Mitigating Your Risks of Cyberattack and Data Breach: Part 2 – Legal Perspectives of Creating a Data Breach and Response Plan

Click here to read Part 1

A four-step data breach and response plan can be viewed here. Lawyers are, or should be, involved in all four steps of this process, and are obviously most involved in defining and implementing the legal requirements that permeate all these stages. Let’s look at an example of the value your lawyer adds by being involved early in this process.

So, say you decide to create a data breach and response plan and have accomplished the first step in defining the systems and data you hold.  You now turn to your staff and ask: “what do we do?”

If a lawyer is involved, he or she will likely address the question in two ways: the attorney will ensure that your privacy and related policies are suitable given the systems and data you maintain, and will also analyze the legal requirements that may apply to securing that data and the legal requirements that will arise if there is a data breach. This information is crucial to the first, third, and fourth steps described above. Without it, you may find that you are creating legal risks even before a data breach, and multiplying those risks many-fold after a breach.

For example, a good privacy policy is critical. The European Union’s General Data Protection Regulation (GDPR) took effect last month. If you do business with Europeans who access your website, you may need to comply. That means your privacy policies need to comply, and you may be at legal risk even without a data breach if you haven’t undertaken compliance.

What if a data breach occurs? The lawyer will determine whether your privacy policy or the terms of service on your website promise things such as how data is protected and what will occur if there is a breach. If you don’t do what you promise, you may be sued by your customers or face an enforcement action by the Federal Trade Commission or other regulatory activity. The lawyer will determine whether your policies should be reconsidered in light of this risk.

And what does the law require apart from your policies? A lot. Most states, for example, have a set of procedures that governs whom you need to notify, when you need to send notices, and how to send them. The Maryland data breach notification statute is codified at Md. Code, Com. Law §§ 14-3501 et seq. That statute defines PII, provides for notice to affected parties and the Attorney General, may require notice to credit reporting agencies in certain circumstances, and describes when and how notice is to be given. All of this information should be keyed into your data breach and response plan, so that you are not starting too late to comply with the law.

“Be prepared” is not just the Scout motto or a song from The Lion King. It is a requirement in the world of cyber security.

Edward Tolchin is a Principal and Chair in the firm’s Government Contracting practice group. Mr. Tolchin’s practice is focused on government contracting, business litigation, and technology matters. In the technology arena, Mr. Tolchin has assisted in disputes, licensing, and business development matters for clients ranging from startups to Fortune 500 companies. Mr. Tolchin’s interest in and knowledge of technology issues also has enabled him to assist clients involved in security and privacy disputes and business issues in the cyber arena. Mr. Tolchin has an active blockchain practice and has written and spoken regarding the legal perspectives of blockchain enterprise development and cryptocurrencies.
