Data Breach Response

Despite an organization’s best efforts, data breaches can occur that expose the personal information of an organization’s customers, employees, students, patients or other individuals. From situations where a company’s computer system has been hacked to simple failures to shred confidential documents, data breaches are a concern to all businesses.

In addition to the possible harms to the affected individuals, data breaches result in significant challenges for the organization that experiences the breach. Nearly every state has at least one data breach notification statute. This, combined with federal requirements in some sectors, such as the Health Insurance Portability and Accountability Act (HIPAA) breach notification rules for protected health information, has created a web of notification obligations. Data breaches also can have implications extending far beyond notifying the potentially affected consumers, including the risk of regulatory probes, of litigation and, of course, the potential for serious damage to the organization’s reputation.

Planning for or Reacting to a Data Breach

Whether your organization is proactively developing a data breach response plan or responding to a breach that already has occurred, AGG can help. To assist organizations in responding to or preparing for data breaches, whether large or small, AGG has established a Data Breach Response Team that cuts across several of the firm’s practice groups. Members of the AGG Data Breach Response Team have extensive experience with the many aspects of responding to a data breach, ranging from the assessment of whether a breach occurred, to initial consumer and regulatory notifications, to post-breach activities such as responding to regulatory inquiries or bringing or defending litigation.

AGG’s Data Breach Response Team can assist an organization with preparation of a proactive data breach response plan so that it knows what to do if a breach occurs. It can provide an organization that has experienced a data breach (or is working to assess whether a data breach has occurred) with comprehensive legal services to respond effectively to the breach and any subsequent investigations or litigation. The Data Breach Response Team is a specialized team led by our Privacy Practice Group based in Washington, DC.

Our Team's Data Breach Services include:

  • Assisting in the preparation and implementation of a data breach response plan
  • Working with law enforcement and information security specialists to investigate the breach or potential breach
  • Assessing whether a data breach triggers notifications under state or federal laws
  • Preparing consumer notification communications in accordance with applicable law
  • Preparing other required notifications, such as notices to state attorneys general and others to whom notice may be required
  • Addressing issues that arise concerning other parties, such as the organization’s insurer(s), business partners and other stakeholders
  • Preparing responses to inquiries from the media, privacy or others
  • Representation before the Federal Trade Commission, Department of Health and Human Services, state attorneys general, or other state or federal regulators in regulatory inquiries and/or investigations
  • Responding to congressional requests for information and/or preparing a representative of the organization to testify before Congress
  • Assessing whether a breach may be “material” for purposes of Securities and Exchange Commission reporting requirements
  • Defending against suits brought by consumers, shareholders or business partners
  • Identifying enhancements to the organization’s privacy and security program to reduce the possibility of future breaches
  • Identifying potential insurance coverage for data breach claims

Examples of our Data Breach Team's significant accomplishments include: 

  • Handled the first data breach triggering significant nationwide consumer notifications
  • Provided advice to numerous clients, including consumer reporting agencies, information companies, e-commerce retailers, financial institutions, healthcare providers and others regarding whether breach notification is required, investigation of the breach and resolution of breach-related issues
  • Represented clients before the Federal Trade Commission in connection with investigations involving multiple data breaches
  • Represented clients before state attorney general committees