How Soon Is Too Soon When Notifying Consumers After a Breach?
"The State of Data Breach Litigation: What You Need to Know and How to Protect Yourself" at Legalweek 2019 explored the aftermath of a breach and some important things to consider when looking at cyberinsurance coverage.
January 31, 2019 at 02:53 PM
The original version of this story was published on Legal Tech News
Nothing gets the blood pumping quite like insurance talk. "The State of Data Breach Litigation: What You Need to Know and How to Protect Yourself" session delivered a few pro tips on how to handle the aftermath of a data breach.
The precise order of the steps they outlined may vary from jurisdiction to jurisdiction — hello, General Data Protection Regulation and California Consumer Protection Act — but sooner or later all breached parties should expect to encounter some tough questions about when to bring insurance carriers or even their own customers into the fold.
First things first: moderator Robert Brownstone, chairman of the electronic information management group at Fenwick & West, suggested that organizations top off their incident response plans with a one-pager that is basically an "in-case-of-emergency call list."
A company's go-to legal counsel should be right at the top. Panelist Roberta Anderson Sutton, owner of RAS Enterprise Risk Management Services, said that this could help to preserve attorney-client privilege around early conversations.
It's also generally a good idea to bring your cyber insurance carrier into the loop. Some companies are reluctant to make the call because they don't want to watch their rates balloon, but Mark Knepshield, senior vice president at McGriff, Seibels and Williams, said that carriers typically do not increase premiums following a breach.
Besides, there's always a chance that news of a cyber incident will leak anyway. "The worst way to notify a carrier is in the press," Knepshield said.
If you don't have a cyber insurance plan already locked down, there are some important things to consider before signing on the dotted line. Breaches aren't always discovered in a timely fashion, so Anderson Sutton advises getting retroactive coverage that dates back at least a year.
Devising a policy that still provides coverage in the event of human error—like an employee clicking on a phishing email—is also critical. Under those circumstances, being able to offer proof that simple preventive actions such as in-house security training were undertaken might help put the breach in a more defensible light with customers or board members.
Isis Miranda, an associate at London Fischer, said that some IT departments send out faux phishing emails to employees so that they can identify the employees who are prone to click and offer instruction.
Once the insurance stuff is out of the way, it may be time to start thinking about how and when to notify consumers or the affected parties. In some cases, a time frame may already be established by jurisdictional privacy or data breach laws. But if not, Sutton suggested waiting until a clearer picture of events has crystallized. Being forced to constantly revise or update an already embarrassing story in the press isn't a good look. "Too early notification costs almost as much as too late notification," she said.
© 2024 ALM Global, LLC, All Rights Reserved.