A survey of U.S. Federal and State Laws, Statutes, and Regulations Governing Data Breach Notification, Biometric Information, Cybersecurity, and Data Privacy*
*The content is for general information purposes only and does not constitute legal or professional advice.
Businesses must protect the privacy and security of the personal data and confidential information in their custody and control. However, in today’s dynamic threat environment, businesses are facing evolving risks to their information technology (IT) systems and networks. To mitigate these risks, a business should build a data protection program tailored to its unique concerns and threats. Central to developing a data protection program is creating, implementing, and maintaining a clear and concise data incident response plan (IRP) that outlines the measures and tools needed to prepare for and respond to an actual or reasonably suspected data breach.
This checklist provides an outline of the critical elements a business should address or consider when creating an IRP. Full access to the checklist is available here (pdf).
- Governance and responsibilities. The IRP must identify the key individuals who have roles in the security incident response process.
- Incident Response Coordinator. The business should delegate authority to one person, an Incident Response Coordinator, to oversee data breach response efforts.
- Incident Response Team (IRT). An IRT is a predetermined group of employees, contractors, and other resources responsible for responding to data security incidents.
- Incident response procedures. The IRP should include procedures and protocols that address detection and discovery; assessment and escalation; IRT investigation and analysis; and containment, remediation, and recovery.
- Evidence preservation. The IRT should direct appropriate internal or external resources to capture and preserve evidence during the investigation, analysis, and response activities.
- Communications and notifications. The IRT, in coordination and consultation with legal counsel, should consider developing a communication plan for both internal and external stakeholders.
- Post-incident response. Following a security incident or data breach, a business should reconvene the IRT to assess the incident, the effectiveness of the response, and any remedial measures needed to mitigate risk, and should repeat that review periodically as remediation progresses.
The First 72 Hours: Critical Steps Following a Data Breach
When it comes to a data breach, what you do in the first few hours and days can mean the difference between containing the risks and losses and losing control of events. As the minutes and hours tick by, the financial and reputational consequences you face may be quickly multiplying. According to the 2019 Cost of a Data Breach Report (Ponemon Institute/IBM Security), the average total cost of a data breach globally is $3.92 million (USD), and in the United States that number more than doubles to $8.19 million. And that doesn’t even begin to account for the potential harm to your public image. It is in the best interests of your company and its employees and customers that you quickly assess the situation, notify the proper parties, and begin the investigation and remediation process. In fact, if you conduct business in the European Union, its General Data Protection Regulation requires you to report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
Would you know where to begin? The good news is that you don’t have to. Our Privacy & Cybersecurity team has the experience and resources to help you quickly and effectively respond to a data breach. Our professionals have substantial experience in managing data incident response scenarios, and we can deliver an efficient, disciplined and effective response plan. And we provide our services for a fixed fee, so you know the cost up front.
Here’s how we can help:
Initial Assessment
- Create and convene (with general counsel/CISO) the incident response team
- Identify and interview knowledgeable personnel
- Investigate the source, scope and nature of the incident, including what was lost (physical assets or data) and whether the breach resulted from a third-party service provider failure
- Investigate whether the compromised data is accessible or usable by the attacker (e.g., whether it was encrypted and whether the keys were also exposed)
- Identify, advise on and verify the initial remediation actions taken to immediately limit the damage and stop the breach
- Analyze the compromised data and determine its type(s): PII, PHI, payment card data subject to PCI DSS; employee or consumer information
- Assess number and geographic distribution of potentially affected individuals
- Identify and assess short-term reporting and regulatory obligations (e.g., HIPAA breach)
- Counsel on the timing and scope of notices
- Ensure necessary third-party providers are in place
- Counsel on preservation of evidence (e.g., capturing logs that would ordinarily be rotated or deleted before the investigation is complete)
DELIVERABLE #1: Initial assessment of potential reporting/notification requirements (legal analysis)
Third-Party Provider Assessment
- Identify third-party service providers
- Identify relevant insurance coverage
- Review with internal risk management personnel relevant insurance contracts/coverage
- Ensure appropriate insurance providers are involved
- Review relevant services/IT agreements and breach provisions; provide initial advice on next steps/remedies
Identification of External Resources/Service Providers
- Initiate retention of notice fulfillment services provider as appropriate
- Retain forensic resources as necessary
- Retain crisis communications consultant/coordinate with company PR and investor relations teams
DELIVERABLE #2: Ensure necessary third-party providers are in place
DELIVERABLE #3: Prepare forms or provide notice templates specific to location/jurisdiction/regulatory requirements
If your organization has suffered a data breach or incident, contact us at any time (24/7) at DataBreachResponse@ThompsonHine.com. A Thompson Hine cybersecurity attorney will respond to you as soon as possible.
For more information about the critical steps following a data breach, please contact:
Thomas F. Zych, Partner, Chair, Privacy & Cybersecurity
216.566.5605
Tom.Zych@ThompsonHine.com
Steven G. Stransky*, Partner, Vice Chair, Privacy & Cybersecurity
202.263.4126 | 216.566.5646
Steve.Stransky@ThompsonHine.com
*International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)
Related Publications
- The Microsoft Outage, Cyber Disruptions, and Force Majeure Events, Privacy & Cybersecurity Update, July 19, 2024
- SEC Issues Update on Cybersecurity Incident Report, Privacy & Cybersecurity Update, May 23, 2024
- Florida and West Virginia Create New Cybersecurity Safe Harbor Laws, Privacy & Cybersecurity Update, March 22, 2024
- 5 Privacy And Cybersecurity Resolutions For 2024, Law360, January 5, 2024
- New Guidance on SEC Cybersecurity Reporting Regulations, Privacy & Cybersecurity Update, December 11, 2023
- NYDFS Amends Data Breach and Cybersecurity Regulations, Privacy & Cybersecurity Update, November 7, 2023
- SEC Finalizes Rules Requiring Mandatory Cybersecurity Disclosure, Securities Law Update, July 27, 2023
- Navigating Cybersecurity Regulations: An In-Depth Look at SP 800-171, June 8, 2023
- See No Evil, Speak No Evil, Then Pay the Piper: Be Ready for the Worst-Case Results in Cybersecurity, Business Law Update – Fall 2022, December 7, 2022
- NY DFS Shakes up Board and Management Exposures for Cyber Breaches, Privacy & Cybersecurity Update, November 30, 2022