Cyberattacks and data breaches are rarely constrained by geography. Lex Mundi’s network and resources can help you plan globally, whether it’s for protective or reactive support.
Contact
Jenny Karlsson Director, Global Markets / Head of Legal jkarlsson@lexmundi.com
Rapid Reaction contacts
Specialists at Lex Mundi member firms worldwide, our Cyberbreach Rapid Reaction lawyers are experts in their jurisdictions and will work together to provide you with a comprehensive global response plan.
Building resilience and leading your response
This free report from the 10th annual Lex Mundi Summit in Amsterdam analyses cybersecurity insights and best practice from general counsel at some of the world’s biggest brands. The report focuses on three things:
- Strengthening your resistance to attack
- Preparing your response to crisis
- Accepting and adapting to permanent vulnerability
First steps after a breach
These steps can help mitigate exposure and structure your response to cyberattack. Contributed by Stewart Baker (Partner) and Claire Blakey (Associate) of Steptoe & Johnson LLP (Lex Mundi member firm for USA, District of Columbia).
Once a breach has been detected, it must be contained to limit the damage and prevent further unauthorized access to or use of personally identifiable information. Containment measures (isolating affected systems, revoking or resetting compromised credentials, blocking attacker infrastructure) should be chosen so that system and audit logs and other evidence are preserved rather than destroyed; wiping or rebuilding a compromised host before it has been imaged can make it impossible to establish later what happened and which data was exposed.
At the same time, the organization must gather the facts of the breach and assess what information was exposed and which individuals were affected. Some organizations conduct this investigation in-house; many engage an outside vendor specializing in digital forensics, typically retained through counsel so that the investigation is conducted under attorney-client privilege.
A number of countries have laws requiring organizations to notify individuals and/or the government following a data breach. California was the first jurisdiction to enact a broad data breach notification requirement. Most U.S. states and territories now have data breach notification statutes, which typically apply to any organization that acquires, owns, or licenses computerized data containing personally identifiable information of individuals who reside within that jurisdiction. Certain U.S. federal statutes also apply to particular types of organizations and protected information (e.g. the Gramm-Leach-Bliley Act for financial institutions, the Health Insurance Portability and Accountability Act for health information, and the HITECH Act, enacted as part of the American Recovery and Reinvestment Act, which added breach notification obligations for HIPAA-covered entities and their business associates).
These statutes generally require notification to individuals whose personally identifiable information has been or may have been compromised. They may also require that the government be notified, and certain statutes require notification to the credit reporting agencies. Typically, notification must be made without “unreasonable” delay, but certain statutes impose a fixed deadline (for example, California requires notification to individuals within 5 days of detection of a breach involving protected medical information). These statutes normally specify the permitted methods of notification, and some prescribe the content of the notice. If law enforcement is involved, notification to individuals may be delayed where law enforcement determines that notification would impede a criminal investigation; the determination and its date should be documented, since the notification clock resumes when the hold is lifted.
A number of individual European countries have their own data breach notification laws (including the Netherlands, whose obligation on data controllers to notify the Data Protection Authority of data security breaches has been in force since January 2016). In addition, the European Commission’s ePrivacy Directive established breach reporting obligations for providers of publicly available electronic communications services, and the General Data Protection Regulation (GDPR), which applies from May 25, 2018, extends data breach notification requirements to all organizations acting as controllers: the competent supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, and affected individuals must be notified without undue delay where the breach is likely to result in a high risk to them. Processors must notify the controller without undue delay. Canada and Australia have also enacted data breach notification laws (Australia’s scheme commenced on February 22, 2018 and Canada’s on November 1, 2018).
Some statutes impose remedial obligations beyond notification: certain U.S. states, for example, require covered entities to offer credit monitoring services free of charge for one year to consumers whose personally identifiable information has been exposed in a data breach.
In coordination with the legal response, an organization should carefully consider its public relations response and adopt a press strategy that provides accurate information quickly without getting ahead of the forensic findings; statements about the cause or scope of a breach that later have to be corrected damage credibility with customers and regulators alike.
After the initial analysis, it will be necessary to establish the full circumstances of the breach (the initial point of entry, how long the attacker had access, which systems and data were touched, and what allowed the intrusion to succeed) in order to explain what happened and prevent a recurrence. If the organization already has an incident response plan in place, it should be followed, and modified as necessary: no plan survives contact with reality.
Retain outside legal counsel, if necessary, to defend against lawsuits brought by either government or individuals. With the Lex Mundi Global Cyberbreach Rapid Reaction Force, our member firms can help coordinate a prompt, global response.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), effective May 25, 2018, has dramatically changed the global landscape for data privacy compliance. The extra-territorial reach of the GDPR means that it is relevant not only to businesses established in the European Union but also to international businesses established outside the European Union that offer goods or services to individuals in the European Union or monitor the behavior of individuals within the European Union.