David Balser, a partner at King & Spalding, writes:
When a company discovers that it has been a victim of a data breach, it is essential to act quickly. In particular, an issue of critical importance is when and how a breached company discloses the data breach to customers, business partners, regulators and the general public.
With respect to public-facing statements specifically, it is critical to be mindful of how such statements could be used against the company in any future litigation or regulatory investigation that may arise out of the breach. In some cases, the most beneficial statements from a business or public relations perspective may have the potential to create exposure in and complicate subsequent litigation.
There are obvious benefits to waiting until a company has a complete understanding of the cause and scope of the breach before making a public disclosure. But there are a host of statutes that require notification to affected individuals within a particular time period and provide a private right of action to assert a claim if the breached company fails to give the required notice.
Read more at Corporate Compliance Insights.