You Detected a Data Breach. Now What?

You have detected a data breach. Alert!

You are the CEO of a mid-size company. As you are going about your day, minding your business, you get a call from your security department. It’s a call you really didn’t want. Security has detected suspicious file movements and wants your directions about what to do next. You have likely suffered a data breach.

Now what?

Ideally, you will go to your shelf and pull out your executive copy of the company’s data breach plan. But what if you don’t have a plan?

As with most policies, the time to develop your data breach plan is “before you need it.” In this case, it’s important for two main reasons. First, the law requires you to have a plan if you have Massachusetts customers (as part of a Written Information Security Plan, or WISP) or are in one of any number of regulated industries. Second, odds are high that your business will suffer a data breach sooner or later.

If you don’t have a plan yet, you are not alone. About 20% of companies have not yet developed a plan, according to a 2015 Ponemon study. If you do have a plan but aren’t totally confident in it, again, you are not alone. About two-thirds of companies with a plan weren’t confident in their plans in the same study. If you don’t have a plan, or if you do have a plan and wonder whether it covers everything it should, this post is for you.

Your company’s data breach plan should include each of these important elements:

    The Right Crowd. When you develop your plan, you should include at minimum your security, technology, legal, customer service, and PR/communications folks, as well as representatives from any areas specifically affected. For example, include someone from HR when developing policies about handling HR data. Depending on the size of your organization, this group might include anywhere from 2 people to 20. In final form, your plan should include the roles and responsibilities of people from all of these groups as well. If you don’t have the right people in the room from the start, you face the very real possibility of chaos when a data breach occurs.

    Administrative, Technical, and Physical Safeguards. Your plan should cover how you are going to keep your data as safe as possible. You may not be able to prevent every breach, but you can reduce the number and severity of breaches by taking some basic cybersecurity steps. Administrative safeguards have to do with people’s behaviors and knowledge. Examples include policies about access to and use of data, hardware, and software; background checks; agreements; and training. Technical safeguards have to do with preventing access electronically. Examples include encryption, separating identifier and content data, roles-based systems access, and regular logging and auditing of access to systems. Physical safeguards have to do with preventing physical access to sensitive information. Examples include locked filing cabinets, secure workstations, video surveillance, biometric locks, and ID badges.

    Business Continuity. Your plan should tell you how to keep your business running if you do not have access to your computers or files. This may or may not be included in your normal business continuity plan, so be sure to check. A natural disaster that takes out one of your two locations will play out very differently from a ransomware attack that ties up your entire network.

    Specific Steps. A data breach plan should ideally cover exactly who does what, and when. In the heat of the moment, your employees may not be thinking clearly; your plan should guide them so that they avoid panicked mistakes. In creating the plan, your organization should spend some time figuring out what its greatest vulnerabilities are and how it will address a resulting breach should it occur. (Ideally, of course, you will find ways to reduce these vulnerabilities during the course of developing your plan, but we live in the real world where time and budget are always constraints.) A data breach plan should cover these specific steps:

    • Escalation. When do you contact your internal and external security team and lawyers? When do you contact your Chief Information Officer? CEO? Your board? If there is any indication of a major incident, your first call should be to your data forensics consultant; the consultant will help you avoid accidentally harming your own systems or destroying any evidence. Beyond that, your next calls will depend a great deal on your organizational structure and preferences.
    • Investigation. If your business can afford it, you should enlist outside help with a data breach; legal, PR, and data forensics consultants will have experience that you may not have internally. They will also be able to give you perspective in a stressful situation. It is important to know who you will contact for outside help ahead of time. Be sure to keep their contact information in your breach plan. During the course of investigation, no matter who is conducting it, it is most important that you avoid destroying evidence, notify law enforcement, and ask the right questions: What specifically was compromised? What can we do to prevent further damage? Can this system be quarantined? What data can be salvaged? What data can we still trust? Can we trace who did it? And perhaps most importantly, is it a data breach as defined by law?
      Most laws and regulations define “data breach” slightly differently from one another. Generally, though, a data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.
    • Responses/Reporting. If you determine that your incident is a data breach under applicable law, you will need to report the breach. The law or regulation that applies to your situation will tell you who you need to contact. Most of the time, you will need to tell law enforcement and the people whose information was affected by the breach. You may also need to tell investors, state attorneys general, regulators, credit reporting agencies, or the media. In order to expedite reporting, you should consider having template versions of communications to these parties in your data breach plan.
    • Remediation. First, protect your customers from further damage. Make sure that any information that has been placed on the web is removed, including information on cached sites. Second, make sure that your company is protected for the future. Ideally, the same kind of incident should never happen to the same company twice. After the excitement has died down, evaluate what happened. Follow any steps recommended by your data forensics consultant. Consider whether you need to revamp any contractor relationships, contracts, technology, training programs, or physical safeguards.
    • Re-Evaluation and Practice. Take a look at your breach plan. How well did it perform? Would you do something differently next time? If so, amend the plan. If the plan worked well, practice it. You should run internal and external drills regularly, so use this opportunity for another run-through.

And now? If you already have a plan, great! You should make sure it contains all of these elements, then practice it this week. If you do not have a plan, don’t panic! Gather the folks in your company who need to be involved and develop one. This week.

Does your company have a plan? Do you trust that it will work if you need to implement it tomorrow?

Agricultural Leases, or A Horse is a Horse


A horse, a horse! My kingdom has a horse.*

If you have been following the United States Senate hearings on the nomination of Judge Neil Gorsuch for the Supreme Court, you may have heard some discussions about how judges should read statutes and the constitution. Without getting too technical, while at the same time trying to avoid the risk of oversimplification, the Senators have been talking principally about two schools of thought. One is that judges should read the words and apply them, period, whatever the result. The second school is that judges should read the words in the context of the problem the writers were trying to resolve and give them a meaning that the writers intended, or would have intended if they had foreseen the problem in the case before the court, even if the writers did not use exactly the right words.

The Iowa Supreme Court last month decided a case that is an instructive example of how these two theories play out when courts read statutes that, if applied according to their plain meaning, could lead to absurd results. The case involved a statute addressing the definition of agricultural leases. The particular question was, “Does a single horse make a farm?” Porter vs. Harden (Iowa S. Ct. No. 15–0683, Filed March 10, 2017, Amended March 13, 2017). In answering the question, the majority of the court employed the context-based rule, whereas the dissent, and the Iowa Court of Appeals before it, employed the plain meaning rule.

The question arose in the setting of a lease termination, and the answer was important because Iowa law gives tenants differing protections depending on the type of property being leased and the duration of the lease. For example, residential tenants are given more protections than commercial tenants because residential tenants generally have much less bargaining power and sophistication than commercial tenants, who have the means to negotiate with their landlords.

Farm tenants, since 1939, have been given certain statutory protections because of the seasonal nature of the business and the historical importance of agriculture to Iowa. In particular, in terminating a farm tenancy, the landlord must follow timelines set by the legislature. Generally, the law requires written notice of termination to be given on or before September 1, with termination to occur the following March 1. This assures that there is sufficient time for the tenant to harvest growing crops and for the parties to negotiate a new lease, find other land to rent, or find another tenant. A 2006 amendment to the statute added grazing to the existing list of agricultural activities.

The parties in the Porter case had a month-to-month lease. In those cases, either party has the power to cancel the lease by giving 30 days’ notice to the other party, if the subject of the lease is not agricultural land. Porter, the landlord, gave Harden, the tenant, notice that it was canceling the lease in 30 days, thus following the legal requirements for terminating a month-to-month lease. The tenants on this six-acre property, which was their primary residence, claimed they were entitled to the much longer notice required to terminate a farm tenancy because they had a horse grazing on the property. They claimed that a close reading of the statute regarding farm leases required only one grazing animal to qualify the property as a farm. The district court did not agree and ruled in the landlord’s favor, saying, “the keeping of one 38-year old horse does not make this a farm tenancy.” The tenant appealed.

The Iowa Court of Appeals reversed the district court and ruled that, even though it might be an absurd result, as the statute was written, the definition of livestock “means an animal …”. Reading the statute strictly, one old horse could make a farm tenancy. The landlord asked the Supreme Court to review the Court of Appeals’ decision.

The Supreme Court looked again at the statute and decided the Court of Appeals was reading the statute too literally. Determining what the legislature meant required reading the statute in the context of its purpose as well as other statutes addressing the same or similar subject matter. It then said, “just as we would not conclude that someone with a small vegetable garden ‘produces crops . . . on the land’ …, we think it would be questionable to hold that someone keeping an old mare at the homestead ‘provides for the care and feeding of livestock on the land’ within the meaning of the same statute.”

The Court emphasized that it would assume the legislature intended a reasonable interpretation of the statute and imprinted a primary purpose test on the statute. That is, one must look at the property to see if its main object was the growing of crops or the feeding of livestock. If the “one old mare” argument were accepted, any tenant anywhere could create a farm merely by bringing an old horse or a few chickens onto the property. Probably not what the legislature intended.

However, one justice dissented, essentially adopting the Court of Appeals’ reasoning: when a statute’s language is plain and unambiguous, a court should look no further than the statute. Here the statute says “an animal.” Even though the result may be absurd, it is up to the legislature to fix it, not the courts. The courts have only to apply the statute as written, even if poorly written. If the legislature does not like the result, it can rewrite the statute.

If you have questions about this case, or other issues involving leases, please do not hesitate to contact us.

* With apologies to William Shakespeare’s play Richard III, Act V, Scene IV.

Eminent Domain and the Bakken Pipeline

An Iowa farm. The Iowa legislature determines when Iowa land is subject to eminent domain.

A great deal of ink has been spilled writing about the Bakken Pipeline currently being built across Iowa and how eminent domain is being used to acquire the land for the project. Not all of the writings have been entirely clear and some of the statements quoted in articles have not been entirely accurate. This post attempts to provide readers enough information about a) the power of eminent domain and b) the Iowa Utilities Board (IUB) decision about the Bakken Pipeline to provide at least a basic understanding of the issue. For those who are interested, the complete decision can be found here (PDF).

For those who are unfamiliar with the power of eminent domain, it is the power of the government to take private property for a public purpose. The government has to pay for the property it takes, but it has the right to force private property owners to sell. At the outset, that power rests entirely with the Iowa legislature, but the legislature can delegate the power to other entities. It has done so many times. For example, it granted the power of eminent domain to the Iowa Department of Transportation to aid in the construction of highways. Interstate pipeline companies are vested with the power of eminent domain when they receive a permit to construct and operate in Iowa. However, they can use eminent domain only under the conditions set out in the permit. So the first step for a pipeline company is to get a permit, and to get a permit it must petition the IUB.

In the Iowa Code, the legislature gave the IUB the authority to grant permits to build and operate interstate pipelines in Iowa. However, the IUB can grant the permits, along with the power of eminent domain, only after following the procedures and meeting the criteria that the legislature set out in the law.

On January 20, 2015, Dakota Access, LLC, filed a Petition for Hazardous Liquid Pipeline Permit with the IUB asking to build 346 miles of 30-inch diameter crude oil pipeline diagonally through 18 Iowa counties. The work is part of a 1,168 mile project to carry oil from the Bakken area near Stanley, North Dakota, to an oil transfer station, or hub, near Patoka, Illinois. Initially, the proposed pipeline will have a capacity of approximately 450,000 barrels per day, which can be increased to 570,000 barrels per day.

As provided for in the law, the IUB took evidence from Dakota Access, as well as from proponents and opponents of the project. The first issue for the board was to determine whether the project would “promote the public convenience and necessity.” To make this determination, the IUB said it needed to consider and balance the public use and public benefits of the pipeline against the public and private costs and detriments. The parties, both proponents and opponents, presented voluminous and vigorously contested evidence regarding the project’s costs and benefits, including the effects on global warming from oil production, the world oil market, energy independence and security, the safety of rail shipments versus pipelines, the impact of freeing up rail cars for grain shipments, alternative energy sources, the extent of the Bakken reserves, the economic activity produced during construction of the project, the annual property taxes generated, the impact on cultural resources, the safety of the operation, and the plans for spill remediation.

In a more than 150-page Final Decision and Order filed March 10, 2016, the IUB reviewed the evidence and concluded that the public convenience and necessity favored the pipeline. Underlying the IUB’s decision is its conclusion that the evidence showed the demand for oil was such that the Bakken oil would be extracted and transported from the oil fields to refineries one way or another. With that in mind, the IUB considered the evidence and determined that two factors, safety and economic benefits to Iowa, weighed most heavily in favor of granting a permit and the attendant limited power of eminent domain. Addressing safety first, the IUB considered two alternative methods of transporting the oil, pipeline and rail (trucking was given only a passing reference). Citing a U.S. Department of Transportation study that found the spill incident rate for transport of crude oil by rail is three to four times higher than the spill incident rate for pipeline transport on a ton-mile basis, the IUB decided that the pipeline was the safer and, therefore, preferred mode. Next, the board said the economic benefits to Iowa generated by the project were significant: $800 million during construction and $27 million in annual property taxes.

Turning to the costs and detriments, the IUB first found the environmental harm flowing from the pipeline’s construction and operation could be sufficiently mitigated. Dakota Access was in compliance with federal environmental regulations, and the proposed design and construction specifications exceeded federal safety standards for pipelines. Regarding the impacts on private property owners whose land would be used for the project, the board imposed certain conditions that it determined would protect them. Those protections include requirements to bury the pipeline 48 inches deep and to replace the topsoil that is removed when the trenches are dug. Furthermore, the owners will be entitled to compensation for the taking of their land.

With that, the board issued the permit and granted Dakota Access the power of eminent domain to acquire any property it could not purchase from property owners acting voluntarily. Several project opponents who disagreed with the IUB’s decision appealed to the Iowa District Court and asked the court to stay the IUB’s decision while the case was on appeal. The court denied the stay request and so, pending the court’s final ruling, Dakota Access may proceed with the project, including proceeding with using the power of eminent domain. We are now awaiting the court’s review of the IUB’s decision granting the permit.

Introducing David Ferree, Of Counsel

The Law Office of Kelcey Patrick-Ferree is focused on the future of business law. With emerging and exciting innovation happening in all sectors, we’re expanding our offerings to include public sector service with a focus in transportation. I am therefore extremely excited to announce that David Ferree has joined the Law Office of Kelcey Patrick-Ferree as Of Counsel to the firm.

Dave Ferree is a regional expert on transportation law, airport law, eminent domain, real estate law, and construction law. With an impressive 35-year career and a resume that includes more than 20 years with the Transportation Division of the Iowa Attorney General’s office and 10 years with the Des Moines City Attorney’s office representing the Des Moines Airport, Dave is adept at tackling complex transportation projects involving multiple stakeholders. Dave’s work includes working with both private parties and government entities in highway, construction and acquisition projects.

Please take a moment to look over Dave’s bio and see what has changed in our practice areas with this expansion of our capacity and offerings. Please contact us if you are interested in working with Dave on any legal matters.

What Should I Put in My Company’s Social Media Policy?


It seems like someone is in the news for getting into trouble on social media almost daily. Many companies have adopted social media policies as part of their employment policies to help guide their employees’ behavior and prevent embarrassing mishaps. If you are considering a social media policy, here are some things to think over and include.

Trust your employees. You wouldn’t have hired them if you didn’t think they were reasonably intelligent adults. Don’t overdo your social media policy, particularly if you go into detail about rules for external communications elsewhere. One of my favorite social media policies is Best Buy’s: short, sweet, and to the point. You don’t want to anger or alienate your employees.

FTC regulations. There are a lot of them, but the ones most relevant to social media policies have to do with privacy (don’t disclose information that doesn’t belong to you) and disclosure of relationships (do disclose a relationship when you could have something to gain from your comments).

NLRB rulings. The National Labor Relations Board has been extremely active in regulating social media policies for the past few years, all on the theory that certain provisions might discourage protected activity. Make sure your policy doesn’t run afoul of any of these rulings.

Public companies. Social media is a must for public companies these days, but public companies are subject to special rules about what they can tell people and when. Remind your employees to think about those rules when posting on social media sites. A single thoughtless comment about what an engineer is working on at work can reveal a great deal more than s/he intended.

Regulated industries. If you are in a regulated industry, social media is not exempt from the requirements for your company’s communications. Remind your employees of this fact and make sure that you have the technology in place to support any documentation requirements.

Use during working hours. Companies approach this one in many different ways. Employees can use social networking as a valuable tool for creating and maintaining working relationships; or they can dither away time watching videos of cats. There can be some overlap there, too; finding that one has a shared love of cat videos with an important customer can solidify a working relationship. You need to take a look at your own company’s culture in deciding whether to restrict use of social media during working hours and on company equipment. Some common approaches are 1) the outright ban, blocking access from work computers (though you cannot physically/technologically prevent people from using mobile devices, without blocking all mobile signals); 2) the partial ban, allowing access only to selected sites or by selected employees who use social media as part of their jobs; or 3) the “use responsibly” policy, allowing employees to choose whether and when to use social media during working hours and on work machines, within reasonable limits.

Intellectual property. One area that your average employee likely does not have to deal with extensively in the normal course of business is intellectual property. Furthermore, the ways in which photos, videos, and so on are shared on sites like Facebook, Twitter, and Pinterest have eroded the public sense of what is or is not acceptable practice under the law. Your policy may need to spell out the intellectual property practices of your organization, depending upon how and how often your employees have reason to come into contact with them.

Special concerns. You know your company. You know your industry. There are very likely one or two things that should be in your policy that are unique. You know what they are.

What does your company have in its policy? What else do you think a company should include in its policies?