Although organizations are beginning to dedicate resources to data breach prevention, breaches are almost impossible to eliminate. As such, an organization’s ability to detect, contain and rapidly respond to data breaches is as important as prevention. Given the importance of a company’s data and the ever-increasing threats to data security, preparing for a potential data breach has become one of inside counsel’s most pressing responsibilities. Data breaches present technical, regulatory and legal challenges requiring a comprehensive response. The following 10 steps serve as a roadmap for inside counsel, itemizing and explaining the elements of an effective response to help mitigate long-term damage.
No. 1 – Assess the data security incident. As soon as general counsel learns of a data security incident, they must act quickly to assess the scope. Start by asking the following questions. Was data lost, stolen or merely threatened? What kind of data was involved? Was the impacted data personally identifiable? Was the impacted data encrypted? Is the breach ongoing or contained?
Counsel should use the answers to identify vulnerabilities, determine whom to notify and avoid further loss.
No. 2 – Activate the company response plan. An appropriate response to a data breach depends on the particulars of the situation, but organizations should create and maintain a generalized data breach response plan that outlines a methodical process, including:
• The contact information for legal, technical, communications and business personnel responsible for crafting an initial response.
• A technical overview of critical infrastructure and priority systems.
• The process to inform key decisionmakers about the data breach and response.
• Guidelines on investigating what happened in a forensically sound manner.
Creating, maintaining and implementing a plan allows a timely, thoughtful and thorough response.
No. 3 – Retain outside counsel. General counsel should consider hiring outside counsel sooner rather than later. Additional legal help frees inside counsel to manage the business response and adds diverse talents to the team. Assistance from those with in-depth knowledge of state regulatory frameworks and forensic techniques is invaluable. Outside counsel may, in turn, help identify, retain and manage other experts. A team of experts puts the company in the best possible position to prepare for regulatory action, litigation, and third-party and insurance negotiations. Moreover, outside counsel involvement may shield certain documents under attorney work product and privilege doctrines.
No. 4 – Investigate the cause. Once a data breach has been contained, the real investigative work begins. A critical first step is preserving forensic data by imaging impacted servers, documenting the investigation, maintaining logs, preserving backups and interviewing key personnel. In so doing, the organization can determine the root cause and predict the impact. Armed with this knowledge, counsel can address security vulnerabilities, notify appropriate parties and evaluate legal exposure.
No. 5 – Review legal notification requirements. Both state and federal law may require the company to notify those impacted by a data breach. Who, when and how the company must notify often depends on the kind of data compromised.
No. 6 – Inform regulators and law enforcement. Counsel should consider contacting regulators and law enforcement earlier rather than later. A transparent, cooperative approach may translate to leniency in any investigatory and enforcement actions. Further, law enforcement may assist the company’s response by placing an investigatory hold on the release of any information or by helping to prevent the dissemination of information overseas.
No. 7 – Evaluate legal implications. A data breach spawns a range of legal consequences. Those impacted may sue. Government agencies may investigate. Third-party agreements may be implicated. Counsel should take time to evaluate the possibility, probability and extent of the company’s legal exposure.
No. 8 – Review cybersecurity insurance policies. If the company is covered by a cybersecurity insurance policy, counsel should review its provisions carefully. Note the obligations of both insurer and insured that trigger coverage. Also, take time to thoroughly understand the coverage to which the company is entitled and note any gaps.
No. 9 – Communicate to the public. In addition to mandatory breach notifications, the company should also consider a public response. Inside counsel can team with the public relations team to craft open, sincere and factual communications that do not exacerbate the legal exposure or imperil any ongoing investigation.
No. 10 – Conduct a post mortem. Experience is the best teacher. Take time when the worst is over to review what worked and what did not. Use this knowledge to tweak the response plan. Added training and better planning will improve organizational readiness and response.
When faced with a data security threat, inside counsel must act quickly, assessing the situation, marshaling resources and implementing a response. A roadmap provides counsel with a series of steps and a methodical process, allowing a calm and focused approach in the midst of what might otherwise be chaos.
Seth Northrop