Beyond the Breach
The legal stakes are high for organizations that suffer a data breach.
Government investigations of data breaches are becoming more sweeping and are leading to ever-increasing settlement amounts. For example, in July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. An SEC filing revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company also had to pay an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.
With both investigations by government agencies and the filing of private lawsuits looming just over the horizon as soon as a data breach occurs, organizations must respond in a way that positions them to resolve breach-related investigations and litigation as favorably as possible.
To meet these challenges, members of our global Privacy + Data Security and our Crisis Management Groups have written articles that tackle the legal concepts and concerns that organizations and their teams must keep in mind as they deal with the fallout from a data breach and the possibility—or perhaps likelihood—of government investigations and private litigation. Read these articles to gain deeper insight into:
- The role that the board of directors should play in preparing for and responding to a data breach;
- Strategies for preserving attorney-client privilege when hiring a third-party forensics firm to investigate a breach;
- The pros and cons of making voluntary disclosures to law enforcement after suffering a breach, as well as the appropriate law enforcement agencies to contact;
- The types of claims that plaintiffs’ attorneys often bring in data breach litigation and possible defenses to those claims;
- Multidistrict Litigation (MDL)—the consolidation of multiple suits stemming from the same breach—and its potential impact on both the course and the outcome of the litigation;
- And more.
It is our hope that the “Beyond the Breach: Through the Lens of a Litigator” articles will provide you with helpful insights into what you can do after a data breach to support your organization for the inevitable legal battles ahead.
- Client Alert
Litigation Readiness: Seven Things to Keep in Mind
Data breach class actions continue to rise, following almost inevitably from nearly every major security incident. Here are seven things in-house counsel can do to prepare for that anticipated litigation.
- Client Alert
Six Considerations to Preserve Privilege
This article in the Beyond the Breach series explores how organizations and their in-house counsel can structure their breach investigations from the get-go to bolster privilege.
- Article
What Should Boards Think About After a Breach?
Thanks in no small part to a breach’s potential impact on organizations’ bottom lines, cybersecurity has become a top-of-mind concern for boards of directors.
- Client Alert
The Benefits and Risks of Notifying Law Enforcement
In the wake of a data breach, one of the key questions an organization will face is whether to inform law enforcement of the incident.
- Client Alert
Communicating with the SEC When Your Organization Suffers a Cybersecurity Incident
If there was ever doubt before, the Securities and Exchange Commission (SEC) has made clear that it expects public companies and registered entities to promptly assess the materiality of cybersecurity incidents and make swift disclosures of material incidents.
