Mitigating Your Risks of Cyberattack and Data Breach: Part 1 – A Four Step Data Breach and Response Plan

Data subject to a data breach generally fall into one of four categories: personally identifiable information (PII); protected health information (PHI); financial data (such as credit card or banking information); or a business’s trade secrets or other confidential business information. Each category is targeted by different actors. Insider threats, such as employee (or ex-employee) negligence or malice, tend to put business information, PII, or PHI at risk. Cybercriminal activity usually focuses on financial data, though hacktivists often also target business information for political gain.

With the rise of data hacks at all types of businesses, a good data breach avoidance and response plan is crucial to reducing the risk of litigation and minimizing government scrutiny. These are important goals in their own right, but the overall purpose is the same: to decrease the costs caused by any data breach. This objective matters because litigation and regulatory risks are the fastest-growing components of the damage calculus of a data breach. Contractual litigation is becoming prevalent, and state data breach statutes are increasingly being interpreted as creating private rights of action, including class actions. The Federal Trade Commission and other government agencies are also stepping up their scrutiny of data breaches.

The first step in any data breach and response plan is an analysis of three elements: the data systems you maintain that could be breached; the type of data that resides on each system and from whom it originates; and the legal requirements that address the confidentiality of the identified data or systems.

After completing this analysis, the second step requires a thorough vetting of the types of risk that affect each identified system, given the types of data that reside on it. Does the threat arise primarily because of employee issues, because access is ubiquitous, or because of a lack of electronic locks?

The third step is to implement appropriate safeguards against the identified risks. Can you limit the vendors with whom you deal, or protect yourself contractually? Can you put stronger electronic locks in place, or mechanisms that would detect and wall off negligent or malicious personnel?

The fourth step is to determine what to do when the third step fails, considering the legal requirements that address the data identified in the first step. This last step includes an analysis of your privacy policies; federal, state, and, if appropriate, foreign legal requirements such as notice mandates; and a review of your cyber insurance coverage.

In the next posting, we’ll discuss when and how you should involve your lawyer in this four-step process.

Questions about cyber security?
Please contact Edward Tolchin at

Edward Tolchin is a Principal and Chair in the firm’s Government Contracting practice group. Mr. Tolchin’s practice is focused on government contracting, business litigation, and technology matters. In the technology arena, Mr. Tolchin has assisted in disputes, licensing, and business development matters for clients ranging from startups to Fortune 500 companies. Mr. Tolchin’s interest in and knowledge of technology issues also has enabled him to assist clients involved in security and privacy disputes and business issues in the cyber arena. Mr. Tolchin has an active blockchain practice and has written and spoken regarding the legal perspectives of blockchain enterprise development and cryptocurrencies.