Header graphic for print

Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – June 1, 2015 – Courts Affirm Insurers’ Denial of Coverage for Electronic Data Claims  

Posted in Cybersecurity, Insurance, Privacy Litigation, Privacy Monday

Happy June – the first day of meteorological summer!

In the last month, both a federal and state court denied coverage for claims relating to an insured’s handling of electronic data.  In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data.  In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information.   Both of these decisions illustrate the importance of the specific language contained in an insurance policy as that language determines the scope and breadth of the coverage actually afforded under that policy. Continue Reading

REMINDER: Webinar – The Long Reach of COPPA

Posted in Children, Events and Webinars, Online Advertising

If your company has an online presence — or provides marketing or advertising services — you should be registered for the fifth webinar in our 2015 Wednesday Privacy Webinar series:  The Long Reach of COPPA.   Recall the recent FTC settlement agreement with Yelp — clearly a site not targeted at children — that cost the online review company $450,000.

 

Register online here – NY and CA CLE credit is available.

Tweet Like Email linkedin
Comments Off

Failure to Obtain Required Retailer Approval Scuttles Target-MasterCard Data Breach Settlement

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Target’s attempt to resolve claims of MasterCard-issuing banks through a $19 million private settlement with MasterCard has been terminated for failure of issuers of 90% of the affected cards to accept the settlement by the Wednesday, May 20 acceptance deadline.  Press reports on Friday, May 22 indicated that both Target and MasterCard had confirmed that failure to meet the 90% requirement had voided the settlement.  The termination of the settlement means that MasterCard issuing banks no longer have the option to accept a portion of the proposed $19 million MasterCard settlement pool to settle their claims against Target.

For now, the claims that would have been resolved in the MasterCard settlement continue to be the subject of the consolidated class action pending in federal court in Minnesota.  It remains to be seen whether Target and MasterCard will go back to the drawing board to craft a new and richer settlement, or if Target will abandon its attempt to obtain a private settlement and pursue resolution of the MasterCard claims through the federal court lawsuit.

The NAI Issues Privacy Guidelines For Interest-Based Advertising, Ad Delivery and Reporting

Posted in Data Compliance & Security, Online Advertising

The Network Advertising Initiative (NAI) has issued guidance for its members on the use of non-cookie technologies for Interest-Based Advertising (IBA) and Ad Delivery and Reporting (ADR) (Guidance). The NAI is a self-regulatory organization for third-party digital advertising companies. Consistent with the NAI Code of Conduct (NAI Code) which was designed based on the Fair Information Practice Principles, the Guidance explains how the NAI Code applies to members’ use of non-cookies technologies for IBA and ADR, sets best practices for members and offers insight into the NAI’s staff review of members using non-cookie technologies for IBA as a part of the NAI annual compliance reviews.

We all know what cookies are by now.  So what is IBA and “non-cookie” technology?

Also commonly referred to as online behavioral advertising, IBA is online advertising tailored to consumers interests by companies promoting their products or services, accomplished by collecting consumer data across multiple web domains owned or operated by different entities,  amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. For more information about IBA, please click here. The NAI defines non-cookie technology as “mechanisms, other than cookies, used to identify your browser, which can include technologies such as browser cache, locally stored objects (LSO’s), or statistical identifiers… used for many purposes including, but not limited to, ensuring your online banking is secure, preventing online advertising fraud, or to engage in Interest-Based Advertising or Ad Delivery and Reporting”. For more information about non-cookie technology, please see the NAI FAQ’s on Non-Cookie Technologies.

What are the NAI-recommended best practices for members’ use of non-cookie technology for IBA and ADR?

The Guidance sets forth baseline best practices for:

  1. Notifying consumers of a member’s use of non-cookie technology and providing transparency:
  • Members using non-cookie technology for IBA and/or ADR must include certain information in their privacy policies regarding their use of the technology and consumer choice with regard to such use, such as (1) a general description of the technology and a disclosure of use of such technology for IBA and/or ADR, (2) a description of and easy access to a user-friendly opt-out mechanism that will allow consumers to halt online behavioral advertising for a particular browser or device as well as behavioral advertising based on the use of non-cookie technology; (3) a description of an easy access to a consumer transparency tool; and (4) any required updates to representations made in the privacy policy that browser cookie controls in isolation prevent online behavioral advertising where such representation s would otherwise be erroneous.
  • Members using non-cookie technology for IBA must require websites collecting data for IBA through the non-cookie technology to clearly and conspicuously post a notice containing a disclosure that non-cookie technology may be used by third-parties on the site. Members are further required to make a reasonable effort to ensure that such notice is posted on their partners’ websites and that related language that is currently used by their partners is updated accordingly. Addendum A to the Guidance provides several examples of partner website notices.
  • Members using non-cookies technologies for IBA that cannot be viewed or modified using native browser controls are required to implement a consumer-facing transparency tool which, at a minimum, displays: (1) on both the member’s website and the NAI’s opt-out page whether data is collected for IBA on a specific browser using non-cookie technology, and the opt-out status for such browser, and (2) on the NAI’s opt-out page only, a disclosure or an icon to inform consumers that the member is using non-cookie technology for IBA and to link back to the member’s website for information about the member’s use of such technology.

2. User control:

  • Members engaging in IBA are required to provide an opt-out mechanism available both on the member’s website and through the NAI’s opt-out page that ensures that data collected using the non-cookie technology is not used for IBA after a consumer has opted out of such use of their data. The opt-out must cover the browser on which the choice is expressed. After a consumer exercised the opt-out choice and while the consumer is opted out, a member may continue to collect data using non-cookie technology only for non-IBA purposes and any such data may not be used for IBA at any time, regardless of future opt-out status and technology used.
  • Under the Guidance, NAI members will be required to offer a centralized consumer opt out of non-cookie technologies through the NAI’s new opt-out tool once it is published to the NAI opt-out page. According to the NAI, this new tool will inform consumers when NAI members use non-cookie technologies for IBA as well as offer a redesigned opt-out experience.

3. User limitations:

  • Members making a material change to their IBA data collection and use policies and practices are required to obtain opt-in consent before applying such change to data collected prior to the change; until opt-in consent is obtained or in its absence, any data collected prior to the change will continue to be governed by the data collection and use policies in effect when the information was collected.

4. Accountability:

  • Members using non-cookie technology for IBA that do not allow the NAI to conduct reasonable technical oversight will be required to develop a process with the NAI staff whereby the NAI compliance team will be able to conduct reasonable, external oversight and monitoring (e.g., access to a member’s API).
  • A member’s opt-out inspection service must provide the NAI: (1) a methodology to determine if changes to an ad interest profile have been made post the applicable consumer’s opt-out where such changes would be updated through the use of the non-cookie technology, and (2) some other methodology that provides adequate information to permit the NAI compliance staff to assess and ensure the member’s compliance with the NAI Code and the Guidance. Members are required to attest that their business practices are compliant with each aspect of the NAI Code.

The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance.  Members that want to use non-cookie technologies for IBA and ADR during this time may do so but only in accordance with the requirements set forth in the Guidance.  However, since the  current NAI opt-out tool does not indicate when members use non-cookie technologies for IBA, the requirement to use the NAI’s opt-out tool will become effective after the NAI completes testing and integrating the new tool into its central industry opt-out page.

CNA Denies Cyber Insurance Claim

Posted in Cybersecurity, Data Breach, Insurance, Privacy Litigation

Key takeaway:   The insurance applications and underwriting questionnaires prepared in connection with cyber insurance do matter.

Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions.  This is beginning to change as disputes arise and make through way through the judicial system.

One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy.  In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the internet.  Cottage allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards.  The California court granted approval of the $4.125 million settlement fund in December 2014.  CNA, which had reserved rights, filed this action. You can read more about the underlying lawsuit here.

In it, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.”  In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures.  CNA asserts that this representation in the application was false.

Insureds and insurers in the cyber space would do well to watch this matter unfold.  The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides.  Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies.  Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week, here.

 

Privacy Monday – May 18, 2015

Posted in Children, Cybersecurity, Data Breach, Data Breach Notification, Data Compliance & Security, Events and Webinars, Mobile Privacy, Online Advertising, Privacy Monday, Security, Uncategorized

It’s Monday morning — do you know your privacy/security status?

Here are a few bits and bytes to start your week.

SEC to Registered Investment Advisers and Broker-Dealers:  It’s Your Turn to Pay Attention to Cybersecurity

The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties.  That information includes information concerning fund investors and advisory clients.   We’ve summarized key points from the recently-issued Guidance.

The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

  • Conduct a periodic assessment of:
    • the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    • security controls and processes currently in place; and
    • the impact should the information or technology systems become compromised;  and the effectiveness of the governance structure for the management of cybersecurity risk.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats, such a strategy could include:PrivacyMonday_Image1
    •  controlling access to:
      • various systems and data via management of user credentials;
      • authentication and authorization methods;
      • firewalls and/or perimeter defenses;
      • sensitive information and network resources;
      • network segregation;
      • system hardening; and
      • data encryption.
  • protecting against the loss or exfiltration of sensitive data by:
  • restricting the use of removable storage media; and
  • deploying software that monitors technology systems for:
    • unauthorized intrusions;
    • loss or exfiltration of sensitive data;  or
    • other unusual events.
  • data backup and retrieval; and
  • the development of an incident response plan
    • routine testing of strategies could also enhance the effectiveness of any strategy.
  • Implement the strategy through:
    • written policies and procedures; and
    • training that:
      • provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
      •  monitors compliance with cybersecurity policies and procedures.

Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors.

 

Penn State University Confirms Cyberattack Originated in China

If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while.  The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China.   Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered.   The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.

For more:  Cyberattack on Penn State University

 

Digital Advertising Alliance to Enforce Mobile App Principles

Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment.   The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment.  Mobile tools for consumers were released in February:  App Choices and the Consumer Choice Page for Mobile Web.

The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for calendar, address books, photo/video data, etc. created by a user that is stored on or accessed through a particular device.

After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.

 

REMINDER — UPCOMING PRIVACY WEDNESDAY WEBINAR

Don’t forget to register for the next in our Privacy Wednesday Webinar series:  The Long Reach of COPPA.   Webinar is eligible for NY and CA CLE credit — register here.

 

 

 

 

 

Privacy Monday – May 11, 2015

Posted in Children, Employee Privacy, Events and Webinars, Federal Trade Commission, Privacy Monday, Uncategorized

On this Privacy Monday, we have some upcoming events that you might want to add to your calendar.Privacy & Security Matters Monday Blog Series Image

Wednesday, May 13 – Mintz Employment Law Summit (Boston)

A discussion of hot topics facing employers, including Privacy in the Workplace.  Free event, breakfast and lunch included.   Register here.

Wednesday, May 13 – National Security, Privacy, and Renewing the USA PATRIOT Act, Hudson Institute, NY

Live streaming starts at noon. #PATRIOTAct.  More information here.

Wednesday, May 13 – Ninth Annual Law & Information Society Symposium – Fordham Law School

Trends in the global processing of data, developments in new technologies, privacy enforcement actions and government surveillance put international privacy at the center of the global law and policy agenda. Government regulators, policymakers, legal experts, and industry players need to find solutions to cross-border conflicts and to the issues presented by innovative technologies. This conference seeks to create a robust, but informal dialog that will explore possible solutions to current questions arising from the international legal framework, infrastructure architecture and commercial practices.   Information here.

Thursday, May 14 – IAPP KnowledgeNet (Boston area)

Learn about data privacy issues posed by wearables, wellness tracking apps, company wellness programs and other technologies and services here in the U.S. and abroad.   Register here.

Monday, May 18 – 36th IEEE Symposium on Security & Privacy – Fairmont Hotel (San Jose)

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. The 2015 Symposium will mark the 36th annual meeting of this flagship conference.  More information here.

Wednesday, May 27 – Mintz Privacy Wednesday Webinar – The Long Reach of COPPA

The fifth in our Wednesday Webinar series will focus on a discussion of COPPA, the long-awaited amendment and issues.   We’ll also discuss the latest Federal Trade Commission settlements and how to avoid being the next target.   Register here.

 

 

Tweet Like Email linkedin
Comments Off

Judge in Target Data Breach Litigation Declines to Block MasterCard Settlement

Posted in Class Action Litigation, Data Breach

Senior U.S. District Court Judge Paul Magnuson issued an order  on Thursday, May 7 denying a request by counsel for card issuer banks to enjoin the settlement of data breach related claims negotiated between Target and MasterCardAs we have previously reported, the proposed settlement would provide compensation to MasterCard-issuing banks for fraud losses and the cost of reissuing credit and debit cards.  Banks that agree to accept the settlement are required to release all data breach claims against Target arising from compromised MasterCard accounts.  Crediting substantive objections to the proposed settlement, Judge Magnuson wrote that “[t]he Court agrees with Plaintiffs’ counsel that the terms of the settlement do not appear altogether fair or reasonable.”  He also signaled disapproval of conducting settlement negotiations outside of the court proceedings without participation by or notice to class counsel, stating that “the way this issue has arisen is neither fair nor is it how the Court expects attorneys to conduct themselves in litigating matters before the Court.”  Nonetheless, Judge Magnuson concluded that he was powerless to enjoin the settlement, insofar as Fed. R. Civ. P. 23, which governs class actions, empowers parties to settle claims that are the subject of a class action privately, without court approval, at any time prior to certification of a plaintiff class.  “Before a class is certified,” he wrote, “a Court’s authority over settlements such as these is limited to curing communications that constitute ‘actual or threatened misconduct of a serious nature.’”  He concluded, however, that Target’s and MasterCard’s communications with card issuers concerning the settlement were not so misleading or deceptive that the Court would be empowered to enjoin the solicitation of card issuers to participate in the settlement.  Accordingly, the judge declined to enjoin the Target-MasterCard settlement.

It is unclear whether class counsel intend to seek interlocutory appellate review of Judge Magnuson’s order.  Such review is highly unusual and difficult to obtain.

As a result of this ruling, the settlement process under the Target-MasterCard settlement agreement can continue to go forward.  In order to participate in the settlement, issuer banks must affirmatively elect to join the settlement and provide releases to Target.  Target can walk away from the settlement if issuers of fewer than 90% of the affected payment card accounts opt into the settlement.  It is likely that class counsel will encourage issuer banks to decline the settlement and continue to participate in the class action.  The success or failure of such a campaign will determine whether MasterCard-related claims continue to be litigated in federal court before Judge Magnuson.  Also unclear at this point is whether a similar settlement is in the works between Target and Visa to resolve the claims of Visa-issuing banks and, if so, what the terms of that settlement will be.

Fitbit Files for IPO: Cybersecurity Risk Disclosure

Posted in Cybersecurity

Fitbit, the fitness-tracking company with six wearable devices that track and collect data about things like calories burned, steps logged, “quality” of sleep and sleep patterns, heart rate, etc.) as well as web and mobile apps and premium services, has filed with the Securities and Exchange Commission for a $100 million initial public offering.   We have discussed the SEC’s Cybersecurity Guidance issued in 2011 and based on that Guidance, how the SEC expects public companies (and soon-to-be public companies) to disclose specific cybersecurity risk to investors — see our discussion here.   Given that, we thought we would check Fitbit’s S-1 filing to see how a company collecting gobs of health and fitness data on millions of users (nearly 21 million units sold last year) discloses cybersecurity risk.

Boilerplate, or discussion of company-specific risk?   You be the judge (the entire S-1 can be obtained here):

We collect, store, process, and use personal information and other customer data, which subjects us to governmental regulation and other legal obligations related to privacy, information security, and data protection, and our actual or perceived failure to comply with such obligations could harm our business.

We collect, store, process, and use personal information and other user data, and we rely on third parties that are not directly under our control to do so as well. Our users’ health and fitness-related data and other highly personal information may include, among other information, names, addresses, phone numbers, email addresses, payment account information, height, weight, and biometric information such as heart rates, sleeping patterns, GPS-based location, and activity patterns. Due to the volume and sensitivity of the personal information and data we manage and the nature of our products, the security features of our platform and information systems are critical. If our security measures, some of which are managed by third parties, are breached or fail, unauthorized persons may be able to obtain access to sensitive user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Fitbit data were to experience a breach of systems compromising our users’ sensitive data, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data breach or other unauthorized access to our user data, we may also have obligations to notify users about the incident and we may need to provide some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the incident. A growing number of legislative and regulatory bodies have adopted consumer notification requirements in the event of unauthorized access to or acquisition of certain types of personal data. Such breach notification laws continue to evolve and may be inconsistent from one jurisdiction to another. Complying with these obligations could cause us to incur substantial costs and could increase negative publicity surrounding any incident that compromises user data. Our users may also accidentally disclose or lose control of their passwords, creating the perception that our systems are not secure against third-party access. Additionally, if third parties we work with, such as vendors or developers, violate applicable laws, agreements, or our policies, such violations may also put our users’ information at risk and could in turn have an adverse effect on our business. While we maintain insurance coverage that, subject to policy terms and conditions and a significant self-insured retention, is designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise in the continually evolving area of cyber risk.

 

 

 

Breaking Down the DOJ Cybersecurity Unit’s Guidance on Responding to Cyberattacks

Posted in Cybersecurity, Data Breach, Data Compliance & Security, Privacy Litigation, Security

Another federal agency has weighed in with “guidance” on cybersecurity preparation and breach response.  The Department of Justice (DOJ) is the latest to issue guidance on how companies should respond to data breaches.   The guidance is not perfect, and in some respects is simply a recitation of existing best practices, but it is still valuable because it signals the government’s increased willingness to foster public-private cooperation against cybercrime, and it sets out the DOJ’s latest thinking on responding to cyberattacks.  images

Common Sense Advice

Embracing much of NIST’s recently published Cybersecurity Framework, the DOJ guidance provides several useful tips and some common sense advice to businesses as they prepare for cyberattacks. The guidance also has a useful check-list that many smaller businesses or start-ups may find useful as they develop their privacy and data-security infrastructure.

The DOJ’s first recommendation is that companies develop robust incident response plans prior to a breach (i.e. now). Such plans should identify key corporate assets, clearly establish lines of control and communication, inventory available technical resources and ensure their availability during an attack, have identified and retained experienced counsel with knowledge of relevant laws and practices, and have a working relationship with the FBI, Secret Service, and industry cyber intelligence sharing organizations.

Second, the guidance outlines a four step process for responding to a cyberattack.

  • The first step is making an initial assessment of the scope and nature of the incident.
  • Next, a business should implement measures to wall off the attack through rerouting network traffic, filtering, and enhanced segmentation of compromised systems.
  • Third, business should record and collect evidence of the attack, and take steps to preserve such evidence prior to undertaking remediation efforts.
  • Finally, and unsurprisingly, the guidance advises businesses to always notify law enforcement of an attack (more on this below).

Finally, the guidance sets out what companies should not do in the event of a cyberattack. A key warning here is that businesses should not “hack-back” or attempt to penetrate or damage an attacker’s systems.   This warning is well taken—penetrating another system, even one believed to be involved in maliciously compromising a network, may expose individuals or business to criminal liability under the Federal Computer Fraud and Abuse Act, or to civil damages and penalties.

Limitations of the DOJ’s Guidance

Any pre-scripted guidance, even guidance from the DOJ, should be taken in context. Cybercriminals target and exploit gaps in a company’s security and compliance controls. This means that even the best organized companies, with the best laid plans, can struggle to respond to a cyberattack that exploits a loophole, a gap, or an unchallenged assumption. To address this reality, companies should—as the DOJ recommends—engage experienced counsel, but they should also develop a relationship with cybersecurity and forensic experts—like Cylance, Mandiant, or KPMG—who can not only provide pre-breach intelligence and planning assistance, but can also be quickly available to help respond to a breach.

The DOJ’s guidance is also silent on a key element of pre-breach planning: war-gaming. Companies developing incident response plans should routinely test those plans in simulated war-games and table top exercises with all stakeholders. This process helps companies identify issues and ensure all stakeholders understand their respective roles and responsibilities. The Mintz Privacy team has been recommending that for a while.  You test your disaster response plan; if you have an incident response plan, you should test it.

Finally, the DOJ’s recommendation that law enforcement should be contacted immediately if criminal activity is suspected is open for debate. While we applaud the DOJ, and the FBI and Secret Service, for taking steps to minimize business disruptions and liability concerns, and we appreciate the need for enhanced public-private cybersecurity cooperation, any decision to provide notice to law enforcement should only be taken after a company has consulted counsel and carefully assessed its notification requirements under existing state data breach notification laws. To be clear, we believe that companies should cooperate with law enforcement; however,  such cooperation should be carefully considered.