aftermath of a hack and an insufficient investigation, and your job may depend on it.