Tips For Navigating U.S. and International Data Breaches

by K&L Gates LLP

Navigating today’s complex legal and regulatory framework surrounding data breaches can be a daunting process for even the most sophisticated organization. In the United States, there is not currently a national uniform data breach notification law. Instead, organizations experiencing a data breach face a patchwork of, to date, 47 different potentially applicable state laws, in addition to industry-specific federal laws such as Gramm-Leach-Bliley.

Adding to the complexity, more data is being stored in the “cloud,” thereby allowing potentially sensitive information to move more seamlessly across country borders, and requiring organizations to be familiar and compliant with international laws and regulations.

Understanding the various and changing state, federal and international laws and regulations will be increasingly important for organizations moving forward. In addition to keeping pace with evolving state, federal and international laws, organizations will need to ensure that effective data breach and cybersecurity incident response plans are in place to address breach incidents — whether they are local or global in nature.

Federal and Foreign Standards — A Renewed Focus on Data Breach Regulation
With the recent rise of highly publicized breaches top of mind, several efforts have been made by congressional committees aimed at forging a comprehensive federal data breach notification law. Although lack of consensus on specific issues related to the preemption of state laws has halted this progress in the past, federal legislation is once again a top priority for lawmakers.[1] Legislators in several states are also considering expanding existing breach notification laws by being more prescriptive about what information must be included in a notice. This may include such information as the time of the breach and the type of data affected.

On an international level, stricter data breach notification requirements are already underway. The European Union implemented new data breach requirements last August, requiring telecommunication operators and Internet service providers to notify national data protection authorities within 24 hours of detection of a theft, loss or unauthorized access to customer data, including emails, calling data and IP addresses. The EU is now also considering expanding this requirement to all commercial sectors.

Data Breach Preparedness — Going Beyond the Regulatory Checklist
The number of data breaches is anticipated to continue to increase throughout the year, both within the U.S. and across the globe. Between January and March of 2014 alone, nearly 200 million data records were stolen, the equivalent of approximately 93,000 records stolen every hour. This is an increase of 233 percent over the same period of time last year.[2] These facts, together with the specter of more — and more stringent — laws and regulations present organizations with increasingly important and complex data breach response issues.

Unfortunately, most U.S.-based organizations do not appear to be sufficiently prepared to deal with an impending data breach incident. Even after experiencing a breach, a surprising 39 percent of companies surveyed last year indicated they still have not developed a formal data breach response plan.[3] And since 2001, the Federal Trade Commission has brought more than 50 cases alleging that organizations failed to protect consumers’ personal information. Generally, settlements with the FTC require companies to implement a comprehensive information security program and undergo evaluation every two years by a certified third party.

Facing increased regulatory scrutiny, organizations are advised to work closely with legal counsel to ensure that they are prepared to comply with state, federal and international laws and regulations and otherwise are best positioned to mitigate the fallout of a breach incident — both financial and reputational.

1. Develop a Diverse Response Plan
According to research from the Ponemon Institute, having an up-to-date response plan can save a business nearly 25 percent per compromised record.[4] The average cost of a breach in the U.S. last year was $188 per record, with each breach reportedly exposing an average of 23,647 records. At that rate, a 25 percent reduction could save a company $1.1 million per breach.

Organizations are advised to have a diverse response plan in place that clearly outlines protocols and a response team for security incidents, with scenarios mapped out for both the U.S. and abroad. Just as data breach regulations evolve, so should a data breach response plan. It is important for an organization to regularly audit and adjust its preparedness plan in order to include new technologies and address changes in the legal, regulatory and security landscapes.

2. Engage Outside Legal Counsel
Many law firms have attorneys that are dedicated to assisting organizations in developing effective breach incident response plans, including a protocol for who to call within the organization. Additionally, the protocol should identify which law firm “breach coach” to notify, along with the other responders (preapproved by the organization, its outside counsel, and preferably the organization’s insurance carrier) that will undertake critical crisis management functions, such as notification to persons whose personally identifiable information or protected health information may have been compromised, credit monitoring, call center services, forensics, and public relations efforts. Effective incident response and crisis management planning can greatly mitigate an organization’s financial and reputational fallout following a data breach incident.

In addition to formulating an effective breach response plan, the engagement of outside counsel first in the wake of a breach incident, before other breach responders, will preserve, to the extent possible, the attorney-client privilege and the work-product doctrine.

3. Communicate With Customers
Part of an effective response plan is ensuring quick, clear communication with potentially impacted individuals and providing guidance and next steps on how they can protect themselves. Open communication following a breach can help maintain trust and preserve brand reputation — arguably an organization’s most valuable asset.

It is also important to note that cultural and language differences may affect how customers respond to a data breach and to notification materials. When managing an international breach, it can be beneficial to seek counsel on how to mitigate any issues that may arise from these differing standards and how to communicate effectively.

Regardless of the legislative environment, data breaches present a substantial business risk to organizations both in the U.S. and across country borders. Creating a diverse security incident response plan and proactively engaging with legal counsel, local authorities and forensics experts will enable companies to better handle an incident when it occurs.

[1] Experian Data Breach Resolution Legislative White Paper, “Policymakers Renew Focus on Data Breach Laws,” 2014

[2] SafeNet, “Breach Level Index (BLI),” April 2014

[3] Data Breach Response Guide, April 2013

[4] Ponemon Institute, “Cost of a Data Breach Study: Global Analysis,” 2013
