Anatomy of a Data Privacy Breach

5 steps to mitigate risk and protect your company

When a data privacy breach occurs at a company, time is of the essence. The attacker may have stolen sensitive financial data, credit card information, Social Security numbers, sensitive health data, or other personally identifiable information about the company's customers and possibly its employees.

At the same time, the company's business reputation, customer base, and financial assets are at risk. Other risks the company may face include class action litigation, an enforcement action by the FTC (Federal Trade Commission), and significant costs associated with remediating the breach and notifying the affected parties. Because a breach must be addressed quickly, there are several key steps a company should take.

Engage Outside Counsel

Hiring outside counsel can help ensure that the investigation of the breach is protected by the attorney-client privilege. Note that the privilege protects communications concerning the breach investigation, not the fact that the breach occurred. Nor can the privilege be used as an umbrella to nullify notification requirements under state and federal law.

Consider Hiring a Forensics Examiner

A forensics examiner can often quickly determine the causes of the breach. By having outside counsel engage the examiner, the investigation falls under the attorney-client privilege.

It is often advantageous for a company to retain its own forensics examiner under privilege even when a separate organization requires its own examiner. For example, in a breach investigation involving a retailer, the payment card brands may require the retailer to engage a particular forensics examiner. The company should still retain its own examiner working under the attorney-client privilege: because the other examiner's investigation is limited in scope, the company's own examiner may discover additional security problems that the other examiner does not.

Involve the Internal Data Security Team

This team most often consists of:

  • inside counsel
  • outside counsel
  • the chief technology officer
  • public relations

With respect to public relations, it is important to engage a key member of the PR team who understands the sensitivity of the breach and the need to report on it only when necessary. That PR member will also assist with all written and verbal communications to the company's internal and external audiences.

Analyze and Determine Data at Issue

Counsel should also analyze and determine the data at issue, the location of the affected customers, and the applicable notification laws. If the company is dealing with protected health information, it must consider the HIPAA and HITECH rules and guidelines. If the company is dealing with credit card information, it should review its agreements with the payment card brands and notify the brands of the breach.

Location also matters. Consider where those affected by the breach are located: states have disparate notification requirements when personally identifiable information is at issue, and depending on the type of data, state and federal regulators in the U.S. may need to be notified. If the company has affected customers or employees outside the U.S., it is equally important to consider the regulations and laws of those countries.

Notify Affected Parties

Once counsel has determined the data at issue and the specific notification requirements, notification should be issued to all affected parties in a clear, succinct, and precise manner. In some circumstances, the company may consider offering credit monitoring services or even a gift card to keep customers satisfied. Depending on the scope of the breach and the legal requirements at issue, a key public relations person should be involved in communicating the breach to the public.

Swift action in response to a data privacy breach is critical. Improper action can diminish the customer base, lead to lawsuits, and harm the company's business reputation; proper action can mitigate these risks. Preparing for a potential data breach and putting a response team in place ahead of time is a key way to mitigate risk and protect the company.