
Copyright SJKP LLP Law Firm all rights reserved

Data Breach



A data breach is any unauthorized access to, acquisition of, or disclosure of personally identifiable information (PII) or other sensitive personal data. The legal obligations triggered by a confirmed breach include incident containment, forensic investigation, notification to regulators and affected individuals, and management of civil and regulatory liability.

The financial and legal consequences of a data breach can be catastrophic. GDPR fines can reach four percent of total worldwide annual turnover, FTC enforcement actions can result in consent decrees requiring 20-year monitoring, and class action settlements have reached hundreds of millions of dollars.



1. What Constitutes a Data Breach and Who Bears Legal Responsibility


A data breach triggers legal obligations when the incident results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data, and the organization must immediately determine whether the notification threshold has been met.



Types of Data Breaches and When Legal Liability Attaches


Data breaches that trigger legal liability include ransomware and other malware that exfiltrates personal data, unauthorized insider access by employees or contractors, phishing attacks that result in credential theft and unauthorized access, and misconfigured databases or storage buckets that expose personal data to the internet. Under a negligence theory, liability attaches when the organization failed to implement reasonable and appropriate technical and organizational security measures. Courts and regulators have repeatedly treated the absence of basic controls such as multi-factor authentication on remote and privileged access, and encryption of personal data at rest and in transit, as evidence that the standard of care was not met. Organizations that have experienced a data breach should immediately engage data breach counsel to assess the legal threshold for notification and begin the forensic investigation.



Controller and Processor Liability for Data Breaches under the GDPR


Under the GDPR, the data controller bears primary legal responsibility for the security of personal data and is liable for any breach that results from its failure to implement appropriate security measures or to adequately oversee processing activities; processors also carry their own security obligations under Article 32. A data processor that becomes aware of a breach must notify the controller without undue delay. The 72-hour deadline runs against the controller's notification to the supervisory authority, not against the processor, so every hour a processor delays shortens the controller's window; a processor that delays can be held liable to the controller under the processing agreement and can be sanctioned directly by regulators for breaching its own notification duty. Organizations that share personal data with vendors, cloud providers, or third-party processors should engage cybersecurity governance counsel to review their data processing agreements and ensure that processors are contractually required to implement adequate security measures and to report incidents within a defined number of hours.



2. Data Breach Incident Response: Legal Steps in the First 72 Hours


The first 72 hours after a data breach is discovered are the most critical period for managing legal liability, because the GDPR requires the controller to notify the supervisory authority, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals (a later notification must be accompanied by the reasons for the delay), and the decisions made during this period determine the organization's legal exposure.



Immediate Incident Response: Containment, Investigation, and Forensics


The legal response to a data breach begins with immediate containment measures designed to stop the ongoing unauthorized access, preserve forensic evidence, and prevent further exfiltration of personal data. The organization's response should be documented in real time because regulators and courts will scrutinize the containment response. Engaging a qualified forensic investigation team immediately after a breach is discovered is essential for understanding the scope of the breach and preserving the chain of custody of digital evidence in a form admissible in regulatory and litigation proceedings. Organizations that have just discovered a data breach should immediately engage cybersecurity counsel to coordinate the incident response, engage a forensic investigation team, and manage communications during the critical early phase.
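The chain-of-custody point above has a concrete technical counterpart: before any log export, disk image or memory capture is handed to counsel or an investigator, its cryptographic hash, size, collector and collection time are recorded in a manifest, and the manifest itself is hashed so it can be countersigned. The example below is added here and is not code from the original page; the log line, file names, case identifier and collector address are constructed placeholders.

```python
"""Evidence hash manifest for chain-of-custody preservation (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record hash, size and collection metadata for each artifact, then seal the manifest."""
    collected_at = datetime.now(timezone.utc).isoformat()
    entries = []
    for p in sorted(paths):
        entries.append({
            "path": os.path.basename(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
            "collected_at": collected_at,
            "collector": collector,
        })
    manifest = {"case_id": case_id, "artifacts": entries}
    # Hash of the canonical JSON body: this value is what the collector signs or
    # has countersigned, so later edits to the manifest itself are detectable too.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest, directory):
    """Re-hash every listed artifact; return (name, reason) for each one that no longer matches."""
    problems = []
    for entry in manifest["artifacts"]:
        p = os.path.join(directory, entry["path"])
        if not os.path.exists(p):
            problems.append((entry["path"], "missing"))
        elif os.path.getsize(p) != entry["size"]:
            problems.append((entry["path"], "size changed"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed walk-through: collect two artifacts, seal the manifest, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample artifacts (not real evidence).
        samples = {
            "auth.log": b"Nov 25 02:13:07 web01 sshd[4411]: Accepted password for svc_backup from 203.0.113.7\n",
            "disk.img": bytes(range(256)) * 64,
        }
        paths = []
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        manifest = build_manifest(paths, case_id="IR-2025-0001", collector="analyst@example.com")
        assert verify_manifest(manifest, d) == []          # untouched evidence verifies cleanly
        # A same-size edit to the log (timestamp month changed) is invisible to a
        # size check and only caught by the hash comparison.
        with open(os.path.join(d, "auth.log"), "r+b") as f:
            f.seek(0)
            f.write(b"Dec")
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    print(demo())
```

The manifest is written once at collection time and re-verified whenever the evidence changes hands; a non-empty result from `verify_manifest` means the artifact can no longer be presented as the item originally collected. In practice the `manifest_sha256` value is also recorded outside the evidence store (for example in counsel's engagement file) so that the manifest and the artifacts cannot be altered together.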



Legal Privilege and Preserving Evidence during a Data Breach Response


Directing the forensic investigation through outside legal counsel is the most common mechanism for asserting attorney-client privilege and work-product protection over the investigation findings, but the protection is not automatic: courts have ordered production of forensic reports where the report served ordinary business or regulatory purposes rather than being prepared primarily to obtain legal advice or in anticipation of litigation, so the engagement must be structured and documented with that purpose from the outset. Organizations must simultaneously implement a litigation hold that suspends normal document retention and log rotation and preserves all documents, communications and system records potentially relevant to the breach, because the failure to preserve relevant evidence can result in adverse inference instructions. Organizations responding to a data breach should immediately engage cybersecurity legal consulting counsel to structure the investigation under attorney-client privilege and implement a litigation hold.



3. Data Breach Notification Obligations and Regulatory Compliance


Every organization that suffers a data breach involving personal data is subject to notification obligations that vary by jurisdiction, industry, and the type of data involved, and failure to comply with notification requirements is itself a regulatory violation that can result in fines separate from any sanctions for the underlying breach.



Data Breach Notification Requirements: GDPR, State Laws, and HIPAA


GDPR requires a data controller to notify the relevant supervisory authority, where feasible, within 72 hours of becoming aware of a personal data breach likely to result in a risk to the rights and freedoms of natural persons. Notification of affected data subjects is required without undue delay when the breach is likely to result in a high risk to their rights and freedoms. All 50 US states, the District of Columbia, and several US territories have enacted data breach notification laws; deadlines vary, with many statutes requiring notice to affected individuals without unreasonable delay and those that set a fixed deadline most commonly allowing 30 to 60 days from discovery, and many also require notice to the state attorney general, often once a threshold number of residents is affected. Healthcare organizations covered by HIPAA are required to notify affected individuals within 60 days of discovering a breach, to notify the Department of Health and Human Services (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual submission), and to notify prominent media outlets serving a state or jurisdiction when the breach affects more than 500 of its residents. Organizations that have suffered a data breach should immediately engage data privacy counsel to assess notification obligations across all applicable jurisdictions and draft the required notification letters.



FTC Enforcement, GDPR Supervisory Authorities, and Regulatory Fines


The FTC enforces data breach liability against US companies under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, and has pursued significant enforcement actions against companies that suffered data breaches, typically imposing consent orders that require a comprehensive information security program and independent third-party assessments every two years for 20 years. GDPR supervisory authorities can fine a controller or processor for failing to implement the security measures required by Article 32 up to 10 million euros or two percent of total worldwide annual turnover, whichever is higher; where the same facts also violate the integrity and confidentiality principle of Article 5(1)(f), the higher tier of 20 million euros or four percent of turnover applies, and regulators have used both tiers in breach cases. Organizations that have received an inquiry from the FTC, a GDPR supervisory authority, or a state attorney general following a data breach should immediately engage data breach litigation counsel to assess the regulatory exposure.



4. Data Breach Civil Liability, Class Actions, and Compensation Claims


A data breach that exposes the personal data of consumers or employees creates immediate civil liability exposure through class action litigation, individual compensation claims, and shareholder derivative suits, and the aggregate financial cost can exceed the regulatory penalties in cases involving large numbers of affected individuals.



Class Action Lawsuits and Compensation Claims after a Data Breach


Data breach class actions are filed shortly after public disclosure of a significant breach and typically allege negligence based on the failure to implement adequate security measures, breach of contract based on representations in the privacy policy, and statutory claims. Plaintiffs in data breach class actions seek actual damages such as credit monitoring expenses, the cost of identity theft remediation, and losses from fraudulent transactions. Organizations that have been named as defendants in a data breach class action should immediately engage data privacy class action defense counsel to evaluate class certification vulnerability.



Cyber Insurance and Managing the Financial Impact of a Data Breach


A cyber insurance policy can provide critical financial protection against the costs of a data breach, including coverage for forensic investigation costs, breach notification expenses, and legal defense costs in regulatory proceedings and class action litigation. Cyber insurance policies require prompt notice of a breach and cooperation with the insurer's incident response requirements, and organizations that fail to meet these requirements risk having their coverage denied at the moment it is most needed. Organizations that have experienced a data breach and hold cyber insurance coverage should immediately engage cyber insurance counsel to review the policy terms, provide the required notice, and maximize available coverage.


25 Nov, 2025


The information provided in this article is for general informational purposes only and does not constitute legal advice. Past results do not guarantee similar outcomes. Reading or relying on this content does not create an attorney-client relationship with this firm. For advice on your specific situation, consult a qualified licensed attorney in your jurisdiction.
Some content on this website may be drafted with technology-assisted drafting tools and is subject to attorney review.
