Best Practices: Responding to a Data Breach
April 17, 2014
This is part three of a three-part series from Brandie N. Weddle and Laura J. Butte of Arnold & Porter LLP on preventing, mitigating, and responding to a data breach.
Businesses should invest time and resources up front to develop an initial response plan for a data breach. A well-developed response plan should be drafted with input from all relevant stakeholders and technical experts, including information technology, human resources, in-house and possibly outside counsel, and the business units. A well-thought-out plan enables a business to get in front of a data breach and potentially limit both its liability and the reputational consequences.
An initial response plan should include, among other things:
- A named spokesperson for the company and a draft statement.
- A named designee responsible for implementing the plan, including counsel and technical experts.
- A named designee responsible for notifying stakeholders.
- A determination of mandatory notification obligations, including to federal authorities, law enforcement agencies, consumer reporting agencies, and consumers.
- Preliminary thoughts on what to offer potential victims in terms of credit monitoring.
Failing to implement the protective measures mentioned above will save businesses money in the short term. In the long term, however, failing to prevent and plan for a data breach can result in considerable expense in the form of litigation costs arising from enforcement actions by the Federal Trade Commission, state attorneys general, and the Department of Justice, and from consumer class actions.
Finally, it is important to remember that businesses considering whether to draft a data protection plan are not forced to choose between an ineffective data protection plan and a Cadillac data protection plan. The tools described above are effective, can be made to scale, and will go a long way toward preventing, mitigating, and responding to a data breach.