Unauthorized Access

Drafting Consumer Breach Notices — From A Litigation Perspective

Episode Summary

Kamran Salour, Sadia Mirza, and Ron Raether discuss consumer breach notices — specifically from Ron's perspective as a litigator — and how plaintiff's counsel can interpret these notices.

Episode Notes

In this episode of Unauthorized Access, Kamran and Sadia welcome their firm colleague, Privacy + Cyber Partner and Team Leader Ron Raether, in a discussion on consumer breach notices — specifically from Ron's perspective as a litigator — and how plaintiff's counsel can interpret these notices.

For more than 20 years, Ron has advised companies in navigating federal and state privacy laws, bringing a unique understanding of technology in the areas of data security, data privacy, patent, antitrust, and licensing and contracts.

Episode Transcription

Unauthorized Access: Drafting Consumer Breach Notices – From a Litigation Perspective

Recorded: October 2022

Sadia Mirza:

Welcome to Unauthorized Access, the pod that tells you what's going on in incident response today. My name is Sadia Mirza, and as usual, I'm joined by my co-host, colleague and occasionally funny friend, Kamran Salour. So, Kamran, today is a very special day. Normally, I always let you introduce our guest because you're much better at it than I am, but you know I can't let you do that today.

Kamran Salour:

Well, you are right, Sadia, because but for Ron, this podcast would not be possible, and I'm sure Ron would have many things he'd rather be doing right now than being on this podcast, so I will have you introduce Ron, so any ire that he has is directed toward you and not me. Take it away, Sadia.

Sadia Mirza:

Kamran, you weren't supposed to say that it was Ron. That was my part, but that is what I will do. Today, we have Ron Raether on our podcast. Ron leads the privacy and cyber practice at Troutman Pepper, so look, he's a big deal, but honestly, you would never know that if you've met him in person. Ron is truly one of the most humble, supportive, encouraging, genuine, and kind people that I've ever met.

He's an incredible mentor, the greatest supporter, and now, I often joke that he has become my dad because my greatest fear in life is to ever disappoint him. So, Ron, usually Kamran and I spend the first 20 minutes not letting our guests say anything and just telling people about you, but I think it would make sense for you to share a little bit about yourself, your background, and your area of focus these days.

Ron Raether:

Well, thanks, Sadia and Kamran. Great introduction. You can obviously tell that my astrological sign is Gemini because between the two of you, I think I got ire, I got supportive and compassionate, but then I got you're afraid that I'm going to treat you like a child, so there's obviously many different aspects of who I am and my personality. We'll trade that to my astrological sign and not any schizophrenia or any other diagnosis, but I've had the real fortune of being in this space before anyone knew it really existed and there weren't many practitioners. By this space, I mean not just privacy and cyber, but technology generally.

Because of my emphasis on technology, I've had lots of amazing opportunities to work on fascinating cases with clients on issues that really were cutting edge and continue to be cutting edge, including one of the first incidents that happened in 2005. It required a response under California law. At that point, there were no other breach notification laws other than California, and since that time, being engaged in not just incident responses but regulatory investigations, litigation, including up to today, having the honor of being able to represent companies in a variety of different privacy and cyber litigations.

Kamran Salour:

Well, thank you for your introduction, Ron, and I too am a Gemini, and so, I certainly understand the schizophrenic response that I seem to give to people, but I want to talk today about consumer breach notices. As IR attorneys, Sadia and I often write data breach notices or consumer notification letters. Oftentimes, we will get calls from people that receive those letters, and they'll ask lots of questions about the letters, but we're really interested in getting your perspective on consumer breach notices because as a litigator, you get to see how it's interpreted by plaintiff's counsel, how it's interpreted by judges and juries. From your standpoint, can you tell us your view on the notification letters and how the incident response counsel should be approaching drafting those data breach notification letters?

Ron Raether:

I think my perspective on this question has changed over time. Obviously, in 2005, when we were putting a notice letter together, there was litigation that arose relative to that. I had one perspective and then I would say in 2009 to 2012, I had a slightly different perspective. Skipping a few years in between 2012 and today, because we only have so much time on this podcast, if I look at the question today, it's actually evolved, at least my thinking has.

The notification letter does set a cornerstone in how the company begins to communicate with the public with respect to what happened. I think for a long time, attorneys and others led by fear and fear was a vast motivator, not just in incident response, but frankly, the cyber market generally. That may sell for some people, but I think we need to take a different perspective on not just notification letters, but the process itself. From working with the CISO to getting the right cyber security practices and procedures in place, preparing for incident responses, the investigation all the way through to how we begin to communicate what we're learning out for consumers, regulators, and the like.

To me, at the end, what that means is honesty. We need to start communicating in an honest, forthright manner. That may not work for every incident. As you guys know, the vast majority of them don't turn to litigation, but for those that do turn to litigation, what I want to see in that notification letter are facts. Be honest. If we have to give a notification that we're not yet sure about certain details, we shouldn't make statements in the notification letter just to check a box. We need to pay attention to making sure that while we're meeting the statutory obligations, while we're trying to help address public relation issues for the client, while we're thinking about and anticipating what the reaction might be from the public, at the end of the day, it needs to be honest.

Sadia Mirza:

Ron, one, I didn't know that both you and Kamran were Gemini, and so, while you guys were talking about important things, I quickly googled the Pisces and Gemini compatibility, and I need you guys to know that it says that, "Pisces is a highly passionate sign and they might be wounded when bold Gemini talk without considering," and so, I just want you guys to think about that a little bit.

Ron Raether:

Now I have to go back over all our prior conversations.

Sadia Mirza:

Yeah, I need you to know that I'm a Pisces, that actually, this is very insightful for both of you, but we'll table that conversation. I was on a panel recently at NetD and we talked about... It was called To Notify or Not Notify, and one of the things that I had talked about, and based on our conversation before was giving... In the notification, writing out the facts or being more transparent about what happened.

Jamie Singer from FTI was on the panel as well, and she raised some concerns from more of a PR perspective about being too transparent and balancing those issues, and the context of a discussion we were having was about ransomware like payments, and she said, "Look, that might not be helpful from a PR perspective," but what are your thoughts on being transparent in a notice and then also balancing the PR concerns?

Ron Raether:

Let me back up for a moment, and I think a lot of those issues were germane if we look at the timeframe, let's say prior to really 2020, and by that, I think the industry and anticipating how individuals might react led to a need for a certain amount of caution. As I think about the issues today, we have to start from the premise that not every matter results in litigation, but almost every notice, as you guys know, is reviewed by a regulator.

As I think about your question and I think about how we ought to frame our notices going forward, it's with those audiences in mind, which ultimately, to me, means what we don't want to have happen is getting caught in a half truth or signaling to third parties that there's something we're hiding because of an omission from what they might typically see or what they would expect to see.

That being said, it goes back to something we've talked about many times before. I'm not a big fan of using the same form over and over. That means and requires us to take a considerate look at the specific circumstances of the incident we're addressing and then projecting what might be around the corner with respect to this client, this incident, these facts. Are we going to get further inquiry? Who's that inquiry going to be from?

For example, being candid and open might actually divert some audiences from overreacting to an incident that otherwise might be seen as typical. I won't use the typical lawyer answer that it depends, but I just did without saying it, but what it does lead us to is the need for a thoughtful presence, the need for looking around corners, the need for anticipating who's going to be the audience, and then crafting the notice consistent with what we're trying to accomplish in that particular instance.

Kamran Salour:

I think, Ron, it's an important point that you bring up, and one thing that I always harp on is knowing your audience, and you've talked about potentially, if the letter goes to litigation, and certainly, that's one potential audience, the other audience of course is the regulator, but how do you balance the regulatory and legal audience with the actual consumer? Because sometimes too many facts, which will be helpful to be transparent to the regulator, can cause alarm to the consumer. Do you consider that in the process? Are you thinking more along regulators and litigators primarily?

Ron Raether:

I think based on what I see in litigation, in my general experience, there's a minority of people that actually read, and by people, I mean consumers that actually read the breach notification letters. We know that 1% that's out there that does seem to read them and focus in on them, and frankly, in part, if we have a good FAQ or communication plan to sit on top of the notice, we can deal with that 1%. Unlike some of the other privacy issues that I'm litigating, where normally, I would advise clients to communicate with consumers in a way to make sure they feel satisfied so that they don't become frustrated and find a lawyer to sue my client.

In my experience, the breach notification litigation isn't resulting because a consumer is upset about the breach notification letter or frankly, they're really upset about what my client may or may not have done with respect to information security. Instead, what we see are individuals who repeatedly are willing to be class representative, oftentimes, regardless of whether there was any real harm, and certainly, in my experience, no causation between the incident that notice is being provided about and any experience that individual's having, let's say with respect to identity theft or unwanted emails, solicitations and the like.

So if I take that, Kamran, and I build upon it, the people that are really analyzing our breach response notices are not the consumers, they're the regulators and the plaintiff's attorneys. That being said, and Sadia has heard me say this before, and you may have as well, Kamran, in litigating cases, we can't hide the facts. The facts are the facts. If in my notification letter, I can check off what I need to do statutorily, if I can understand the regulatory and the plaintiff's litigation counsel audience and I can address those audiences, but I have to do so from a point of factual accuracy.

In other words, state the facts, don't state opinions, and in doing so, craft it in a way that communicates to your audience, the regulators and the plaintiff's attorneys, there's no, "There, there." It's just like all the other breach cases that you've looked at over the past couple of months that you passed on and decided not to pursue in litigation as opposed to the one that they end up focusing in on resulting in CIDs or subpoena from the regulators or class action complaint from the plaintiff's bar.

Kamran Salour:

Two things, Ron. One, as I always tell Sadia after I have a conversation with you, I walk away learning something very valuable and that was a very valuable response, so I appreciate that.

Sadia Mirza:

I've never heard that one. I've [inaudible 00:13:44], but that's... Go ahead. Go ahead, Kamran.

Kamran Salour:

And two, my apologies to Sadia because I, of course, went off script and I'm probably throwing her off. I will get back on script here, Sadia, to ask you, Ron, is there something in notification letters? Because you're not involved in the letter writing process, and so, if you were able to write a letter aside from what we've talked about in terms of being factual and being honest and not creating the appearance of hiding anything, is there any other type of content that if you're going through a litigation, you might think to yourself, "Gosh, I wish the notice had said this," and that would've alleviated this whole side issue or would've helped us in a certain way in the litigation? Is there anything that comes to mind that you would generally like to see in the notices that isn't there typically?

Ron Raether:

Great question and something I've been considering, especially as the litigation turns from the motion to dismiss phase to discovery, class certification, opposition, and dispositive motions, Kamran. In other words, as you guys probably all know, because of the continuing standing gifts that the Supreme Court kept giving us, many of the breach litigation cases didn't survive the motion to dismiss phase, and if they did, they were quickly settled given how few actually made it past that point. 

Now that we're getting into substantive issues, what I would like to see in the breach notification letters is an offer to consumers to reach out if they feel like there has been some consequence as a result of the incident. Let me back up a little bit. I think in my experience, a lot of breach coaches and clients have steered their letters towards not engaging with consumers. You would hear things like, "We're offering credit monitoring, but you probably don't need it, so you really shouldn't sign up."

And I'm not saying, "Don't worry about this," but follow up with, "This is the type of information that was an issue. We're not seeing any evidence of exfiltration or we're not seeing any misuse, but if you happen to feel or have any experience that suggests there is a connection, please reach out to us immediately," and we know that the response will be deafening.

Not a lot of people in my experience can actually connect identity theft or other experiences they're having to a specific incident, and those that will probably can have those concerns or issues addressed through whatever identity theft prevention tools and services we're offering as part of the incident response. In other words, by having that in the notice and by having a record evidence of how little impact the incident actually had on consumers, by giving that opportunity for consumers to reach out, because we know very few of them will, it will help me in defending the case, including opposing class certification.

Sadia Mirza:

I think you can almost guess what the response would be, but Ron, what type of information do you see in breach notices now that plaintiff's counsel focus in on and try to use it to their advantage? So the question is, what should we be steering away from? I think your point was giving the facts, don't discourage consumers from taking steps to protect their information or reaching out, but what do you see in notices that aren't necessarily helpful?

Ron Raether:

It's normally where the notices start to steer towards advocacy or opinions. I think Sadia, if you break that down into something specific, it could be anything from the standards or whether the standards were met or not met with respect to sound information security practices. It could also be in making overstatements in the notice letter with respect to what happened or what did not happen. It doesn't really diverge from the need for honesty and candidness. I think when companies and their advisors try to be too cute, play too much with the facts, try to spin them too much in a certain way, when it ends up that that spin is not factually accurate, that's when the breach notification letter presents problems for us in the litigation.

Sadia Mirza:

Every time Kamran and I are drafting these notices, it is incredibly helpful to us to have, Ron, you and a team of litigators who have a lot of experience in the breach litigation perspective, because oftentimes, we're writing something, and it'll come up. Your name will come up, and I'll pull from what I've learned from the cases we've worked on together, and it really does change, I think, how we would approach it.

We deal with other breach coaches, especially nowadays when we're doing B2B incidents, so we're working closely with maybe another company that was, let's say, a service provider. I think a lot of attorneys that work solely in the IR space and don't have the litigation perspective, they don't necessarily appreciate things that you talked about today. It's a good viewpoint, something that people need to take into consideration.

Ron Raether:

Well, it's been a pleasure to be able to have this conversation. Despite the opening and the Gemini reference, I really appreciate the collaboration and the candidness that we're able to have in sharing ideas and providing an approach that I think enriches our client experience because it's not just limited to one silo or another in terms of the experience that might be brought to an incident and the market's changing. That's been my experience since 2005. What worked for me in 2005 didn't work for me in 2012, and what worked for me in 2012 is not going to work in 2022, and so, we've got to keep evolving and changing and being thoughtful about what we do when we advise our clients in this space.

Sadia Mirza:

We are running out of time, so there's two things that I need to end with. One, as I continue to read about Pisces and Gemini, I also wanted to quote this part that, "Pisces are imaginative and sensitive, and Gemini must be careful not to hurt their feelings." I'm going to send both of you guys this article after this, but the other thing I need to end with, Ron, thank you so much for taking time to be on the podcast.

You also drafted or were part of an incredible article published on Law360 that covers these same issues. We're going to link it under this podcast. It was the Effective Strategies for Consumer Breach Notifications, and it talks about a lot of the points that were covered today, so if anyone wanted to read that, certainly reach out to me, Kamran, or Ron, and we can send that over to you.

Ron, as you know, because I know you're a very devout listener to Unauthorized Access, we end every episode with a trivia question. It seems only appropriate for today's trivia question to be, what is Ron's Zodiac sign? There's no way you missed it at this point, but the first person to respond with the correct answer at Incident.Response@Troutman.com will win this month's prize. Again, the email address to send your response to is Incident.Response@Troutman.com. Thank you to everyone for listening today. We hope you tune in to the next episode.

Kamran Salour:

Thank you for your time, Ron. We really learned a lot.

Ron Raether:

Thanks everyone. Have a wonderful day.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.