Conundrum After The Breach: What To Say And How To Say It

In the perilous aftermath of a data breach, strategies that seemingly address one potential problem can make others more likely, as explained in this post from Corporate Compliance Insights. You can’t, for example, warn customers they’re at risk and they should take steps to reduce that risk without suggesting that future plaintiffs in a lawsuit, if one should materialize, were harmed. You don’t want to start making public statements about the situation before you’re confident you understand it, but there are now legal requirements regarding timing in all 50 states – and they vary. Moreover, the precise language used to describe what occurred may have major legal implications, for example with regard to a potential dispute over plaintiff standing, or to privilege issues. In general, data breach victims need to be aware that what may seem advisable from a PR standpoint has potential downsides in a litigation dispute.

There is no neat conclusion here, but the pace at which decisions have to be made following the discovery of a breach does point to the importance of having “a well-established and rehearsed incident response plan in place before the breach occurs.”