Washington, D.C.

Data Breach & Incident Response

Intrusions by hackers, malware infections, and ransomware have become all too common. We counsel executives and companies in pre- and post-breach incident response. We also represent companies in investigations and civil litigation that increasingly follow a breach.

A breach is an immediate problem with long-term consequences. If not handled early and comprehensively, litigation can continue for years; government investigations may persist longer. A proper response requires quick but strategic action. We provide legal and practical guidance to take that action.

Pre-Breach Assessments

Before a breach, we help clients minimize the risk of one and prepare to respond quickly and effectively if one does occur. We begin by evaluating a client's current environment to determine its responsibilities to customers, patients, vendors, insurance carriers, and the government in the event of a breach. We also examine whether a client's current contracts with employees provide proper protection in the event that disgruntled personnel consider acting against company interests. And we analyze each client's rights and obligations under federal laws, including the Defend Trade Secrets Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Electronic Communications Privacy Act (ECPA). Where applicable, we also analyze potential courses of action under state law.

A breach investigation is no time to catalogue contractual requirements for victim notification or regulatory requirements for reporting.

We then work with security engineers to analyze existing security procedures and preparedness. For instance, clients may be called upon to decide whether the benefit of retaining logs that may be helpful to incident response is worth the risk in later litigation of being forced to disclose those logs in discovery. Clients may also need to determine how their security infrastructure will respond to a "litigation hold," where data retention for indeterminate time may be legally required. Together, we devise recommendations for changes to current systems and procedures. We also develop a comprehensive response plan.

Post-Breach Investigations

During and after a breach, we advise clients in crisis. Our approach has two prongs: First, we provide legal assistance and oversight to digital forensics and incident response (DFIR) teams, to maintain the maximum legal protections for their results under the attorney-client privilege and the work-product doctrine, and to ensure that investigations not only uncover the scope and extent of the breach, but also provide evidence of how and why a breach occurred: Was it the client's negligence? Action or inaction of a rogue employee or vendor? Was it an unforeseeable "0day" (an undisclosed vulnerability)? Second, we immediately begin preparations for legal action—to defend the company, identify the party that may have legal liability, and, where necessary, make the proper disclosures.

Disclosure to Government, Law Enforcement, and Collateral Victims

The decision whether to disclose an incident or breach to the government depends on many factors. Under certain federal and state laws, disclosure to government officials or collateral victims may be required. In such circumstances, we can assist clients to determine whether disclosure is required. And where disclosure is a necessity, we can assist in determining when—and to what extent—information must be divulged.

Even where disclosure is not mandated, it still may be advisable—to benefit from the expertise of law enforcement or to stay ahead of a potential publicity disaster. This is especially so where a breach is likely to become public even without voluntary disclosure. Still, it is important to decide carefully what will be disclosed, to whom, and when. Disclosures must be carefully crafted and coordinated with the ongoing investigation. We help clients make these independent but related decisions strategically.

Not only are 80 to 100 lawsuits filed each year following data breaches, but information security firms, and other companies that have done work for corporate victims, remain attractive litigation targets.

Post-Breach Litigation

Post-breach lawsuits are increasingly common. Although these suits can often be dealt with at the motion-to-dismiss stage, doing so may require a proper investigation of the breach itself—including close coordination with digital forensics investigators. And as plaintiffs continue to seek new and creative avenues to survive early challenges to data-breach suits, we can craft innovative responses. Our creativity as attorneys is furthered by our deep understanding of the technology.

Where a breach may harm consumers, investigations and lawsuits may also be brought by state attorneys general. When such investigations are threatened or begin, we guide clients in responding to government inquiries and, where investigations progress, defend them in subsequent litigation.