The current sentiment surrounding corporate data security is that it’s not a matter of if, but when, your company will suffer a breach. This sentiment is cause for concern considering:
- Capital One was recently fined $80 million by the Office of the Comptroller of the Currency (“OCC”) for failing to assess and mitigate the risks that led to its 2019 data breach, which affected the records of roughly 106 million individuals.
- Twitter has estimated that the Federal Trade Commission (“FTC”) will impose a fine in the vicinity of $150-$250 million over the practice it disclosed in October 2019: phone numbers and email addresses collected from users for account security were used for targeted advertising.
Given the immense reputational and financial risks that follow any breach, you must act quickly to mitigate your losses and the potential legal fallout. Here’s what to do if your business falls victim to a privacy breach:
Step 1: Prevent further data losses
Your cybersecurity and IT team will play a crucial role in helping you recover from a data breach. But first, they need to stop the ongoing loss of data and close the gaps in your organization’s security that the attacker used.
The speed with which they secure your systems and fix the vulnerabilities that led to the breach will weigh heavily in how the public and regulators judge your response. Having a sound, rehearsed data breach response plan in place before you suffer a breach will go a long way to making sure your team is ready to act, and that the evidence regulators will later ask about (logs, system images, timelines) is preserved rather than overwritten during the clean-up.
Although the exact steps you should take will depend on both the nature of your business and the nature of the breach, you will generally want to:
– Secure physical areas implicated by the breach.
– Isolate all affected equipment from the network immediately. Disconnect it rather than powering it off: switching a machine off destroys volatile evidence (memory contents, running processes, active connections) that forensic investigators need to establish how the attacker got in and what was taken.
– Change any access codes, passwords, and other credentials that may have been compromised, including API keys, service-account secrets, and active sessions, and force affected users to re-authenticate.
– Search for your company’s exposed data online and contact any sites where it appears to ask them to remove the data.
Step 2: Seek help from privacy experts
Your legal team might not be your first call, but you should quickly consult with privacy experts who can advise you on various laws that may be implicated by the breach and help you mitigate the professional, reputational, and legal backlash. Here’s where your legal team can assist:
Determining your legal obligations
Your legal obligations following a data breach will vary greatly depending on the jurisdictions in which the affected individuals reside and from which you collected their data. Countries around the world are enacting increasingly stringent legal obligations for data transfer and privacy, and your response to a breach will need to factor in your obligations in each of those jurisdictions, including:
– Reporting obligations following a data breach; and
– Deadlines for disclosure of the data breach.
The type of information involved in the breach is also relevant as certain laws and regulations can be triggered when particular types of information, such as electronic health information, are compromised.
Abiding by these laws is your minimum obligation following a breach, but this can be complicated – especially where you operate across multiple jurisdictions.
Finally, you may also have contractual obligations to your customers and your service providers in the event of a breach that must be considered.
Legal privacy experts are the best people to provide you with this guidance and to ensure compliance.
Developing a communications plan
Following a breach, it is important to work with your attorneys to develop a communications plan that reaches all affected parties, including:
– affected individuals and customers;
– business partners;
– investors; and
– the media.
Knowing what and how much to say can be tricky. You don’t want to publicly share information that might put individuals at further risk, but you also don’t want to hold back details that could help people protect themselves and their information.
Most importantly, you don’t want to make any misleading statements or statements that have not been thoroughly vetted. Legal counsel with privacy and data security expertise can help you navigate these challenges.
Assisting with your response to regulators
Your attorneys can also help you understand when and how to notify federal and state governments and regulatory agencies. Each of these entities has its own notification procedure, though the information that needs to be provided does have some commonalities. You can expect to be required to outline:
– The nature and extent of the breach;
– Its likely consequences;
– Your response to the breach;
– Your processes and procedures prior to the breach; and
– Evidence of corrective action.
Regulatory agencies may also use their subpoena power to demand information about a breach, even where there is no affirmative requirement for you to notify them. If you receive such a request for information, you should always consult legal counsel to discuss how best to respond.
Step 3: Learn from the privacy breach
Privacy breaches are costly, embarrassing, and professionally damaging. You need to learn from the breach if you hope to prevent future cybersecurity incidents – and to demonstrate to the relevant regulatory bodies that you’ve instituted appropriate changes. Conduct a post-incident review that records how the attacker got in, how long it took to detect and contain the breach, and which controls failed; educate your staff and management team; keep your systems patched and your internal processes current; and leverage technological advances to stay ahead.
CGL is here to help your business manage privacy risk
If you need assistance putting in place systems that will protect your business and mitigate your legal risk, reach out. We’re here to help.
CGL is a full-service law firm with experienced privacy attorneys on hand to help. We have a strong track record of developing contingency plans, critical internal and external privacy documentation, and assisting in the aftermath of a privacy breach. Our attorneys have BigLaw experience – while our fully-distributed model allows us to offer our services at a fraction of the price of traditional law firms.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.