Cyberattacks and data breaches are now common across all major business sectors. The theft, loss or unauthorized disclosure of personal information or other sensitive data can lead to revenue loss, reputation damage, fines, regulatory enforcement action, litigation and legal fees.
The average cost for each lost or stolen record containing sensitive and confidential information is over $100 million. A variety of factors contribute to data breaches, including human error or accident, illegal or malicious activity by individuals, and organized crime or other criminal enterprises.
We can help you prepare for and respond to a cyberattack or the unauthorized disclosure of personal information or other sensitive data. We will work with your in-house lawyers, privacy and compliance officials, and technology teams. In addition, we will work with your other, external service providers and agents, including your information security and digital forensic consultants, cyber insurance carriers, and ransomware negotiators. We regularly lead and direct investigations into data security incidents, manage data breach response teams, and coordinate a single response process, all while working to ensure these activities are properly protected by applicable legal and evidentiary privileges. We have handled data incidents involving all 50 states, the U.S. territories, the European Union, and several jurisdictions around the world.
Our services include advising on:
Businesses must protect the privacy and security of the personal data and confidential information in their custody and control. However, in today’s dynamic threat environment, businesses are facing evolving risks to their information technology (IT) systems and networks. To mitigate these risks, a business should build a data protection program tailored to its unique concerns and threats. Central to developing a data protection program is creating, implementing, and maintaining a clear and concise data incident response plan (IRP) that outlines the measures and tools needed to prepare for and respond to an actual or reasonably suspected data breach.
This checklist provides an outline of the critical elements a business should address or consider when creating an IRP. Full access to the checklist is available here (pdf).
Critical Steps Following a Data Breach
When it comes to a data breach, what you do in the first few hours and days can mean the difference between containing the risks and losses and losing control of events. As the minutes and hours tick by, the financial and reputational consequences you face may be quickly multiplying. According to the 2019 Cost of a Data Breach Report (Ponemon Institute/IBM Security), the average total cost of a data breach globally is $3.92 million (USD), and in the United States that number more than doubles to $8.19 million. And that doesn’t even begin to account for the potential harm to your public image. It is in the best interests of your company and its employees and customers that you quickly assess the situation, notify the proper parties, and begin the investigation and remediation process. In fact, if you conduct business in the European Union, its General Data Protection Regulation in most cases requires you to report a breach to the supervisory authority within 72 hours of its discovery.
Would you know where to begin? The good news is that you don’t have to. Our Privacy & Cybersecurity team has the experience and resources to help you quickly and effectively respond to a data breach. Our professionals have substantial experience in managing data incident response scenarios, and we can deliver an efficient, disciplined and effective response plan. And we provide our services for a fixed fee, so you know the cost up front.
Here’s how we can help:
DELIVERABLE #1: Initial assessment of potential reporting/notification requirements (legal analysis)
Third-Party Provider Assessment
DELIVERABLE #2: Ensure necessary third-party providers are in place
DELIVERABLE #3: Prepare forms or provide notice templates specific to location/jurisdiction/regulatory requirements
Identification of External Resources/Service Providers
If your organization has suffered a data breach or incident, please contact us at any time (24/7) here and a Thompson Hine cybersecurity attorney will respond to you as soon as possible.
For more information about the critical steps following a data breach, please contact:
Thomas F. Zych, Partner, Chair, Privacy & Cybersecurity
Steven G. Stransky*, Partner, Vice Chair, Privacy & Cybersecurity
202.263.4126 | 216.566.5646
*International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)