Question
Hypothetical Fact Summary #3: You are an independent IT consultant who has just been engaged by a company that is domiciled in Missouri but operates globally and employs fewer than 100 people to provide information security services for the company's network and databases. Most of the employees work remotely from home and use a random password generator to access the secure VPN at the company network portal. Still, they sometimes access the network portal using their mobile phones. The company allows select third-party vendors to access its database of U.S.-based clients to perform their business activities. Because the company has had long-standing relationships with these vendors and has previously vetted their information security practices, the company has not required the use of a random password generator to access its network and the U.S. customer database. The company collects and stores the names, addresses, and ages of its customers in its databases, including those of its E.U. customers. The former IT consultant set up servers located in Belgium so that the E.U. customers' personal information database would not be transmitted internationally. The company has not disclosed to its E.U. customers or to any E.U. authority that it collects such personal information. Sometime before your engagement, an employee of one of the third-party vendors opened an email that caused malicious files to be downloaded to their desktop computer. As a result, the attacker moved laterally across the company's systems and escalated privileges to access the company's customer databases. Shortly following your engagement, you discover that the attacker has exfiltrated all of the company's data from the customer databases, including the database stored on the Belgian server.
Questions to be answered:
Use the IRAC (Issue, Rule, Analysis, Conclusion) method to analyze the hypothetical facts.
1. Are there data breach laws that apply in this situation? If so, what are they and what are their requirements (i.e., charting the relevant laws may help analyze the facts)?
2. Besides information security technical suggestions, what would your recommendations be to the client to best protect them from the various levels of economic and non-economic damages (i.e., see Gelbstein Chapter 2 for details)?
3. Are there other potential violations unrelated to the breach, and if so, identify them.