One of the most difficult and stressful things a law firm may have to grapple with is what to do in the event of a data or security breach. These breaches are fairly inevitable, given the number of cyber criminals and attacks that are out there. However, the impact of such breaches can be minimized with help from expert witnesses, particularly those who specialize in computers, data, security, and related fields.
Perhaps what is most nerve-wracking for firms is that data breaches can lead to lawsuits. As one legal analyst explains, “Little else is as stressful for a company than handling the aftermath of a data breach. Not only does the company have the obligation of making notifications to clients about the data breach, but it may also be confronted by data breach lawyers with at least one lawsuit, or even a class action. There are steps that can be taken to help a company avoid data breach litigation.” JDSupra, “Tips to Help a Business Avoid Data Breach Litigation,” May 9, 2017, at http://www.jdsupra.com/legalnews/tips-to-help-a-business-avoid-data-54050/. The following strategies can largely minimize the impact of a data breach and help a firm to get back on track more rapidly.
(1). Preparation for a Data Breaches: One of the key ways to minimize the impact of a data breach is for companies to prepare for such breaches and understand that they are, in fact, inevitable. See id, e.g. Specifically, “[c]ompanies can prepare themselves for data breach situations by having a plan on how they will handle a data breach situation. Running practice drills of a data breach scenario can also be helpful for the company to identify potential pitfalls and shortcomings, which can be addressed in advance of the real thing.” Id. In particular, firms will want to consult their security and data experts and put together an action plan for how to respond in the event that a breach occurs.
The action plan should consist of two components and may require two types of consulting experts. First, the plan must deal with the technical issues and how to resolve those matters as best as possible, which is best left in the hands of computer and security experts. Second, and equally important, an effective action plan should address the public relations side of the equation, and how to present the fact of a data breach to the media, legal community, and general public. To best accomplish this second part of a truly successful action plan, firms will need to enlist the support of public relations and media experts in the field, who can do as much damage control to a firm’s reputation as possible when a breach occurs. Experts should be retained before a breach occurs; as one legal commentator explains, “What words are used in the media are critically important since the lawyers will likely try to use what is said to their advantage later in court. Know how the data breach situation will be handled by your company before it happens.” Id.
(2). Handling a Breach from a Legal Perspective: Knowing the Law: In addition to preparing both technical and public relations strategies to handle breaches, it behooves legal organizations to know what their rights and legal duties are in the event that a breach occurs. See id, e.g. Companies should know this information before a breach occurs, which, again, entails consulting with experts in data breaches, computer security, and cyber attacks prior to a breach taking place. For instance, “[k]nowing the law on these matters will give the company better footing on how to handle the aftermath of the situation. Companies that do not know or understand data breach law often fail to notify consumers whose data may have been exposed in a breach in a timely manner, which can result in significant penalties for the company.” Id.
Once an organization discovers that a breach has occurred, immediate action is necessary. As soon as it finds out about the breach, the company should put into place its action plan and follow the above-mentioned strategies. In fact, “[d]ata breach law requires companies to take action quickly upon discovery of a data breach. The company is responsible for quickly shutting down the breach, and then is responsible for notifying victims within a reasonable time after the breach is discovered. It is better to own up to the data breach and let those who are affected by the breach know as soon as possible that their personal identifying information or credit card information has possibly been exposed.” Id. Acting quickly means knowing who to have as a contact point throughout the post-breach clean-up, and experts should be involved at every stage. If litigation does ensue, a company will have a much greater measure of protection and will have expert witnesses who can testify as to what protocols were followed before and after a breach took place. This testimony will, in turn, make a firm look as if it took every necessary precaution and did everything in its power to both prevent and contain a breach. When reviewing courts assess breaches, part of what they will look to is how a company acted and handled a breach. If firms follow the advice discussed herein and make use of the experts in the field, both as early as in the pre-breach planning stages and after a breach has taken place, their legal position will be substantially stronger.
The bottom line, according to one legal analyst, is simple, and one of “the best strategies for a company to have concerning data breaches is to be prepared. Knowing in advance what you will have to do, what you will need to say, and how you can manage the aftermath of a data breach can go a long way towards helping your company avoid data breach litigation.” Id.
Indeed, effective preparation and collaboration with experts may prove the keys to mitigating both the risks of and fallout from a data breach and are invaluable strategies.