Information Security & Data Breach Response
Information security is one of the greatest challenges companies face today. We help our clients succeed with solutions that are legally sophisticated, technically savvy, and operationally practical.
Will You Be Ready if a Breach Occurs?
Our Information Security & Data Breach Response Team provides resources to help you develop your information security and incident response programs. For a more customized approach, contact a member of our team.
This guide is intended to provide general information and considerations when preparing for and responding to a ransomware attack.
IR workshops from our information security team can help you evaluate the risks and identify priorities that are unique to your organization.
Use this summary to help answer questions about state data breach notification requirements.
Our latest thinking on attorney-client privilege.
24/7 Breach Response Team
Assistance with assessing and responding to security incidents, structured to limit legal liability, preserve system assets, and protect your business reputation.
Overview
Legal Expertise
We don't dabble in information security law—we live it every day. From broadly applicable data breach and security laws to technical, sector-specific requirements, our legal advice is shaped by years of experience focused on information security.
Technical Savvy
Understanding our clients' technology is essential to our practice. We believe that only by engaging with complex technical issues can an attorney truly understand the legal risks and challenges that technology creates. Where other attorneys throw up their hands, our team digs in.
Practical Approach
We deliver actionable legal guidance tailored to your organization. We can help you turn esoteric legal requirements into concrete policies and practices that support both your compliance needs and business goals. We'll help you evaluate your legal risks and develop solutions that make both legal and business sense.
Areas of Practice
Complex Incident and Breach Response
We advise our clients on all aspects of the incident response process, including:
- Engagement and oversight of forensic investigators
- Internal investigation
- Ransomware response strategy
- Maintenance of attorney-client privilege and attorney work product
- Document preservation and legal hold
- Communications management and strategy
- Assessment and execution of notification obligations
- Law enforcement and regulator engagement
- Business continuity management and mitigation
- Recovery and remediation
- Pre-litigation counseling and disputes management
Our incident response team is available 24/7 on our breach response hotline (844-GoToDWT).
Incident and Breach Readiness
We help our clients sharpen their incident response skills through a variety of innovative service offerings, including:
- Board and management-level tabletop exercises
- Incident response team tabletop exercises
- Incident response plan and playbook development
- Investigation readiness assessments
- Forensic investigator/vendor pre-engagement
- Business continuity/disaster recovery planning
Security Strategy and Compliance
Our team helps clients formulate legal and business-oriented information security strategies. We advise on compliance with information security laws and frameworks, including in the areas of:
- State data breach and data security laws (e.g., 201 CMR 17.00 and the New York SHIELD Act)
- Financial services (e.g., GLBA, FCRA, CFPB, OCC, NY DFS Cybersecurity Regulation, and state insurance laws)
- Healthcare (e.g., HIPAA and HITECH)
- Government contracting and critical infrastructure (FedRAMP, CMMC, DHS/CISA, and cybersecurity executive orders)
- Computer crime and electronic surveillance (e.g., CFAA, ECPA, and SCA)
- Securities and commodities regulation (e.g., SEC and CFTC)
- Consumer protection (e.g., FTC and state AGs)
- Telecommunications (e.g., Cable Act, CPNI regulations, and FCC)
- Internet of Things (e.g., FTC and NIST guidance, and CA and OR laws)
- Energy (e.g., NERC and TSA)
- Payment card industry (PCI DSS, PA-DSS and related standards)
- Self-regulatory and voluntary frameworks (e.g., NIST Cybersecurity Framework, ISO 27001, NIST SP 800-53, NIST SP 800-171, CIS Controls, SOC, and HITRUST)
- International data security laws
Security Assessments and Program Development
We help our clients take their information security programs to the next level with a variety of program assessment and development services. Our attorneys frequently coordinate with our stable of cybersecurity experts and other partners to deliver assessments that can seamlessly combine legal, operational, and technical expertise. Our offerings include:
- Policy and procedure development
- Risk assessment (including under HIPAA, GLBA, NY DFS Cybersecurity Regulation, state laws and regulatory frameworks)
- M&A and transactional due diligence assessments
- Control and gap analyses
- Investigation and audit readiness assessments
National Security and International Trade
Working closely with DWT's international trade, investment and national security team, we advise on the information security aspects of many national security and international trade laws and regulatory regimes, including:
- CFIUS and FIRRMA
- OFAC sanctions
- Bank Secrecy Act, FinCEN, and AML regulations
- Supply chain and government contractor security
Our Resources
Privacy & Security Law Blog
Summary of U.S. State Breach Notification Statutes
Incident Response Workshops
Whether you have an existing incident response (IR) plan in place or are looking to bring an informal program up to scale, IR workshops from our information security team can help you evaluate the risks and identify priorities that are unique to your organization.
Representative Experience
- Represent a telecommunications conglomerate in various information security matters, including investigating and responding to incidents, some of which resulted in the disclosure of consumer information and required consumer and governmental notifications.
- Advised e-commerce companies on incident response plans for information security incidents and data breaches.
- Provided counsel on compliance with HIPAA and other health information privacy and security laws, including the successful resolution of an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) of a reported breach that had the potential to result in millions of dollars in civil monetary penalties. Facilitated the client’s response, and OCR closed its investigation without financial penalty or settlement.
- Assisted a consumer products company in investigating a ransomware attack on a website that collected personal information from European residents. Developed the forensic evidence necessary to determine that personal information was not put at risk.
- Conducted incident response for a medical services provider addressing a breach in a recently acquired asset. Guided the provider through analyzing the acquired company's network, remediating the security incident, and securing its own network against exposure from the acquired company.
- Conducted incident response for a publisher that was the victim of a spear phishing campaign that compromised personal information of U.S. and EU residents. Coordinated the forensic investigation, breach notification, and regulator communication.
- Conducted incident response for a software developer that was the subject of a ransomware attack. Assisted with payment of the ransom and decryption of data, law enforcement coordination, transition to a new network structure, and other remediation activities.
- Advised a book publisher that mailed information to the wrong contractors. Coordinated breach notification, identity theft monitoring, and regulator communication.
- Identified a spear phishing attack on a nonprofit client that had suspected an employee of committing fraud, and guided the client through remediation.
- Advised a religious institution that suffered an attack by a disgruntled employee. Drafted a demand letter and recovered the stolen data.
- Advised a restaurant client on data misuse by a franchise, including data ownership issues not directly addressed in the franchise agreement.
- Served as data breach counsel to a regional health plan for a series of potential data breaches that could have affected tens of thousands of the plan’s members, including analyzing the breach notification obligations under HIPAA, the federal notification law, and the laws of all 50 states and certain U.S. territories. Also developed multiple notifications to individuals, government regulators, and consumer reporting agencies to meet all of these requirements.