Edward McNicholas, co-leader of Ropes & Gray's data, privacy & cybersecurity practice, provides general counsel with three key rules he follows when responding to a data breach.

Transcript:

I'm Ed McNicholas, and I co-lead the data, privacy & cybersecurity practice at Ropes & Gray, based in Washington, D.C. In this video, I'm going to provide general counsel with three key rules that I follow when quarterbacking a data breach response.

Make no mistake – data breaches are often fast moving, complex and consequential. More than one company has suffered more harm from how they responded to a data breach than the data breach itself. In the middle of that swirl of technical, legal, operational and financial issues, many companies look to the general counsel for steady leadership – just like a confident quarterback in the pocket making a great pass. I like that analogy: data breaches can certainly feel like football – unexpected blitzers are coming in; time is limited; there is a real chance of getting sacked; and things rarely go the way they did in practice. So what are the three loadstones that I use?

Rule #1: Focus on actual harm

First, focus on actual harm. Data breaches are full of technical and legal complexity. There are 54 state data breach laws and hundreds of state privacy statutes, not to mention to federal laws, and very significant international laws, such as the EU's GDPR. Securities, employment, labor, contract and regulatory issues abound. The most important item to keep clear in the legal analysis is which stakeholders are actually suffering tangible harm and what we can do to alleviate and mitigate that harm – everything else flows from that simple focus.

Rule #2: Look to the long-term

Second, look to the long-term. Data breaches can be intensely focused on immediate communication. The EU requires notice in 72 hours – as does the New York Department of Financial Services. But many customers need notice immediately, often in a few hours, and often despite the lack of clear knowledge about the breach. In that environment, the crucial legal focus must be to realize that the success of the data breach response will be measured in the long run. Although the time pressure is great, it is crucial for the lawyers to recognize that this is the first step on a long legal journey that may continue for years of investigations and litigation, and the key decisions made during the breach response can set that narrative.

Rule #3: Be transparent

Third, be transparent. Remember that your stakeholders⁠—your employees, customers, investors, and even the press and regulators⁠—will forgive the data breach. People accept that cybersecurity attacks are part of life in the 21st century. Your reputation will not be destroyed because a hacker got into your systems. What stakeholders tend not to forgive or forget are efforts to be less than transparent in the response. There is an art to presenting facts in the most reassuring way. No one should raise undue concerns, but attorneys must raise a bulwark against misleading stakeholders. Your reputation will not be destroyed because hackers get into your computer system, but reputations can be severely harmed if your investors, customers, employees and regulators trust you less after the crisis.

When I guide companies through a data breach, I keep these three rules in mind. Focus on actual harm. Look to the long-term. Be transparent. I cannot say that going through a data breach will be enjoyable, but with the right data breach response, you may well enhance your stakeholder confidence that you can weather any storm.

Originally published by Ropes & Gray, July 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.