Our established team has extensive experience in the wide spectrum of issues facing a client during the critical time of a data breach. Knowledge of and facility with privacy and cybersecurity laws, particularly security breach notification laws, are critical to this endeavor, but these issues do not start or stop with data breach notification. Most importantly, our team is experienced in applying their skills and talent in the hyper-charged environment that accompanies a sophisticated data loss event or network intrusion. Finally, if events lead to litigation, our litigators are well positioned to leverage the work of our early incident response team in that litigation. We have tremendous litigation capabilities, particularly in the class action arena that is so prevalent in connection with today’s data breaches.
Our vast and deep experience in this space has also made us particularly attuned to what companies should do before a breach occurs so they feel comfortable making decisions during a crisis situation and can demonstrate to regulators that the company has shown the requisite level of commitment to cybersecurity. Likewise, as cyber attack victims can now expect to be sued by consumers, shareholders and even business partners, among others, it is increasingly important that organizations be able to demonstrate that the steps they took to prevent security incidents and minimize the harm caused by successful attacks were sufficient.
Our preparedness experience includes structuring and implementing enterprise-wide privacy and cybersecurity policies and strategies; providing advice on board materials, structuring and reporting; monitoring domestic and international legal regimes to identify laws that apply to specific companies; conducting cybersecurity legal reviews; creating, improving and streamlining data breach response plans; and leading companies through tabletop exercises or other simulations to test those response plans.
To address the complex pre-breach issues, we offer the following preparedness services:
Incident and Data Breach Response Plan Development/Improvement
Drawing on our multidisciplinary team of attorneys, our team can help you develop and document an effective, security-oriented data breach response plan based on information gathered from the company, relevant regulatory and industry requirements and guidance, and our established templates and forms. We can help your company improve upon its existing response plan by identifying areas for improvement and any regulatory or contractual gaps, taking advantage of privilege protections to the maximum extent possible. In both instances, we help your company implement a practical, fact-based and realistic plan that is tailored to your organization’s specific needs.
The value of an incident response plan depends to a great extent on robust practice to stress test the plan and familiarize key company responders with the demands they will likely face in a material security incident. Our extensive experience in responding to data breaches provides us with a sophisticated understanding of how companies should effectively respond to various types of security incidents, including how best to ensure that company responses and investigations are protected by the attorney-client privilege and work product doctrine to the maximum extent possible. Leveraging this knowledge, we develop appropriate, realistic scenarios (based on real-world incidents) to test our clients’ data breach response plans through tabletop exercises and breach simulations. We also draw on our established relationships with third parties (forensics investigators, public relations/crisis managers and others) and enlist their help, as needed, to guide the company through the full lifecycle of a simulated breach response. Following the exercise, we provide the company with a comprehensive summary of recommendations to assist it in refining and reissuing its data breach response plan.
Advice to Public Company Boards and the C-Suite
In an era of increased cybersecurity scrutiny and litigation, it is important for public company directors and officers to prepare the company and themselves for cybersecurity-related risks. This is a particularly difficult issue as directors and officers are often not technically savvy and there are many other enterprise risks that require their daily attention. Additionally, the documentation that is used to inform directors and officers is often quite technical and detailed; however, it will become a focus of attention from regulators and plaintiffs’ lawyers after a breach. Boards and their advisors also have to consider cybersecurity risks as they establish reporting relationships, organize the board and select board members. All of this leads to a situation that requires extensive knowledge of the nuanced and extreme risks facing public company directors and officers in the context of today’s hyper-charged cybersecurity environment.
We routinely assist our public company clients with these issues. Our services include board-level and senior management information security and cyber risk presentations and/or training regarding their pre-breach and post-incident responsibilities, emerging trends in cybersecurity corporate governance and strategies to minimize cyber risk exposure. We educate boards on the importance of the “information lifecycle” and help companies achieve a clear understanding of the data they create, where it is located, how it is used and how it is retained. We also advise senior officers on day-to-day management of cybersecurity risks and on the preparation of board and officer materials so that the board and its advisors properly address cybersecurity risks with sound and balanced documentation. We routinely provide these services across the spectrum of publicly held companies, from relatively small and recently listed companies to some of the largest financial institutions and industrial concerns in the world.
Cybersecurity Legal Assessment
Our attorneys review and assess your documented, and undocumented, practices to ensure they will withstand regulatory scrutiny and are consistent with applicable standards. After identifying all applicable compliance obligations, legal requirements, guidelines and the like, we conduct a formal review of your practices against these identified benchmarks, taking into consideration factors such as organizational and programmatic maturity and budgeting constraints. Using the results of this assessment, we identify legal and strategic risks arising from gaps and recommend strategies for mitigating them in a prioritized, risk-informed manner. We protect this review to the maximum extent possible with the attorney-client privilege.
We also have significant experience developing vendor cybersecurity risk management strategies. As service providers and other vendors have been recognized in recent years as an effective attack vector for bad actors, managing cybersecurity risks with these third parties has become an essential exercise (and often, a legal requirement). Our services in this area include designing and drafting vendor management programs and procedures, conducting cyber risk assessments of existing and prospective contracts with vendors and drafting vendor agreements designed to minimize cyber risk, to name a few.
Legislative and Policy Advice
Drawing on our deep experience in data security, privacy, payments issues and regulatory investigations, Alston & Bird provides advice regarding the specific legal and regulatory concerns your company faces in terms of cybersecurity risk and compliance. We interpret the application of various data breach and privacy-related statutes and regulations as they apply to your company and provide practical advice regarding compliance. We constantly monitor this space for changes and updates to the law and provide advice on how those changes affect your company. Our attorneys stay informed of the types of security practices regulators deem to be reasonable or adequate (or unreasonable or inadequate) and can provide your company with a regularly updated, detailed checklist customized to your industry, summarizing both recommended security practices and inadequate security measures.