
Continuing Legal Education notes – Managing the Existential Data Breach (Lexis Webinar)

by merlin on March 12th, 2014

Managing the Existential Data Breach (Lexis Webinar CLE)

 March 12, 2014

John Kropf

  • Senior Counsel, Privacy and Information Governance (formerly with Reed Elsevier)


The Foundation: A Comprehensive Set of Controls and Procedures:

1. Organizational Commitment to Data Privacy

2. Personal Data Inventory:

  • Where does data reside?
  • Who has custody and control?
  • How sensitive is the information?
  • Applicable legal standards (e.g., data subject to EU regulations, Asia-Pacific rules, etc.)

3. Documented Data Privacy Policies (ex. Website privacy policy)

4. Risk assessment and mitigation (does the organization regularly assess and mitigate the risk to the data?)

5. Documented program to regularly train employees in policies and procedures

6. Breach incident management program (builds processes and assigns responsibilities for dealing with data breaches)

7. Service provider management (what can be shared with outside third parties and what can’t?)

8. External communication – dedicated line of communication to ensure immediate knowledge of incidents

9. Oversight and review (complete plan: who checks it, and what standards govern?)

10. Regularly assess and revise as needed


CLE:  SPze9o


David Katz

  • Partner and Head of Privacy and Information Security Practice Group (Nelson Mullins Riley & Scarborough)


Have a plan (ex. who is responsible for responding to what, and how); be prepared to quickly gather the facts needed to analyze notification obligations.

  • Assemble outside experts
  • Determine scope of investigation
  • Determine applicability of Attorney-Client privilege
  • Be prepared to: communicate, and make a record


Proactive versus Reactive Risk Management:

World of budgets versus “get me out of trouble no matter what it costs”


Involve outside counsel in the risk management preparation to preserve the privilege.



  • Ex. Why you did what you did, when you did it, etc.
  • There needs to be an internal script within the company for communication with employees, customers, etc.


PRACTICE THE PLAN – if you delay, it could be a very expensive mistake in the long run.


Notification Obligations

  • 46 States (+ Puerto Rico) have statutes addressing data breaches and confidential info (ex. SSN, credit card numbers, debit card numbers, etc.)
  • 17 States permit a PRIVATE CAUSE OF ACTION
  • 7 States require notification within a specific time frame
  • 3 States trigger notice on unauthorized access alone (no proof of acquisition or misuse needed)
  • These standards differ, so the analysis has to be done State by State!!!



Internal communications: Need to speak with one voice consistently throughout the organization.


Oliver Brew, CIPP/US, CIPM

  • Vice President, Specialty Casualty (Liberty International Underwriters)


Standard insurance: DOESN’T TYPICALLY COVER DATA BREACHES (viewed as intentional crime)


First Party Coverage

  • Includes breach notification coverage
  • What about loss of access to online service (business interruption)


Third Party Coverage

  • Breach liability – civil, punitive
  • Public Relations




Application Process:

  • Broker makes a risk assessment (including nature of risks and stakeholders involved)
  • Application itself
  • Obtaining quotations (finding the insurance providers; there are far more now than a decade ago, but the number of carriers willing to quote only multiplies for low-risk applicants)
  • Finalize terms
  • Bind coverage


In the event of an “incident”, when should client notify insurer?

  • Point of breach?
  • Point of loss?
  • When other people become aware?


What about deliberate or malicious acts (ex. Rogue employee insiders)?

What about contract indemnification issues?


Adam Miller (CA Supervising Deputy Attorney General, Privacy Protection and Enforcement Unit)

  • CA “Safeguards” Law: a business that maintains personal information about CA residents must implement and maintain reasonable security measures to protect it
  • A person who conducts business in CA and keeps that information in a computer database has to disclose a breach within a reasonable time (ASAP)
  • Remember the “safe harbor” provision: notice is only excused if the compromised data was encrypted


Too much focus on attorney-client privilege as a means to HIDE documents; instead, try honesty and a good plan.


2nd CLE:



From the Q&A:

Cloud services – MUST ensure that service is trustworthy

Practice good data hygiene (delete data you don’t need)

Protect passwords, etc.

It costs money to do it right

Discovery: anything you create is potentially discoverable, so use the privilege when it is applicable, and more frequently once litigation becomes “reasonably likely”






