Whether it’s ransomware, a denial of service attack, a stolen laptop, or an employee stealing information from within, a business facing a data or security breach should immediately seek advice from counsel. Like other unforeseen crises in which businesses consult insurance adjusters, accountants, and lawyers, data and security breaches should be no different.
Retaining an attorney in response to a data or security breach has the following benefits:
1. Lawyer-Client Privilege: Louisiana law protects just about anything you tell your attorney from disclosure. While the first instinct in response to a breach is to contact IT, the second reaction should be to call an attorney to enable you to freely ask questions and receive answers about the legal implications under a nearly impenetrable shield of confidentiality. If the security incident or data breach later results in litigation or government investigation, having early questions and issues vetted by an attorney in confidence will protect those communications from unwanted disclosure.
2. Act as Liaison with Law Enforcement: Louisiana is the only state to enact a state version of the Cybersecurity Information Sharing Act. Under La. R.S. 51:2101 et seq., if a private entity chooses to share cyber threat information with the Louisiana State Police Fusion Center, not only will the business not waive any legal privileges or open itself to public records requests, it may receive forensic or mitigation assistance with legal protections against certain government regulations and penalties. With law enforcement constantly receiving and analyzing cyber threats, they are often tremendously valuable (and free!) and under-utilized tools by the private sector. An attorney with experience in cyber law can assist in navigating this process and explaining the legal benefits/options in enlisting assistance from law enforcement.
3. Work with the Insurance Company: Cyber attorneys can assist businesses in understanding coverage limitations and notification requirements. Allow the cyber attorney to work the insurance company to ensure benefits are timely received. If cyber insurance was not previously purchased, an attorney can negotiate the purchase and rates of a customized policy to meet the individual needs of the business.
4. Determine Legal Obligations for Reporting: each state has individual requirements for reporting data breaches. There are varying timelines for reporting, requirements for the contents of the reports, varying definitions of what constitutes a breach, and different directions as to whom to report the breaches. Failure to follow reporting law can result in regulatory investigations, penalties, and potential criminal sanctions. A qualified attorney will guide a business in determining if and how to report breaches to avoid any potential penalties or sanctions.
5. Coordinate Disaster Management Teams: Depending on the size and nature of the breach, an attorney can serve to manage the different types of professionals required to respond to the event such as media specialists and contracted IT vendors. For example, if a complete replacement of IT equipment and software is required (which can cost upwards of $50,000.00), an attorney can review and execute those contracts on your behalf. If a public statement is deemed in the best interest of the company for goodwill purposes, an attorney should review that information to ensure that the statement faithfully reflects the truthfulness of the situation without over-promising remedies or conveying unnecessary and potentially damaging details.
Apart from an attorney’s utility in security incident or breach response, having an attorney assist in preparing a data breach response plan with a trusted IT professional is a best practice. Having a written response plan may either stop a suspected breach or mitigate the damages therefrom, as well as help insulate a business from data negligence claims prior to any compromise of security.