Data Breach Management

Overview

McDermott has guided clients through assessments of and responses to hundreds of data breaches, including some of the largest cyber incidents to date as well as more limited exposures of confidential or proprietary information. We have experience in all types of cyber hazards, including state-sponsored attacks, overseas criminal hackers, ransomware, insider threats and system compromises resulting from misconfigurations.

We maintain three incident response teams (IRTs), each focused on a particular type of data that implicates a different legal regime. Our teams are available to respond to client issues seven days per week, at all times.

Our General Data IRT includes lawyers who have been recognized among the nation’s leading practitioners in cyber incident response. This team has handled breaches involving consumer, employee or proprietary information for a diverse range of clients, including technology companies, telecommunications providers, financial service institutions and retailers.

Our Health IRT includes lawyers from our Health Industry Advisory Practice Group, the only such practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. Members of our team possess a deep understanding of health data privacy issues and deliver comprehensive breach response advice to health providers, health technology companies, life sciences companies and others in the health industry.

Our International IRT brings together attorneys from the United States, Europe and Asia and has handled breaches that have involved laws and regulations of more than 100 countries.

Each of our teams is experienced in handling all phases of a data breach response, including:

Participation in and leadership of incident response teams
Retention and coordination with forensic, cybersecurity, public-relations, and notification firms
Notice to affected persons such as consumers and business partners as well as to US federal, state and non-US regulators
Coordination with US Attorney offices, Federal Bureau of Investigation (FBI), Secret Service, Federal Trade Commission (FTC), Federal
Communications Commission (FCC), state attorney generals, regulators and other government agencies
Coordination with auditors, senior executives and boards of directors
Development of public-relations strategies
Management of post-breach cyber assessments and remediation counseling
Responses to governmental investigations
Defense of class-action and multidistrict litigation

Show Less

Results

Handled a series of large data breaches involving personnel records of employees in the United States and around the world and advised our client on its obligations under the laws of every US state and more than 50 countries; managed communications with the affected employees and various government regulators; and persuaded regulators to forego any claim against our client
Handled the response to a series of incidents involving the compromise of patient information at a leading California hospital, including overseeing the forensic investigation into the incidents, advising on the applicable legal obligations (e.g., under HIPAA and state laws), preparing a notification and communication program, and recommending appropriate mitigation measures
Advised more than a dozen health care providers on responses to ransomware incidents, including preservation of privilege, coordination with law enforcement, retention of a forensics provider, communications with affected patients and regulators, and remediation and recovery from the incident

Negotiated a successful resolution of an OCR investigation of a health care system involving the theft of a component of a medical device that potentially included the protected health information of over 500 patients, resulting in an 85 percent reduction in the financial penalties and a favorable corrective action plan
Negotiated the successful resolution of two open OCR investigations of a health care system, consolidating the investigations into a single settlement arrangement with OCR that included a reasonable resolution payment and a favorable corrective action plan
Negotiated a successful resolution of an OCR investigation of a health care system involving the mishandling of medical records related to over 5,000 patients, resulting in a successful completion of a favorable corrective action plan
Assisted a health system client on its response to an OCR investigation regarding a theft of unencrypted laptop computers and tablet computers with medical records for 2,150 hospice patients, ultimately achieving a resolution without a monetary penalty
Assisted a large emergency medical physician practice with all aspects of its response to a theft of a portable hard drive containing medical billing information for more than 175,000 patients from over 50 jurisdictions, including drafting the template breach notification letter, breach reports to the Office for Civil Rights (OCR) and state regulators, talking points for call center operators, press releases and media notices, and an indemnification claim to the medical billing agency; after responding to OCR’s investigative data requests, the matter was successfully resolved with OCR without penalty; in conjunction with counsel to the billing agency, we obtained the dismissal, at the motion to dismiss stage, of a related consumer class action
Assisted a health plan client in responding to a data breach involving over 40,000 individuals, including preparing the template breach notification letters, reporting the breach to OCR and responding to multiple investigative data requests from OCR
Assisted a large hospital system in its response to multiple investigatory requests resulting from a breach that potentially affected 3,800 individuals
Assisted a large hospital system in analyzing and preparing multiple notifications relating to a potential breach that occurred over many months and potentially affected more than 6,000 patients; subsequently assisted our client in responding to various investigative data requests from OCR related to the incident
Assisted a network of health care clinics in responding to multiple investigative data requests from OCR related to various breaches
Assisted a health system in its investigation of a breach that potentially affected approximately 800 patients, prepared appropriate breach notifications, and responded to multiple OCR investigative data requests about the breach
Assisted a large, multi-specialty physician practice in its investigation of a breach that potentially affected approximately 1,650 patients, prepared appropriate breach notifications, and responded to an OCR investigative data request about the breach

Show Less

Data Breach Management

Overview

Global Privacy & Cybersecurity Resource Center

We dig deeper to keep you informed with the latest legal insights, insightful analyses and events related to privacy.

“They are among the most skilled in terms of protecting their clients and developing the approach for the client to protect themselves."

Results

People

Key Contacts

Michael G. Morgan

Mark E. Schreiber