By now, many attorneys are generally aware of the existence of data breach notification laws and may have even had the misfortune of receiving a data breach notice in the mail. The long string of high-profile breaches spanning back many years has raised awareness of the need to notify individuals whose personally identifiable information has been compromised in a data breach. One might envision the scenario of a hacker penetrating a system to steal sensitive business, financial or personal information, or a ransomware attack in which a threat actor encrypts a company’s data for the purpose of extorting the company. In addition to the damage that can be done due to the loss of funds or private information, if the incident results in unauthorized access or exfiltration of personal information, legal obligations may arise to notify the individuals whose information was accessed or taken.

Yet many practitioners outside of the privacy and data security space may not appreciate the variety of other types of incidents that can potentially give rise to data breach notification obligations. Suppose an employee loses a device containing unencrypted personal information by theft or mistake. Or, an unauthorized individual might gain access to paper or electronic records containing an individual’s personal information through criminal conduct or mere happenstance. Perhaps an employee inadvertently misdirects an email containing unsecured personal information to the wrong recipient. Other common incidents include a business email compromise incident, in which a threat actor gains access to a company employee’s email account, possibly through an email phishing campaign, and hijacks and re-routes emails for the purpose of committing fraud. Each of these incidents requires an analysis as to whether it rises to the level of a reportable breach under applicable data breach notification laws.

Such an analysis begins by conducting an investigation as to the nature and scope of the incident and the types of data involved. In the case of an electronic system breach, it may require a thorough forensic investigation of the affected systems. Once a determination is made whether the data involved included individuals’ personal information, the business will need to identify those individuals whose personal information was impacted.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.