This resource is continually monitored and revised for any necessary changes due to legal, market, or practice developments. Any significant developments affecting this resource will be described below.
Data Breach Toolkit
Resources to assist counsel in preparing for and responding to a data breach incident. This toolkit includes resources that address risk mitigation and data security preparation, data breach laws, and data breach notification.
Data security breaches are a key risk area for businesses. A business that suffers a data breach incident may incur significant expenses, including costs relating to:
Investigating and containing the breach.
Notifying affected individuals if the breach affects individuals' personally-identifiable information ( www.practicallaw.com/1-501-9145) (PII).
Government fines and private lawsuits.
Reputational damage and lost business.
Because currently there is no uniformly applicable federal law that applies to data breaches that affect PII, assessing legal obligations in the event of a breach requires looking to several sources. Sector-specific federal laws, such as the Health Insurance Portability and Accountability Act of 1996 ( www.practicallaw.com/1-501-6222) (HIPAA), may apply. In addition, nearly all states, the District of Columbia, and US territories have enacted laws that require notification of individuals, and sometimes regulators, if state residents are affected.
An effective breach management process can help minimize risk. The data breach management process includes:
Preparation and risk management.
Incident investigation and legal assessment.
Notification of affected individuals and other entities, if required.
Post-incident review and management.
This Toolkit contains continuously maintained resources that provide practical guidance on many aspects of the data breach management process. For a tool to compare state-specific requirements under state data breach notification laws, see Data Breach Notification Laws: State Q&A Tool ( www.practicallaw.com/3-578-0925) .