Breach Response: The Legal View

Fast Action Can Save Reputation and Ensure Compliance

By , December 15, 2011.

As legal issues surrounding data breaches become increasingly complex, more organizations are turning to attorneys for post-breach response, says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams.

Complying with a multitude of regional and international laws when consumers' personal information is compromised is critical. And depending on the size and reach of the organization breached, that could mean complying with dozens of mandates and regulations in various parts of the country and world.

Sotto, who focuses on privacy and information security, says the role of attorneys has changed significantly in recent years. After a data breach, attorneys handle many facets during the response process. "A lawyer who's well-versed in managing data breaches knows that she or he needs to manage really much more than the straight legal compliance issues," Sotto says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].

Attorneys' duties post-breach typically include: forensics investigations; managing public relations; managing media issues generally; hiring and training call-center agents; retaining a mail house; retaining a credit monitoring and identity protection service; and dealing with the inevitable fallout of a data breach internally.

"And of course, the lawyers also need to set things up to try to mitigate the risk of litigation that typically follows a security incident," Sotto says.

The success or failure of a company is based on the value of its data. And that means roles for attorneys in this emerging field will continue to evolve. "There just couldn't be a more exciting time to practice in this area," Sotto says. "It's still a nascent field, and there's so much more for us to learn and so many new laws being enacted globally in this space that it's a wide-open field."

During this interview, Sotto discusses:

  • Why attorneys must play key roles in forensic investigations and subsequent public-relations efforts;
  • How attorneys can break into the field of information security, and why they should; and
  • Why attorneys are increasingly being looked upon as the gatekeepers of data privacy, which requires them to manage an organization's data-security strategy from "the cradle to the grave."

Sotto is the managing partner of the New York office, and her practice focuses on privacy, data security and information management issues. She was rated No. 1 privacy expert in 2007 and 2008 by Computerworld magazine. She also earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners. In addition, Hunton & Williams' privacy and information practice received a No. 1 U.S. national ranking from Chambers in privacy and data security.

Breach Legal Issues

TRACY KITTEN: In the event of a data security breach, what legal issues should organizations be concerned about?

LISA SOTTO: There are 46 state breach notification laws in the U.S., plus laws in Puerto Rico, the U.S. Virgin Islands and D.C. These laws require that an entity that maintains computerized personal information that's compromised notify those people whose information was affected by the incident. There's also a federal law that requires similar notification where health information is involved. And layered on top of that morass, there are similar requirements in other countries like Germany, so a company that has experienced a data breach needs to take all of these laws into consideration in deciding how to manage the event.

Attorneys' Role

KITTEN: What role does the organization's attorney play when it comes to data breach notification?

SOTTO: The attorneys need to consider the legal environment, so they need to think about what laws apply, which jurisdictions need to be considered and what requirements are applicable in light of the facts of the incident. In addition, lawyers have the benefit of being able to quote certain information in the attorney/client privilege, so it's often important for the lawyers to retain any experts that might need to be brought in to help assess the scope of a breach.

KITTEN: How do attorneys typically respond to such breaches? It sounds like they probably just play this role of helping to advise the organization depending on where they are located and where they do business.

Follow Jeffrey Roman on Twitter: @gen_sec
