Mitigating Your Risks of Cyber Attack and Data Breach: Legal Perspectives
June 12, 2018
A four-step data breach and response plan can be viewed here. Lawyers are, or should be, involved in all four steps of this process, and are obviously most involved in defining and implementing the legal requirements that permeate all of these stages. Let’s look at an example of the value your lawyer’s early involvement adds to this process.
So, say you decide to create a data breach and response plan and have accomplished the first step of defining the systems and data you hold. You now turn to your staff and ask: “What do we do?”
If a lawyer is involved, he or she will likely address the question in two ways: the attorney will ensure that your privacy and related policies are suitable given the systems and data you maintain, and will also analyze the legal requirements that may exist with respect to the need for security, as well as the legal requirements that will arise if there is a data breach. This information is crucial to the first, third, and fourth steps described above. Without it, you may find that you are creating legal risks even before a data breach, and multiplying those risks many-fold after a breach.
For example, a good privacy policy is critical. The European Union’s General Data Protection Regulation (GDPR) took effect last month. If you do business with Europeans who access your website, you may need to comply. That means your privacy policies need to comply, and you may be at legal risk even without a data breach if you haven’t undertaken compliance. What if a data breach occurs? The lawyer will determine whether your privacy policy or the terms of service on your website make promises about such things as how data is protected and what will occur if there is a breach. If you don’t do what you promise, you may be sued by your customers, or face an enforcement action by the Federal Trade Commission or other regulatory activity. The lawyer will determine whether your policies should be reconsidered in light of this risk.
Read more at Offit Kurman