Corporate Compliance Insights
Understanding the Legal Implications of Post-Data Breach Public Statements

You may be required to disclose data breaches, but legal considerations don’t begin — or end — there

by David Balser
July 13, 2022
in Compliance, Data Privacy
Data breaches will continue to occur, and when organizations are targeted, they may be subject to multiple state and federal laws requiring public disclosure. But as David Balser explains, how and when to reveal a breach isn’t a cut-and-dried issue.

When a company discovers that it has been a victim of a data breach, it is essential to act quickly. In particular, an issue of critical importance is when and how a breached company discloses the data breach to customers, business partners, regulators and the general public. 

With respect to public-facing statements specifically, it is critical to be mindful of how such statements could be used against the company in any future litigation or regulatory investigation that may arise out of the breach. In some cases, the most beneficial statements from a business or public relations perspective may have the potential to create exposure in and complicate subsequent litigation.

There are obvious benefits to waiting until a company has a complete understanding of the cause and scope of the breach before making a public disclosure. But there are a host of statutes that require notification to affected individuals within a particular time period and provide a private right of action to assert a claim if the breached company fails to give the required notice. 

These statutes currently exist in all 50 states and vary in how quickly they demand notice to be made to impacted consumers. For example, Washington requires notice within 30 days of discovering the breach. (Wash. Rev. Code § 19.255.010 et seq.) 

Other states adopt a less clear-cut standard, requiring “immediate” notice or notice within a “reasonable” timeframe. For example, Georgia requires that notice “be made in the most expedient time possible and without unreasonable delay.” (Ga. Code Ann. § 10-1-912.)

And while many of these state statutes allow a company to delay notice to determine the scope of the breach and ensure that impacted systems are remediated, they do not permit the breached company to delay notice until it has investigated every fact that could be relevant to how and why the breach occurred — facts that will be key to assessing liability in any future litigation. 

Moreover, the patchwork of state and federal notice laws, which impose different notice deadlines and content requirements, makes a company’s response efforts even more challenging. In short, a breached company must provide notice quickly to avoid violating notification laws, while at the same time avoiding the risks associated with making incomplete or inaccurate statements about the facts of the breach.

Further, the language used in public disclosures can significantly impact future litigation, as illustrated in recent decisions involving plaintiffs’ Article III standing to assert data breach claims in federal court. 

The issue of standing has become increasingly important in data breach cases. And at least at the motion-to-dismiss stage, there can be a critical distinction between plaintiffs who allege that their personal information was stolen versus those who merely allege that their data may have been stolen. For example, in a recent case in Arizona, the court focused on the precise language of the notice sent by the breached company to consumers and found that the plaintiff had failed to allege an injury for purposes of standing because the notice said only that the “Plaintiffs’ personal information ha[d] been potentially accessed.” Thus, when a company sends notice to consumers but has not determined that their personal information was, in fact, stolen, including appropriate caveats in the notice may dictate whether the consumers even have standing to sue the company in federal court (or state courts bound by an Article III analog).

Breached companies should also be wary of including language in notices or other public disclosures that arguably amounts to an admission of fault. While a company may have legitimate business and PR reasons for wanting to simply admit that it made a mistake and apologize for any inconvenience caused by the breach, statements of this kind can be problematic in future cases where the company is defending itself against liability and may need to take positions in tension (or inconsistent) with the company’s earlier statements. Statements like “we’re sorry we let you down” and “we failed to provide the level of service our customers expect” could be used by plaintiffs to paint the company as negligent or worse.

In a similar vein, there is also an inherent tension between warning customers that they are at risk and should take appropriate steps to address that risk, and not suggesting that future plaintiffs in a lawsuit were, in fact, harmed by the breach.

In that regard, it may be difficult to strike the right balance between doing what is right for customers and avoiding creating additional legal exposure. For example, by telling customers they are at risk and should monitor their credit reports and institute security freezes (language which is required by some state notice statutes), a company may arguably be telling future plaintiffs to incur “injuries” that may support negligence and other claims. Even if it turns out that the risk of harm from the data breach was low (or even non-existent), plaintiffs could argue that they spent time and incurred costs trying to protect themselves at the direction of the company. Such “injuries” have, under certain circumstances, been sufficient to establish plaintiffs’ standing to sue and to support their claims, at least at the pleading stage of a case.

Finally, statements made in the aftermath of a data breach can have meaningful implications for a company’s ability to protect key documents under the attorney work product doctrine. If the company references its outside cybersecurity or forensic firm’s work in its public disclosures about the breach (for example, by stating that the firm confirmed the scope of the breach and that all vulnerabilities had been remediated), it may be more difficult to protect that firm’s written findings later in discovery.

That is because in many jurisdictions, a report may only be protected as work product if the primary purpose for its creation was to assist the company in defending against anticipated litigation. Relying on the report to support the company’s public statements about the breach (an arguable business purpose) may give plaintiffs’ counsel fodder to argue that the primary purpose behind the report was business, and not legal, in nature.

All of the complicated issues discussed above highlight why it is critical to engage outside counsel immediately upon discovering a data breach. Moreover, the speed at which key decisions must be made after a breach emphasizes the importance of having a well-established and rehearsed incident response plan in place before the breach occurs. 

It is also a best practice to involve litigation counsel (both in-house and outside counsel) in the formulation of key post-breach communications — including SEC filings, press releases, statutory notices to consumers, responses to governmental inquiries and any other statements that will end up in the public domain. 

Once a harmful statement has been released, it is impossible to take it back. Relatedly, a breached company should involve its litigation counsel early on to think ahead about the types of claims the company might have to defend against if litigation ultimately ensues. 

After all, it is imperative to understand the potential theories of liability in order to ensure the company’s public statements are appropriate and consistent with positions it may need to take in future litigation.

Susan Clare, John Toro, Kent Jordan, Robert Griest and Daniel Sanders contributed to this article.

David Balser

David Balser is a partner at King & Spalding. He tries high-stakes cases on behalf of Fortune 500 companies and other leading businesses in the financial services, telecommunications, energy, transportation, professional services and private equity sectors. A fellow of the American College of Trial Lawyers, David leads the firm’s nationwide class-action practice and has defended more than 200 class actions, including many filed in the most plaintiff-friendly jurisdictions in the country.