With data security breaches becoming routine and widespread, any entity—whether public or private—that stores proprietary or sensitive data electronically risks having that data stolen, lost, or otherwise compromised, with potentially catastrophic consequences for the brand, reputation, and goodwill of an organization, as well as possible legal ramifications.
At Epstein Becker Green, we know that following certain crucial steps—such as establishing a good crisis management program, taking quick remedial action when a data breach occurs, and, when necessary, providing notices to government agencies and affected individuals—can dramatically lessen the impact of a data breach incident.
Our Privacy, Cybersecurity, and Data Asset Management Group has extensive experience establishing data security breach preparedness and response programs, managing a client’s reaction to a data breach, and mitigating the impact of the breach. Additionally, members of our group are available to respond as soon as a breach is discovered.
Our Services
We advise on the legal and technical issues flowing from a data breach and assist with all aspects of the breach response. For example, when a data breach occurs, members of our Privacy, Cybersecurity, and Data Asset Management Group will:
- investigate the breach’s source, evaluate the damage, and confine the breach;
- recommend immediate remedial and cost-recovery measures;
- advise on compliance with notice and reporting obligations under federal securities laws and international, federal, and state privacy laws;
- draft required notices and deliver them to affected individuals and agencies in accordance with regulatory requirements and time limits;
- defend clients in investigations and lawsuits resulting from the breach;
- prosecute civil claims against hackers and cybercriminals;
- draft statements concerning the breach for the media, law enforcement, and consumer reporting agencies;
- advise clients on best practices and legal requirements with respect to offering credit monitoring, identity repair services, or identity theft insurance to affected individuals; and
- assist employers in drafting statements, email notices, and other correspondence to employees impacted by the breach.
Post-Crisis Services
Once the crisis has ended, our Privacy, Cybersecurity, and Data Asset Management Group takes all steps necessary to enhance the client’s privacy and security compliance programs on a prospective basis so that the client will be better positioned to shield data from future breach incidents. These steps include, for example:
- identifying faulty data practices and policies and recommending needed changes;
- monitoring crisis communications to restore customer, shareholder, consumer, law enforcement, and regulator relationships;
- reviewing and updating controls, policies, and procedures relating to technology;
- reviewing and revising privacy, security, and incident response plans;
- retraining personnel on data security and oversight; and
- creating a breach report in compliance with regulatory requirements.