Login

In Case You Missed It!

By Susan Duarte

Your monthly source for curated updates on Marketing, Privacy, AI, and other relevant industry news.

Subscribe

September 29, 2025

ICYMI: Issue #2: September 2025

Read More

ICYMI: The Inaugural Issue

August 25, 2025

Prefer to listen instead? We’ve made an audio version of this newsletter so you can catch the highlights on the

Read More

Why I Created ICYMI: My Perspective on Making Legal Intelligence Accessible

July 23, 2025

After more than 20 years working in-house, I know the frustration all too well. You’re juggling back-to-back meetings, managing competing

Read More

Meet Susan Duarte

Susan is a trusted legal advisor for businesses ranging from startups to Fortune 100 companies, specializing in technology, advertising, data privacy, and consumer protection. She leads a skilled team in navigating complex regulatory landscapes and risk management while providing practical, proactive guidance. Recognized as the “Best In-House Counsel of the Year” by the Association of Corporate Counsel in 2024, Susan has successfully represented clients before various regulatory bodies and is known for her expertise in litigation and compliance.

Connect With Susan

Why I Created ICYMI

After more than 20 years working in-house, I know the frustration all too well. You’re juggling back-to-back meetings, managing competing deadlines, and trying to stay on top of the legal developments that could impact your business. Then another law firm alert lands in your inbox. You want to read it—you know you should read it—but there’s simply no time.

Sound familiar?

This is exactly why I created ICYMI (In Case You Missed It), and why building a dedicated space for product counsel (and really all counsel) matters so much to me.

Data Breach Guide for Legal Counsel

A comprehensive visual reference for prevention and response

Data Breach Prevention Strategy

Data Breach Prevention Flow

Data Mapping

Create a comprehensive data inventory

Legal Assessment

Document applicable laws and regulations

Data Classification

Categorize data by sensitivity and legal impact

Security Implementation

Establish administrative, electronic, and physical safeguards

Vendor Management

Assess third-party relationships and contracts

Data Mapping

  • Document all types of data collected
  • Record data sources and collection methods
  • Document storage locations and access methods
  • Map data transmission flows and recipients
  • Document retention periods and disposal methods
  • Identify backups and system logs

Legal Assessment

  • Identify applicable laws and regulations (state, federal, international)
  • Document industry standards (PCI-DSS, HIPAA, etc.)
  • Review contractual obligations related to data
  • Ensure policies align with legal requirements
  • Document compliance verification procedures

Data Classification

  • Classify data as regulated, confidential, or public
  • Assign risk levels based on legal impact
  • Document sensitivity levels for each data type
  • Establish handling procedures for each classification
  • Ensure classification is reflected in security measures

Security Implementation

  • Implement encryption, firewalls, and network segmentation
  • Establish monitoring systems for activity
  • Create BYOD and mobile device policies
  • Develop retention/destruction protocols
  • Conduct regular employee security training
  • Document security procedures and protocols

Privacy Policy Alignment

  • Review public-facing privacy statements
  • Ensure security practices align with representations
  • Document procedures to maintain alignment
  • Schedule regular policy reviews and updates

Vendor Management

  • Conduct vendor due diligence on security practices
  • Include breach notification requirements in contracts
  • Establish indemnification and liability provisions
  • Secure audit rights or security assessment reports
  • Document vendor security standards
  • Create vendor management procedures

Critical Legal Consideration

Consider purchasing dedicated cyber insurance coverage to transfer risk and provide additional response resources during an incident.

Data Breach Response Strategy

Data Breach Response Workflow

Detection & Reporting

Identify and report suspected breach

Team Activation

Engage response team and establish command

Containment

Secure systems and stop data exfiltration

Investigation

Determine scope, affected data, and root cause

Legal Analysis

Assess legal obligations and notification requirements

Notification & Response

Notify affected parties and manage communications

Detection & Reporting

  • Document initial breach indicators and discovery method
  • Record date, time, and person who discovered the breach
  • Follow established internal reporting procedures
  • Preserve evidence of the breach
  • Begin incident documentation and tracking

Team Activation

  • Alert incident lead to activate response team
  • Establish command center and communications channels
  • Assign roles based on predetermined responsibilities
  • Notify executive leadership as appropriate
  • Begin tracking response activities and timeline

Containment

  • Isolate affected systems to prevent further compromise
  • Secure physical and digital assets
  • Stop data exfiltration if active
  • Preserve forensic evidence for investigation
  • Document containment actions and timeline
  • Contact cyber insurance provider (if applicable)

Investigation

  • Engage forensic experts as needed
  • Identify compromised data and systems
  • Determine the scope and impact of the breach
  • Identify affected individuals
  • Determine root cause and attack vector
  • Document findings thoroughly

Legal Analysis

  • Determine applicable state and federal laws
  • Assess notification obligations and timelines
  • Review contractual notification requirements
  • Identify regulatory reporting obligations
  • Evaluate potential legal exposure and liability
  • Engage outside counsel as needed

Notification & Communications

  • Prepare notification communications for affected individuals
  • Notify regulatory authorities as required
  • Prepare internal and external communications
  • Establish call center services if needed
  • Offer credit monitoring or identity protection services
  • Document all communications and responses

External Resources List

  • Maintain contact information for computer forensics experts
  • Have relationship with specialized outside counsel
  • Pre-arrange call center services for notification support
  • Establish relationships with credit monitoring services
  • Document contact information for law enforcement agencies
  • Maintain list of relevant regulatory authorities
  • Keep cyber insurance provider contact information accessible

Legal Counsel Priority Actions

Immediately assess notification obligations across all jurisdictions, establish attorney-client privilege for investigation, and coordinate all external communications to maintain consistency and limit liability exposure.

Data Breach Response Team Structure

Core Response Team Members & Responsibilities

Incident Lead / CISO

Coordinates overall response and serves as final decision-maker during the incident

Legal Counsel

Assesses legal obligations, maintains privilege, and advises on regulatory requirements

IT Security

Leads technical investigation, containment, and remediation efforts

Data Privacy Officer

Advises on privacy implications and compliance requirements

Risk Management

Coordinates with insurers and assesses organizational impact

Communications / PR

Develops and coordinates internal and external communications

Human Resources

Manages employee communications and workforce implications

Customer Service

Prepares to handle customer inquiries and concerns

Legal Counsel Specific Responsibilities

  • Establish attorney-client privilege for investigation
  • Determine notification obligations across jurisdictions
  • Review and approve all external communications
  • Coordinate with external counsel when necessary
  • Advise on potential liability and risk mitigation
  • Document legal analysis and decision rationale
  • Coordinate regulatory communications
  • Review vendor contracts for breach obligations

Cross-Functional Coordination

  • Establish clear communication channels between teams
  • Schedule regular status meetings during response
  • Create documentation that flows between teams
  • Define escalation procedures for critical issues
  • Establish approval workflows for key decisions
  • Maintain consolidated incident timeline

Team Preparation Critical

Regular tabletop exercises and simulations are essential to test the response team’s readiness. Conduct these exercises at least annually and after significant organizational changes.

Data Breach Response Timeline

Initial Detection (0-24 Hours)

  • Document discovery of potential breach
  • Activate response team and establish command
  • Begin containment procedures
  • Preserve evidence and secure systems
  • Notify cyber insurance provider
  • Engage forensic experts if needed

Assessment Phase (24-72 Hours)

  • Complete preliminary investigation
  • Identify compromised data and affected individuals
  • Determine applicable legal requirements
  • Evaluate contractual notification obligations
  • Prepare initial legal assessment
  • Develop preliminary communication plan

Notification Planning (72-96 Hours)

  • Draft notification letters for affected individuals
  • Prepare regulatory notifications
  • Establish call center services if needed
  • Arrange credit monitoring services
  • Finalize external communications strategy
  • Brief executives and board members

External Communications (Per Legal Requirements)

  • Issue notifications within required timeframes
  • Submit regulatory filings
  • Activate call center for inquiries
  • Monitor media coverage and social media
  • Respond to stakeholder inquiries
  • Document all communications activities

Ongoing Response (Week 2+)

  • Continue remediation efforts
  • Complete thorough forensic investigation
  • Address secondary notification requirements
  • Manage ongoing communications
  • Track expenses for insurance claims
  • Begin developing lessons learned

Post-Incident Review (30-60 Days)

  • Conduct formal post-incident analysis
  • Document effectiveness of response plan
  • Identify areas for improvement
  • Update data protection measures
  • Revise response plan based on lessons learned
  • Conduct follow-up training

Time-Sensitive Legal Requirements

Be aware that some jurisdictions require notification within specific timeframes (as short as 72 hours in some cases). Legal counsel must identify all applicable deadlines immediately upon breach confirmation.

IT Governance & Security Framework

IT Security Governance Domains

Physical Security

Secure physical access and environment

System Security

Secure technical infrastructure

Threat Mitigation

Address specific threat vectors

Access Control

Manage human access to systems

Legal Compliance

Ensure regulatory adherence

Physical Security Governance

  • Implement physical access control for sensitive locations
  • Enforce vendor personnel access restrictions
  • Maintain security logs and video surveillance
  • Implement clean desk protocols
  • Require multifactor authentication on all endpoints
  • Inventory and track all hardware and endpoints
  • Establish secure document storage and disposal procedures

System Security Governance

  • Implement industry-standard encryption for data at rest and in transit
  • Employ firewalls and establish proxy servers
  • Enable network address translation (NAT) functionality
  • Disable unnecessary basic services (FINGER, NETSTAT, etc.)
  • Implement system backups housed away from main systems
  • Use HTTPS protocol instead of HTTP
  • Establish patching policies and schedules
  • Implement VPN for remote access

Access Control Governance

  • Enforce strong password policies (10+ characters with mixed types)
  • Require multifactor authentication
  • Implement least privilege access controls
  • Limit or disable auto-completion features
  • Establish authentication policies for website access
  • Enable HTTP strict transport security
  • Use monitoring software with appropriate disclosures
  • Implement "zero trust" administrative access

Social Engineering Defense

  • Implement email filters for external sources
  • Establish procedures for reporting suspicious communications
  • Deploy anti-phishing and anti-spam software
  • Create email/messaging usage limitation policies
  • Require verification procedures for information requests
  • Establish social media usage policies
  • Conduct regular social engineering awareness training

Malware & DoS Defense

  • Deploy antivirus software with continuous updates
  • Screen all message attachments
  • Conduct periodic scanning of all system files
  • Establish baseline threat detection for system anomalies
  • Use spyware detection and removal software
  • Implement proper resource allocation to prevent DoS attacks
  • Enable SYN attack defenses in operating systems
  • Create data traffic rerouting plans

Legal Compliance Framework

  • Document compliance with applicable laws (GDPR, CCPA, etc.)
  • Verify adherence to industry standards (PCI DSS, etc.)
  • Review vendor contracts for security provisions
  • Require vendor cyber insurance where appropriate
  • Obtain indemnification from vendors with system access
  • Establish legal response procedures for known attacks
  • Document all security training and compliance efforts

Contractual Security Governance

  • Vendor Management
  • Mandate security procedures for on-premise vendors
  • Require return of all data upon project completion
  • Obtain representations and warranties regarding compliance
  • Establish document tracking systems for vendor-shared documents

  • Security Validation
  • Establish inspection and validation rights
  • Require vendor security certifications
  • Mandate security incident reporting
  • Incorporate data breach liability provisions

Legal Counsel's Governance Role

As legal counsel, you must actively engage with IT staff in developing the security policies and procedures outlined above. Document all training efforts and policy implementations to demonstrate due diligence in case of regulatory investigations or litigation following a breach incident.

Protecting Attorney-Client Privilege

Privilege Protection Framework

Pre-Breach Planning

Structure processes to protect privilege

Two-Track Investigation

Separate legal and technical investigations

Communication Protocols

Control how information is shared

Documentation Control

Manage report creation and distribution

Training & Education

Ensure stakeholders understand privilege

Pre-Breach Privilege Planning

  • Draft incident response plan with clear privilege protection protocols
  • Specify that outside counsel will engage and direct all third-party service providers
  • Include language in third-party agreements explicitly stating privilege applies
  • Structure vendor contracts to specify investigations are in anticipation of litigation
  • Establish clear communication channels and documentation protocols
  • Create templates with appropriate privilege markings for breach response documents

Two-Track Investigation Strategy

  • Implement separate legal and technical investigation tracks
  • Legal track: Led by outside counsel with third-party forensic experts
  • Technical track: For business continuity and security remediation
  • Ensure legal track focuses on providing legal advice
  • Document legal purpose of forensic investigation in engagement letters
  • Maintain separation between tracks to preserve privilege claims

Communication Protocols

  • Limit use of transient communication channels (text, Slack, etc.)
  • Create "privilege circle" of individuals covered by attorney-client privilege
  • Mark all communications with "Privileged & Confidential"
  • Add "Created at the Direction of Counsel" to work products
  • Establish secure channels for sharing privileged information
  • Prefer verbal communications over written for sensitive findings

Forensic Report Management

  • Have outside counsel retain and direct forensic vendors
  • Limit written interim reports; favor verbal briefings
  • Mark any written materials as "DRAFT" and "Privileged & Confidential"
  • Share reports via secure methods (e.g., screen share vs. email)
  • Ensure outside counsel reviews/revises final reports
  • Focus reports on legal advice and risks rather than technical details

Distribution Control

  • Restrict final report distribution to privilege circle
  • Require privileged document tracking procedures
  • Log all individuals who receive privileged materials
  • Implement need-to-know access restrictions
  • Establish protocols for third-party disclosures
  • Create redacted versions when broader sharing is necessary

Training & Education

  • Conduct company-wide training on privilege concepts
  • Educate response team on protecting privilege during incidents
  • Provide specific guidance for technical teams on privilege issues
  • Train executives on avoiding privilege waiver in communications
  • Conduct tabletop exercises that include privilege scenarios
  • Document all privilege-related training efforts

Critical Privilege Considerations

Courts have increasingly scrutinized privilege claims in data breach litigation. Preparation alone does not guarantee privilege protection. Legal counsel should actively manage the investigation process, ensure all communications have a legal purpose, and maintain clear documentation of counsel’s involvement in directing the investigation.

Common Privilege Pitfalls to Avoid

  • Documentation Issues
  • Using technical reports focused on remediation rather than legal advice
  • Creating multiple versions of reports for different audiences
  • Failing to document counsel's direction of investigation
  • Treating forensic reports as business records rather than legal advice

  • Process Mistakes
  • Allowing company (not counsel) to directly engage forensic vendors
  • Sharing privileged information beyond the privilege circle
  • Using pre-existing vendor relationships for incident response
  • Failing to separate business and legal purposes of investigation

This guide is designed as a visual aid for legal professionals and does not constitute legal advice.

Subscribe

Subscribe to ICYMI—your monthly source for curated updates on Marketing, Privacy, AI, and other relevant industry news that actually matters.

DISCLAIMER: By subscribing to our firm’s newsletter, you acknowledge that you have read and understand the disclaimers posted to our site.