Data Breach and Incident Response
Stakeholders across the health care industry have become lucrative targets for cybercriminals looking to steal patients’ data. Unfortunately, threats to patient information can also come from within organizations—whether from negligent employees with access to PHI or those employees actively engaged in fraud. These risks have been exacerbated by the increase in remote work since the COVID-19 pandemic. Organizations must be prepared for the reality that a data breach is not a question of “if” but “when.”
EBG attorneys advise on the legal and technical issues flowing from a data breach and assist with all aspects of the breach response. Our services include:
- Investigating the source of a breach (when one occurs), evaluating the damage, and confining the breach.
- Recommending immediate remedial and cost-recovery measures.
- Advising on compliance with notice and reporting obligations under federal securities laws and international, federal, and state privacy laws.
- Drafting required notices and delivering them to affected individuals and agencies in accordance with regulatory requirements and time limits.
- Defending clients in investigations and lawsuits resulting from the breach.
- Prosecuting civil claims against hackers and cyber-criminals.
- Drafting statements concerning the breach for the media, law enforcement, and consumer reporting agencies.
- Advising clients on best practices and legal requirements with respect to offering credit monitoring, identity repair services, or identity theft insurance to affected individuals.
- Assisting employers in drafting statements, e-mail notices, and other correspondence to employees impacted by the breach.
Once the crisis has ended, EBG attorneys take every step necessary to enhance our client’s privacy and security compliance programs on a prospective basis so that the client will be better positioned to shield data from future breach incidents. These steps include, for example:
- Identifying faulty data practices and policies and recommending needed changes.
- Monitoring crisis communications to restore customer, shareholder, consumer, law enforcement, and regulator relationships.
- Reviewing and updating controls, policies, and procedures relating to technology.
- Reviewing and revising privacy, security, and incident response plans.
- Retraining personnel on data security and oversight.
- Creating a breach report in compliance with regulatory requirements.
Attorneys in our Privacy, Cybersecurity & Data Asset Management group have extensive experience establishing data security breach preparedness and response programs, managing a client’s reaction to the data breach, and mitigating the breach’s impact. Our attorneys are available as soon as a breach is discovered to implement an effective crisis management program, take quick remedial action, and provide guidance on whether and when notices to government agencies and affected individuals are required.