Data Breach Mitigation

With data security breaches becoming routine and widespread, any entity—whether public or private—that stores proprietary or sensitive data electronically could end up having that data stolen or lost, with catastrophic consequences. At Epstein Becker Green, we know that taking certain crucial steps—such as establishing a good crisis management program, taking quick remedial action when a data breach occurs, and, when necessary, providing notices to government agencies and affected individuals—can dramatically lessen the impact of a data breach incident.

Our Privacy & Security Group has extensive experience establishing data security breach preparedness and response programs, managing a client’s reaction to a data breach, and mitigating the impact of the breach. Additionally, members of our group are available to respond as soon as a breach is discovered.

We advise on the legal and technical issues flowing from a data breach and assist with all aspects of the breach response. For example, when a data breach occurs, members of our Privacy & Security Group:

  • Investigate the breach’s source, evaluate the damage, and confine the breach
  • Recommend immediate remedial and cost-recovery measures
  • Preserve evidence while protecting the attorney-client privilege
  • Advise on compliance with notice and reporting obligations under federal securities laws and international, federal, and state privacy laws
  • Draft required notices and deliver them to affected individuals and agencies in accordance with regulatory requirements and time limits
  • Defend clients in investigations and lawsuits resulting from the breach
  • Prosecute civil claims against hackers and cyber-criminals
  • Draft statements concerning the breach for the media, law enforcement, and consumer reporting agencies
  • Advise clients on best practices and legal requirements with respect to offering credit monitoring, identity repair services, or identity theft insurance to affected individuals
  • Assist employers in drafting statements, e-mail notices, and other correspondence to employees impacted by the breach

Post-Crisis Services

Once the crisis has ended, our Privacy & Security Group takes all steps necessary to enhance the client’s privacy and security compliance programs so that they will better shield data from future breach incidents. These steps include, for example:

  • Identifying faulty data practices and policies and recommending needed changes
  • Monitoring crisis communications to restore customer, shareholder, consumer, law enforcement, and regulator relationships
  • Reviewing and updating controls, policies, and procedures relating to technology
  • Reviewing and revising privacy, security, and incident response plans
  • Retraining personnel on data security and oversight
  • Creating a breach report in compliance with regulatory requirements