Privacy Process

In cases where a SafeLaw policyholder suffers a data breach involving disclosure of personally identifiable non-public information, our privacy breach response team will assist the firm in evaluating regulatory obligations, notifying victims and remediating potential identity theft. Randy Sabett, CISSP, from Cooley LLP, leads the SafeLaw privacy breach response team. He is responsible for advising SafeLaw policyholders on privacy breaches and coordinating privacy breach response services on behalf of SafeLaw policyholders. The SafeLaw privacy breach response team also incorporates dedicated experts in several practice areas to successfully guide SafeLaw clients through a privacy breach. A brief summary of our privacy breach response process follows:

Investigate the Breach

For most data breaches involving personally identifiable non-public information, it is crucial to determine the source, scope and potential severity of the data breach. The SafeLaw privacy breach response team includes technical forensics experts from Mandiant, Verizon, and Trustwave. We will help SafeLaw clients conduct technical forensics and determine the extent of the data breach. Our privacy breach response team will also help the firm contain the breach, preserve evidence, and take steps to reestablish the security and confidentiality of firm data.

Assess Risk

Once the firm has investigated the breach and determined what information was compromised, our legal experts will help the firm evaluate the risks associated with the breach and plan an appropriate response. Our privacy breach response team will help the firm evaluate the regulatory risks, legal consequences, and potential brand damage associated with the privacy breach. We will also advise the firm on the best approach to complying with applicable regulations, dealing with the privacy breach victims, and protecting the firm’s interests.


Data breaches involving personally identifiable information may trigger obligations under one or more state laws. In addition, law firms may be required to notify the ARDC or State Bar. Our privacy breach response team will guide the firm through state and federal regulations and local ethics rules that may apply to the different types of data that have been compromised. Moreover, we will work with the firm to determine if any contractual notification requirements exist. Our privacy experts will help the firm determine who to notify and when. In addition, our privacy breach response team will help the firm notify the victims in compliance with regulatory and ethical obligations. Randy Sabett will work with clients to draft the victim notice letter(s). Randy will also coordinate national address lookup, letter printing services, email notice, media notice, and staggered mailing services with our notification experts, including AllClear ID, Experian, TransUnion and ID Experts.

Activate Call Center

In some cases, firms may need to activate an emergency call center to manage the volume of phone calls from privacy breach victims. Randy Sabett will work with the firm to create a script for call center employees that includes a description of the type of information exposed, the date and time of the breach, steps being taken to address the incident, and how the firm will assist the victims. Randy will help the firm train staff members to handle calls. Alternatively, Randy can help the firm engage one of our call center specialists such as AllClear ID, Experian, TransUnion or ID Experts.

Remediate Identity Theft

Some firms choose to provide privacy breach victims with identity theft assistance and remediation. These services include free credit reports, credit monitoring, fraud resolution, identity theft restoration, and identity theft expense reimbursement insurance. The SafeLaw privacy breach response team will advise the firm on the best options available for helping victims including credit monitoring, identity theft remediation, fraud assistance and similar services. We will also facilitate the delivery of the identity theft and remediation services with our panel of experts including AllClear ID, Experian, TransUnion, Immersion Ltd. and ID Experts.

Protect Brand

We understand that a law firm’s success is driven by its reputation. A data breach not only affects the firm’s reputation, but has the potential to severely compromise the firm’s clients as well. By the time notifications are sent to victims, there may already be rumors or media coverage regarding the breach. Therefore, it’s very important to let those affected know as soon as possible and provide them with enough information and help to mitigate any potential harm. However, notifications sent too soon or with insufficient information about the breach may cause more damage to the firm’s reputation. Our public relations partners are experienced in assisting law firms with crisis communications, crafting and presenting public announcements, and creating websites to provide answers to frequently asked questions regarding a breach. We will work with the firm and a public relations expert to manage crisis communications immediately following a privacy breach to minimize brand damage. In addition, our privacy breach response team will coordinate with public relations experts such as Fleishman-Hillard or Levick to design, implement and execute a public relations campaign following a privacy breach to restore the firm’s brand name.


In some cases, a privacy breach may result in lawsuits or regulatory actions brought against the firm. Randy Sabett is our lead privacy counsel for the SafeLaw privacy breach response team. However, in the event of regulatory actions or lawsuits, we usually recommend 3-5 privacy defense lawyers to clients and let the client select. Some of the privacy lawyers we partner with include: (a) David Navetta from Norton Rose Fulbright; (b) Ted Kobus from Baker Hostetler; (c) Josh Kantrow from Lewis Brisbois Bisgaard & Smith LLP; (d) Richard Bortnick at Traub Lieberman; and (e) Jon Neiditz at Kilpatrick, Townsend and Stockton LLP. In addition, members of the PLAN network are available to our clients and provide local representation in cyber risk and data breach matters.