Checklist: Responding to a data breach (USA)

Updated as of: 16 June 2025

Introduction

This checklist will assist in-house counsel, private practice lawyers, and IT professionals to respond to a breach of the data held by their organization.

The checklist covers:

  1. Verify and investigate the breach and its scope
  2. Understand and assess legal obligations regarding notification and reporting

This list may be used in conjunction with How-to guides: How to manage your organization’s data privacy and security risks, and Incident response plan readiness and identification of a reportable data breach; and Checklist: Understanding privacy laws in the US.

Step 1 – Verify and investigate the breach and its scope

No.   Requirement
1.1   Understand what constitutes a breach
1.2   Consider whether a breach has occurred
1.3   Conduct a careful investigation into the extent of the breach
1.4   Determine the scope of the breach
1.5   Conduct a risk assessment of potential harm to data subjects

Step 2 – Understand and assess legal obligations regarding notification and reporting

No.   Requirement
2.1   Understand your organization’s legal obligations
2.2   Consider whether the type of data compromised in the breach requires reporting to data subjects
2.3   Consider whether the type of data compromised in the breach requires reporting to federal agencies
2.4   Consider whether the type of data compromised in the breach requires reporting to state officials
2.5   Consider whether the breach should be reported to consumer reporting agencies
2.6   Consider whether the breach should be reported to the media

Legal framework

There is no single source of privacy law in the United States. Privacy laws and practices stem from an array of sources including federal laws, state laws, common law privacy claims, and even pressure from the public to undertake certain privacy protections (eg, public pressure to apply enhanced protections for credit card information). US privacy law is an evolving patchwork of federal and state laws that often overlap with data security law.

See further How-to guide: How to determine and apply relevant US privacy laws to your organization.

Key considerations

Every US jurisdiction has laws that require an organization to provide notification of a data breach. There are differences between jurisdictions regarding the parties to whom notification must be given (eg, the persons whose data was compromised, law enforcement, etc.), the extent of the breach that will trigger notification requirements, and the content of the notification itself.

For additional information, see How-to guides: How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws, and Incident response plan readiness and identification of a reportable data breach.

Step 1 – Understand the need to verify and investigate the breach and its scope

The appropriate response to a breach depends on the nature and extent of the breach. Therefore, before a response can be implemented, the type of breach, as well as the number of persons affected by it, must be determined.

1.1 Understand what constitutes a breach

A ‘breach,’ for purposes of the laws requiring notification of a breach, will have a specific meaning that may be broader or narrower than a common understanding of the term. For example, New York General Business Law section 899-AA defines a ‘breach’ as ‘unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business’. Knowing and understanding the definition of ‘breach’ in each jurisdiction in which an organization operates or does business is essential for deciding whether a response is needed and, if so, what that response might be.

1.2 Consider whether a breach has occurred

A breach, however defined, could be so subtle or well-hidden that it goes unnoticed for a period of time. An undetected breach has the potential to do great harm, because responsive measures might not be taken in time to prevent damage. There are a variety of ways in which a breach might come to light, and your organization should be alert to these as methods of breach detection. They are set out below.

1.2.1 Monitoring by data security specialists

By continuously monitoring your organization’s network, systems, and devices for any suspicious activity, security specialists can detect and respond to potential threats, ideally before they can cause damage. This monitoring should include identifying and addressing vulnerabilities, implementing security patches and updates, and ensuring compliance with industry and regulatory standards. In short, monitoring by data security specialists is essential to ensure the protection of sensitive and confidential information from unauthorized access, theft, and misuse.

1.2.2 Presence of confidential data somewhere on the internet

The most common (and far and away the most embarrassing) evidence of a data breach is the presence of confidential data somewhere on the internet, whether in a chatroom or on the dark web. The discovery of such information is often the first indication that there has been a data breach. An organization should monitor social media and set up alerts to learn whether there has been discussion or some mention of a possible data breach (eg, a consumer might post about unauthorized charges being made on a credit card that hasn’t been used for some time; such unauthorized use may be indicative of a data breach).

1.2.3 Blackmail demands by unknown party

There are various ways that intruders may exploit data that they have wrongfully accessed. These include threats of denial of service (shutting down a company’s access to its own data systems) and threats of exposing expropriated data unless a monetary ransom or some other such consideration is provided by the company.

1.2.4 Evidence of a physical breach within facility

Data is often the most valuable commodity of modern companies. A physical break-in at a data storage or processing facility, or a break-in at a corporate office where terminals with access to the company’s data systems reside, should be viewed as a potential data breach, especially if it is not apparent whether anything of pecuniary value (ie, tangible property) was taken during the break-in.

1.3 Conduct a careful investigation into the extent of the breach

With the assistance of data examiners, company officials should investigate the breach, taking into account the following considerations.

1.3.1 Forensic exam by in-house or on-call data examiners

An in-house or on-call data examiner should collect and analyze data and log files to determine what information was accessed and, if possible, by whom. They should then work with IT staff to secure the system and prevent further access to data by unauthorized individuals.

1.3.2 Have other systems been compromised?

Modern systems are often closely integrated. Intruders can take advantage of systems with lighter security to reach systems that are more sensitive. A careful study of which, if any, other systems may have been compromised is always called for.

1.3.3 Has the investigation uncovered new data leaks?

A breach investigation is an ongoing process that may take weeks or months. As data becomes available, company officials should regularly reevaluate the company’s exposure and make new assessments on whether new reporting to data users or state and federal officials is required.

1.4 Determine the scope of the breach

Determining the scope of a potential data breach is the most important step in addressing that breach. For practical and legal reasons, the following is best practice.

1.4.1 Examine the type of data subject to the breach

Because there is no single data privacy law that applies to all data anywhere in the US, the type of data that has been breached will have an impact on the required response. An examination of the type of data subject to the breach will include consideration of the type and quality of information that has been compromised, such as whether it is healthcare information, financial data, or other types of PII. Throughout the process, examiners should document their findings and also provide recommendations for improving the security of the system.

1.4.2 Consider how many data subjects were likely to have been affected by the breach

The volume of data lost, in terms of how many data subjects were affected, is an important benchmark in the response to any breach. An organization’s response (including its reporting requirements) will often depend on the number of affected parties. Laws in many jurisdictions may set different breach notification requirements, or different options for making the required notification, depending on the number of parties affected. For example, the Pennsylvania Breach of Personal Information Notification Act provides that notice of a breach must be made by written notice to the affected individuals, telephone notice, email notice, or electronic notice on a website that prompts an individual to take action (eg, change a password). The Pennsylvania law permits an organization to make substitute notice – defined in the law as a combination of e-mail notice when the organization has an e-mail address for the subject persons, conspicuous posting of the notice on the organization’s website if the organization maintains one, and notification to major statewide media – if the cost of providing notice would exceed $100,000, or if the class of persons affected by the breach includes more than 175,000 people. It is best practice for companies to familiarize themselves with the data breach response laws of the jurisdictions in which they do business.

1.5 Conduct a risk assessment of potential harm to data subjects

Statutes and regulations will set out the minimum requirements for notification of data breaches. These minimum requirements may depend on the quality of information revealed by a breach. For example, South Carolina law requires notification of a data breach only if illegal use of the information has occurred or is reasonably likely to occur or if the use of the information creates a material risk of harm to a resident of South Carolina.

Having determined the volume of data that has been compromised (see step 1.4.2) and the types of data that have been compromised, such as whether it is healthcare information, financial or credit data, PII, or sensitive company information (see step 1.4.1), assess the value of the compromised data to the parties who misappropriated it and consider the potential harm to the data subjects.

Step 2 – Understand and assess legal obligations regarding notification and reporting

Notification requirements and procedures will vary according to a number of factors, including the type of data subject to the breach and the number of persons affected by the breach.

The laws that require notification of a breach set out precise processes for reporting or notifying of a breach. The laws will also set out the information that must be included in the notification. Therefore, it is important to have understood which laws apply in order to be able to understand what the reporting process is.

If the breach involved the data of only a few subjects then a full notification may not be necessary, depending on the law of the jurisdiction. Even if the letter of the law does not require notification of a breach, an organization may find it prudent to give notification, to avert possible civil liability or negative publicity. In such a case it is best practice to offer the affected parties some form of remediation of the harm or potential harm from the breach.

2.1 Understand your organization’s legal obligations

2.1.1 Federal laws

If a federal law applies, the organization’s obligations vary depending on which federal statute is in play. Under the Health Insurance Portability and Accountability Act (HIPAA), for example, data breaches affecting fewer than 500 people are treated differently from data breaches affecting more data subjects. In addition, for breaches affecting 500 or more persons, the U.S. Department of Health and Human Services must post a list of breaches of unsecured protected health information, as prescribed by Section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. As a rule, federal statutes apply to special classes of especially sensitive information, not to PII in general.

While the specific response requirements may vary depending on the details of the breach, it is important that the organization take immediate and appropriate action. For example, in one high profile case, the Federal Trade Commission (FTC) acted against the online alcohol marketplace Drizly and its CEO James Cory Rellas after it was reported that the company’s security failures led to a data breach that exposed the personal information of about 2.5 million consumers. Of significance to the FTC is the fact that Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers.

2.1.2 State laws

The rules on the protection of PII under state law vary by state. One important similarity is that most states mandate only the protection of the data of the residents of the state and any organizations doing business there.

2.1.3 Foreign laws

A company that does business with customers or vendors outside the US will very likely be required to comply with the law of the foreign jurisdiction when a breach occurs. For example, according to EU law, particularly the General Data Protection Regulation (GDPR), if a data breach occurs, organizations must report it to the relevant data protection authority ‘without undue delay’ and within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a high risk to individuals' rights and freedoms; this includes taking steps to contain the breach, assess its impact, notify affected individuals, and implement appropriate remediation measures.

2.1.4 Other legal obligations

Evaluate whether the data is subject to special requirements of regulatory agencies, or whether there are contractual obligations relative to the storage or protection of data. Data examiners should work with legal counsel to determine what regulatory or legal requirements must be met, such as reporting the breach to affected individuals or regulatory agencies.

2.2 Consider whether the type of data compromised in the breach requires reporting to data subjects

2.2.1 Healthcare information

HIPAA and the HIPAA regulations require that covered entities notify affected individuals in case of a breach of unsecured protected health information (PHI). The notification must be made without unreasonable delay, and no later than 60 days following the discovery of the breach. The notification must include a description of the breach, a description of the types of information involved in the breach, steps individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent further breaches, and contact information for individuals to ask questions and learn additional information. See the HIPAA Breach Notification Rule for additional HIPAA-related information.

For more information on the scope of HIPAA, see further How-to guide: How to determine and apply relevant US privacy laws to your organization.

2.2.2 Credit information

The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to notify customers if their non-public personal information (NPI) is compromised or at risk of being compromised by a breach. Regulations developed under GLBA require that notification must be made as quickly as possible, based on the institution's assessment of the nature and scope of the breach, to all affected customers, and to the appropriate regulatory authorities.

For more information on the scope of the GLBA, see further How-to guide: How to determine and apply relevant US privacy laws to your organization.

2.2.3 PII

State laws generally deal with the protection of PII, and standards vary between states. It is best practice to familiarize yourself with the data protection and reporting standards of any state in which you do business.

2.3 Consider whether the type of data compromised in the breach requires reporting to federal agencies

Federal law requires notification to federal agencies only in limited circumstances: breaches of health information (HIPAA) and incidents that must be reported to federal financial regulators (GLBA).

2.3.1 Department of Health and Human Services

Under HIPAA, covered entities are required to report breaches of unsecured protected health information (PHI) to the US Department of Health and Human Services (HHS). The breach notification rule applies to breaches of all sizes and types of PHI, regardless of whether the breach was intentional or unintentional. It applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. The notification must be made without unreasonable delay and no later than 60 calendar days from the discovery of the breach. Notification must be in writing and sent by first-class mail to the individual whose PHI was breached at their last known address. If the individual has agreed to electronic notice and such agreement has not been withdrawn, notification may be made by e-mail. The notification may be provided in one or more mailings as information is available.

2.3.2 Federal financial regulators

Under the GLBA, financial institutions must notify their primary federal regulator as soon as possible after becoming aware of an incident involving unauthorized access to or use of sensitive customer information. Notification will usually be made to the FTC, but notification must be made to the FDIC, the Office of the Comptroller of the Currency, or the Federal Reserve System if an institution is regulated by one of those agencies. Notification must be made by email, telephone, or other similar methods as prescribed by the regulator.

2.4 Consider whether the type of data compromised in the breach requires reporting to state officials

Reporting standards for data breaches vary by state, often considerably. It is best practice to familiarize yourself with the reporting standards in each state in which you conduct business, and to ascertain whether data breaches should be reported to the relevant state technology agency, the state attorney general’s office, or law enforcement agencies, or to any combination of those three.

Some states set specific time limits by which a report must be made; others use language indicating that breach notifications must be made without delay.

2.5 Consider whether the breach should be reported to consumer reporting agencies

Some state laws require that certain breaches be reported to consumer reporting agencies, to protect the credit ratings of affected individuals. For example, the law in Maine requires that, where a breach requires notification to more than 1,000 persons at a single time, notification must also be made, without unreasonable delay, to consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The method of notification is not specified, but the notification must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.

2.6 Consider whether the breach should be reported to the media

Some state laws allow notification of a breach to be made through the media. Louisiana provides that notification of a breach may be made by '[n]otification to major statewide media'. State laws may also require media notification in some situations. South Dakota law provides that, if the information holder demonstrates that the cost of providing notice would exceed $250,000, that the number of persons to be notified is more than 500,000 persons, or that the information holder does not have sufficient contact information, notice may be made by email notice, if the information holder has an email address for the subject persons; conspicuous posting of the notice on the information holder's website, if the information holder maintains a website page; and notification to statewide media.

Additional resources

Federal Trade Commission: Data Breach Response: A Guide for Business

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
Regulation of data brokers 
