The Life Cycle of a Data Breach

A data breach can be an existential crisis for an unprepared business, and in the best case it’s likely to be expensive and disruptive. Treat data security as an integral part of the company risk profile, and to account for that risk build governance and management structures, including a data breach team. It should include a compliance and legal expert, a forensic investigator and a PR professional.

When a breach occurs, first calls should be to outside counsel and a forensic investigator. Counsel can provide expertise in managing compliance questions and navigating issues that might arise with third parties. Forensic investigators provide crucial assistance in identifying the source and scope of a breach.

In some cases, notification must also be sent to a state agency (usually the attorney general). But there are significant differences among states regarding such things as what information is protected, whether notification is necessary regardless of harm, and timing.

Many states are updating their data breach statutes and considering new regulations. Meanwhile, much remains uncertain regarding the scope of federal regulation, given questions about the new administration and its deregulation agenda. In private litigation, we can expect federal and state courts to work out questions of standing and injury, with plaintiffs continuing to use novel theories to advance their claims. Whatever the future brings, it will be critically important to be prepared in advance for  a data breach, to manage compliance carefully, and to be ready for litigation.