- International Practice
- Securities Regulation
- Climate Change
- Financial Institutions
- Labor and Employment
- Strategic Communications
- Corporate and Securities
- Financial Restructuring
- Educational Institutions
- Private Funds
- Intellectual Property
- Public Finance
- White Collar Defense
- Environmental Strategies
- Internal Investigations
- Real Estate and Projects
Cyber intrusion has become commonplace, and many believe that it is not a question of whether a data breach will occur but rather when. Data breaches now involve sophisticated attacks on information systems in order to disrupt critical infrastructure or obtain personal identification information, customer data, trade secrets, or other highly-sensitive and critical information. Some of the most trusted companies in the United States and internationally have suffered internal or external efforts to compromise their data security, placing millions of people at risk, damaging business reputations and exposing trade secrets to the public.
The motivations of those seeking to compromise cybersecurity are as varied as their methods. Some seek to acquire personal identification or financial information to use or sell on the black market. Some seek trade secrets or other insider information to compete with or attack a company directly. Some seek to retaliate for perceived wrongs. And still others seek to access and destroy information systems to advance a political motive. Whether you are a retail company, a financial institution, an energy company, a governmental agency, or a business, if you have a computer hooked up to a network, your information and operations are continuously at risk.
At Bracewell, our team is adept at helping clients develop and implement information security plans, manage all aspects of a data breach and use effective media and governmental communications during and after a breach. Likewise, when a data breach occurs, sound preparation with our clients serves as the best defense against the breadth, time and expense of the response effort, and insulates management from the public, regulatory and shareholder scrutiny that inevitably follows.
Our development and implementation of an information security plan begins with a system assessment, where we pinpoint the vulnerabilities of our clients’ information systems and ensure that the right policies and procedures are in place to protect that information. We help identify the right constituents to be a part of a crisis response team, train employees, conduct simulations, identify and recommend cyber breach insurance coverage, and take any steps needed to demonstrate for their customers our clients’ commitment to the protection of customer data. In the context of transaction, we provide due diligence for the data security of a target, assess compatibility with existing client systems, negotiate risk allocation provisions in relevant commercial agreements, and advise on post-closing integration.
In the event that a breach occurs, Bracewell attorneys implement an aggressive strategy to contain the damage while mitigating the cost and exposure to our clients. Our team operates with a four-prong approach: investigate, isolate, contain, and secure. We investigate how the breach occurred, isolate the affected systems, contain the damage, and secure the systems. Once the parameters of the breach have been determined, Bracewell attorneys help with the enormously complex series of notifications required under state, federal, and international laws.
A key component to successfully navigating a data breach is the use of strategic communications. Bracewell has an in-house team experienced with handling media communications and government relations. When warranted, they prepare news releases, communications to customers, train responsive staff, and implement social media programs to restore a breach victim’s reputation and minimize its exposure. Our team is also adept and comfortable navigating the regulatory requirements of the Federal Trade Commission, the Securities and Exchange Commission and the supervisory authority of Congress, ensuring that our clients are prepared to respond to governmental oversight effectively and efficiently.
The services contained within our data breach practice range from the proactive to the reactive and include:
- Crafting and implementing a personalized written information security plan
- Assessing and implementing data retention and data protection policies and procedures
- Analyzing and recommending third party data breach protection products
- Managing the crisis response team and forensic investigation
- Investigating and isolating the breach, containing any damage, and securing affected systems
- Developing and implementing a public relations strategy
- Analyzing and conducting federal, state, and international breach notifications
- Drafting notifications and communications to customers, clients, third parties, and media
- Assessing and making law enforcement or state agency referrals
- Managing post-breach litigation, including class-action litigation by affected customers
A mishandled data breach can be an arduous and consuming crisis whose effects can linger for years. Our goal is to help clients turn their data security and privacy policies into a strength they can market to their customers and as a model within their industries, applying them whenever a breach occurs to minimize exposure and limit costs. Our team of seasoned attorneys and crisis management professionals – which includes former top ranking members of the Department of Justice and other government agencies – has the experience and determination to do it right.