Crisis Data Breach Response: Legal Counsel

Posted by Mark Greisiger

A Q&A with Jon Neiditz, Partner at Nelson Mullins
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at legal counsel, and I spoke with Jon Neiditz, partner at Nelson Mullins and the founder and coleader of its Information Management practice.

When and how do clients engage with your services?
In the best-case scenario, I’ve already been helping the organization develop their information security and incident response program. But I often get calls from an organization that I don’t have a prior relationship with. They’ve had a data breach and they’ve called their broker or insurer and the broker or insurer sends them to me. In general, I like to be involved from moment one.

What happens after the call?
First of all, you need to focus on identifying and containing the incident and harm. Second, you need to access regulatory requirements and legal exposure in all 50 states plus international laws. And then you need to think about every contractual relationship with your vendors. I basically act as a breach coach—I’m not setting up the call center or the credit monitoring or mailings, but I’m making sure all these things happen in a seamless way that enhances trust and communication. I generally advise people not to use a single vendor but to use whichever ones offer the best service, and most are generally good at one thing.

What problems or hurdles do you typically encounter?
In general, there really aren’t that many problems these days. People seem to be willing to do what they need to do. That being said, if there’s not an incident response program in place, decisions are not made in an efficient way. You have to have the right forensic resources with a plan. One thing that can be a problem is if there’s an outside PR firm that doesn’t understand breach-related risk. They need to be in sync with everyone else. The other problem is that companies need to be careful about contacting vendors because there are many ways that vendors can charge lots of money in these situations where they don’t need to. Vendors, not excluding lawyers, will try to take advantage, so negotiating things up front and creating caps on fees can be very important. One way to save money, for instance, is to pay for credit monitoring on an enrollment basis rather than a per-record basis—only 10 percent of people will actually enroll in the service, so that way you’re not paying for services people aren’t using.

What are the approximate costs for legal counsel for a data breach?
I’m astonished whenever I see the costs that are put out there. I have never, in the largest breaches I’ve dealt with, come close to US $100,000 in total legal costs. Small ones are $1,000 to $2,000 and medium sized ones are between $10,000 to $30,000. If you handle a lot of these cases as I have, you can make the services very cost-effective for clients and that’s what I try to do.

In conclusion…
Thanks, Jon, for sharing your experience. At NetDiligence®, we have found that a privacy lawyer (a.k.a. Breach Coach®) such as Mr. Neiditz can be a valuable first call for some clients in the initial crisis phase following a data breach event. Often, the client is panicking, and rightfully so—not many companies are pros at handling these types of emerging incidents and we know that they can turn catastrophic if they’re not dealt with properly. Moreover, some grounded/expert legal advice can often help the client calm down and review their response and legal compliance duties in conjunction with the actual breach facts at hand (and there’s a kneejerk response that’s costly and unnecessary for both the business and their victimized customers).