Law enforcement has been warning for years that an organization’s next data breach is not a matter of “if,” but “when.” In today’s cyber climate, it is virtually inevitable that all companies will experience a security breach at some point during their life cycles – what is crucial to surviving such an incident is an effective breach response strategy. As regulators reduce the time for data breach reporting, M&R attorneys are prepared to swiftly respond in the event of a data breach, coordinating with requisite vendors (e.g., forensics, network recovery, public relations and insurance) as well as law enforcement and industry regulators during this critical time. We also help businesses navigate the relevant maze of state and federal breach notification requirements. While satisfying clients’ applicable reporting obligations, the firm additionally focuses on maximizing the amount of attorney-client privilege protection allowed by law.

Particularly in the face of new GDPR regulations on data collection and processing, it is important for businesses to develop clear internal policies specifying the types and intended uses for collected consumer data. Both in the U.S. and overseas, companies must understand that indiscriminate data collection (collecting customer information with no immediately identifiable business purpose) and mismanaged data governance can be problematic, resulting in unnecessarily potential liability in the event of a data breach with no offsetting organizational benefit. Also, businesses that collect data from a myriad of sources subject to a wide range of use restrictions must tread lightly given the difficulty in identifying how such information can be utilized. Our attorneys can prepare key data governance policies and counsel clients on how to align data collection and disclosure practices with current and future business plans. At the same time, the firm provides advice regarding risk assessment, management, and strategies to (1) expand potential uses for collected data and (2) open up actual or pseudonymous data sets for use in analytics, monetization or other purposes.

When security breaches result in lawsuits, we provide aggressive representation of our clients’ business interests. Lawyers in the firm’s Commercial & Business Litigation Practice Group are well versed in cybersecurity issues and poised to demonstrate client compliance with the ever-evolving best practices in the world of cybersecurity. The firm is always mindful of clients’ business goals when developing litigation strategies, and stands ready to zealously litigate cybersecurity cases from beginning to end. Our cybersecurity team can provide valuable counsel when resolving such litigation, discussing settlement ranges based on the scope of sensitive data involved, litigation trends (including shareholder suits against officers and directors for lack of cybersecurity due diligence and prioritization), as well as potential C-suite fallout as a consequence of cyber events.

The optimal time to prepare for a potential cyber incident is before a costly breach occurs. Toward that end, our cybersecurity team helps clients prepare tailored cybersecurity policies and Incident Response Plans (IRPs). IRPs allow companies to more easily identify potential threats in their security environments, implement systems for reporting such threats to key stakeholders, and provide roadmaps for satisfying state and federal regulatory compliance obligations in the event of a breach. When it comes to cybersecurity, one size does not fit all, which is why M&R’s cybersecurity policies are tailored to address the unique structure and geographic composition of each of our clients, as well as the responsibilities and capabilities of their key personnel.

Cybersecurity and data privacy are hot issues on the minds of many regulators, both in the U.S. (at the state and federal levels) and internationally. M&R advises companies on the ongoing compliance mandates in jurisdictions around the globe, and provides insight into how new and developing legislation will likely be enforced in a myriad of industries.

• Insurance/Financial Services – With the adoption of cybersecurity requirements by the New York Department of Financial Services and a pending data security model law proposed by the National Association of Insurance Commissioners (NAIC), insurance and insurance-related companies as well as brokers, agents and adjusters are now (or, outside New York, will soon be) under similar cybersecurity regulatory obligations as health care providers (under the Health Insurance Portability and Accountability Act (HIPPA)) and financial institutions (under the Gramm-Leach-Bliley Act (GLBA) and SEC regulations).
• Retail – The Federal Trade Commission has opined that inadequate cybersecurity measures could be deemed an “unfair trade practice” if there is a substantial likelihood that consumers could be injured as a result. While retail has traditionally been an industry with little cybersecurity regulatory oversight in the U.S., this model is quickly changing with the rapid increase in data breaches of large retail chains. We help our retail clients establish the cybersecurity and privacy policies to both improve on preparedness to resist a cyberattack, as well as the data minimization strategies to effectively mitigate any resulting harm to consumers.
• Healthcare – HIPAA’s Security Rule has been in effect behind the scenes since 2005, but it has received substantially less attention than more consumer-facing privacy rules. Nevertheless, with the ever-increasing risk of cyberattacks against healthcare providers (particularly the debilitating effects of ransomware attacks that can result in shutdowns and terminate treatment), it is incumbent upon such providers and their business affiliates to develop robust cybersecurity and data privacy programs. The firm crafts comprehensive and enforceable policies that are critical when it comes to demonstrating due diligence in the face of an OCR investigation.

An Incident Response Plan should not be executed for the first time in response to an actual emergency. For this reason, we train our clients’ key C-suite and information security personnel to respond to simulated attacks using real-world tabletop exercises. These safe and controlled exercises help stakeholders to fully grasp and internalize the reality of cyber attacks and their impact on business operations. They also prepare executives and staff to confidently respond when actual breaches occur, using the skills and tools developed through this comprehensive training.