What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?

SCENARIO

Please use the following to answer the next QUESTION:

Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production C not data processing C and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth C his uncle’s vice president and longtime confidante C wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.

Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded

subsidiary data still in Anton’s possession can be destroyed within the next few years.

After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.

Documentation of this analysis will show auditors due diligence.

Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.

What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?
A . To send consistent communication.
B . To shift to electronic communication.
C . To delay communications until local authorities are informed.
D . To consider under what circumstances communication is necessary.

View Answer

Answer: D

Explanation:

The company’s legal team would most likely recommend Anton to consider under what circumstances communication with customers is necessary after learning of a recent security incident. Communication with customers is an important aspect of data breach response as it can help to mitigate the harm caused by the breach, restore trust and confidence in the company, and comply with legal obligations or best practices. However, communication with customers is not always mandatory or advisable depending on the nature and severity of the breach and the potential impact on the customers7 Therefore, Anton should consult with his legal team and evaluate the following factors before deciding whether to communicate with customers or not:

The type and amount of data involved in the breach and whether it includes personal or sensitive information that could expose the customers to identity theft, fraud, or other harms.

The likelihood and extent of harm that the customers could suffer as a result of the breach and whether they could take any actions to prevent or reduce it.

The legal or contractual obligations that the company has to notify the customers or the relevant authorities about the breach and the applicable laws or regulations that govern the notification process, such as the timing, content, and method of notification.

The potential benefits and risks of communicating with customers, such as enhancing transparency and accountability, providing assistance and remedies, or triggering negative reactions, reputational damage, or legal claims.

Based on these factors, Anton should determine whether communication with customers is necessary and appropriate in his case.

If he decides to communicate with customers, he should follow some best practices, such as:

Communicating as soon as possible after discovering and containing the breach and having sufficient information to share.

Communicating clearly, honestly, and empathetically about what happened, what data was affected, what actions the company has taken or will take, and what steps the customers can or should take. Communicating through multiple channels, such as email, phone, letter, website, or social media, depending on the preferences and expectations of the customers.

Communicating consistently and regularly with updates or follow-ups until the breach is resolved and the customers are satisfied8

Reference: 7: How to Communicate a Data Breach to Customers – U.S. Chamber of Commerce; 8: The do’s and don’ts of communicating a data breach