
Data Breach 101

By all reports, billions of records have been exposed by reported data breaches. If the unthinkable occurs, having a well thought out data breach response plan will help you manage the challenges you will face.

by Robert J. Wilson, Esquire
November 11, 2020


Data breach seems like it should be a four-letter word and hopefully one never uttered when talking about your business. In addition to common claims of negligence, data breaches can give rise to statutory claims for damages, such as under the California Consumer Privacy Act of 2018 (CCPA). Similar legislation is pending in other states.

The old adage about an ounce of prevention being worth a pound of cure applies with special urgency here.


If, however, the unthinkable happens, then what? The following is a brief checklist of data breach response considerations.

  1. Process: There should be a written data breach response plan designating a coordinator/point person to lead the data breach investigation team. Team members and responsibilities should be specified. The investigation should cover: closing the breach, determining the scope of accessed information, and determining the cause/method of the breach.

  2. Insurance: Is there insurance to cover the data breach? If so, the insurance company should be notified right away, and you should review next steps with counsel to ensure that you do not get a denial of coverage due to taking an action which has not been approved by the insurance company.

  3. Forensics: Do you have a forensic IT team in case of a data security incident? You should review with counsel exactly what information should be in any IT report before it is written since it could possibly be subject to discovery in regulatory, class action, or other data breach lawsuits.

  4. Notification: Data breach notices required by law and any required regulatory and/or law enforcement reporting should be prepared and promptly delivered.

  5. Public Relations: Do you have a public relations firm selected to help manage communication/messaging?

  6. Mitigation: Do you have a mitigation partner who can provide reasonable and necessary mitigation costs such as credit monitoring and identity theft assistance? 

  7. Compliance Management System: Data breach response plans should be covered in policies and procedures for the business, as part of an overall Compliance Management System (CMS). The new realities brought on by COVID, such as remote work, should also be addressed. Have your policies and procedures specified password and virtual private network protocols? How is communication and storage of private customer data to be handled? How is the use of personal devices such as cell phones and tablets managed? Who reviews vendor access and the scope of access granted to vendors (e.g. into the DMS or CRM)? What training is given to employees? What testing of the information security network is being done and how frequently is it done?

Data breach and the lack of policies and procedures can be used by resourceful attorneys to mount a two-pronged attack: 1. allege a violation of the Gramm-Leach-Bliley Act (GLB) such as a failure to safeguard customer non-public personal information, and then 2. claim that the violation of GLB in turn constitutes an unfair, deceptive and abusive act or practice (UDAAP).

These cases and claims are disastrous to both a business’ bottom line and reputation.


By all reports, billions of records have been exposed by reported data breaches. How would a data breach affect your company and what should you do? Policies and procedures as well as education and training from a complete Compliance Management System should be part of the “front end,” and a data breach response plan should be part of the “back end.” The old adage about an ounce of prevention being worth a pound of cure applies with special urgency here. If, however, the unthinkable occurs, having a complete written, well thought out data breach response plan will help you manage the challenges you will face.

Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.

© 2020 Robert J. Wilson, All Rights Reserved

Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is general counsel for ARMD Resource Group. Bob is the principal of Wilson Law Firm and has over 30 years of experience both as a counselor and as a litigator in State and Federal Courts. Risk management, problem solving and dispute resolution are his core competencies. Bob’s practice is largely in the consumer finance space, and he regularly consults with Lenders and contributes articles on various compliance related issues.

Originally posted on Agent Entrepreneur
