Data Breaches and Legal Responsibilities: What Businesses Need to Know

October 2, 2023

Data breaches present significant risks for companies and institutions of all sizes and industries. Whether the cause is hacking, phishing, or another form of cyberattack, a breach that exposes customer, patient, or other personally identifiable information (PII) can lead to private civil litigation and governmental enforcement action, and it can cause significant financial harm and reputational damage to the targeted entity.

When faced with a data breach, entities must respond promptly. The legal responsibilities that apply vary by entity and by the data involved: federal agencies ranging from the Federal Trade Commission (FTC) to the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) impose their own response, notification, and reporting requirements. Entities are also likely subject to state breach notification laws and contractual obligations, and perhaps to international regulations as well. Because a breach can threaten a company's business continuity, organizations must carefully, and quickly, navigate every pertinent requirement as part of effective risk mitigation.

5 Key Questions for Responding to a Data Breach

Given the wide range of legal responsibilities an entity may have after experiencing a data breach, determining the next steps after a breach involves answering several key questions. These questions include (but are not limited to):

1. What is the Scope of the Breach and What Data Were Compromised?

Following a data breach, the entity's obligations will depend, in part, on the scope of the breach and the nature of the compromised data (for example, which notification laws apply turns on what categories of data were exposed and whose data it was). Ascertaining this information is therefore a critical first step toward assessing and addressing the entity's legal responsibilities.

2. Is the Breach Ongoing? How Can (and Must) the Entity Address the Vulnerability?

It is also critical to assess whether the breach is ongoing. If so, the entity's top priority should be terminating the unauthorized party's access as quickly as possible. Containment should be carried out in a way that preserves logs and other evidence, because the scope assessment in question 1 and any later litigation depend on them. Regardless of whether the breach is ongoing, the entity must also work quickly to identify the source of the intrusion and remediate the vulnerability that led to the breach.

3. What Are the Entity’s Breach Notification Obligations?

In many cases, entities will have statutory, regulatory, and contractual obligations to notify third parties (e.g., customers, patients, vendors) whose data have been compromised. Many of these obligations carry fixed deadlines, so targeted entities must promptly assess their breach notification obligations and ensure that they comply in a timely manner.

4. What Are the Entity’s Breach Reporting Obligations?

Entities that experience data breaches may have governmental reporting obligations as well, and these often run on short timelines. Entities should therefore have plans and procedures established ahead of a breach so they are well-positioned to respond quickly and to ensure compliance with their regulatory and contractual obligations.

5. What Legal Threats Is the Entity Facing?

Even if a targeted entity meets its breach notification and reporting obligations on time, it can still face various legal threats as a result of a data breach. To mitigate litigation risks, enforcement actions, and reputational damage, entities that experience data breaches must comprehensively assess these threats while concurrently addressing their statutory, regulatory, and contractual obligations. The best approach to mitigating these threats is to have a sound plan in place before a breach occurs.

Speak with a Data Privacy and Protection Lawyer in Confidence

If you need to know more about the legal responsibilities and risks that arise after a data breach, we invite you to get in touch.