Crisis Management: Breach Response & Litigation

Crowell & Moring represents clients that have experienced security breaches involving personal information, trade secrets, and other proprietary information. We are on the ground from the initial internal investigation stage through the notification, government enforcement, and class action stages. Despite the prevalence of data incidents today, particularly cyber intrusions, a data infiltration is not necessarily a catastrophe for a business. Rather, proper crisis management, timely remedial action, accurate assessments of harm, and, if necessary, individual and governmental notifications can salvage, or at least mitigate, a breach crisis. We handle all aspects of breach response including:

  • Assisting with the legal/business decision whether to notify given the facts, and if so, the extent of notification required; we have developed detailed outlines and spreadsheets of the various requirements of and nuances between the many state security breach laws to make this a quick and effective process.
  • Drafting notifications to individuals and regulators.
  • Preparing statements for external sources, e.g., media and law enforcement.
  • Assisting with communications to other required agencies, such as consumer reporting agencies.
  • Preparing statements, e-mail notices, and personalized correspondence with employees affected by security incidents.
  • Advising clients on both legal requirements and best practices with respect to post-incident assistance to those affected (e.g., credit monitoring, insurance, etc.).
  • Defending against state and federal regulatory investigations.
  • Defending against state attorneys general lawsuits.
  • Defending individual and class action lawsuits arising from data and privacy breaches.
  • Responding to individual complaints regarding privacy and data security.
  • Conducting postmortem analysis of the breach to enhance cybersecurity and corporate compliance programs and safeguard data against future security breaches.

Representative Matters

Crowell & Moring has handled major data breach litigation and demonstrated its capabilities in addressing litigation risks and legal developments in the cybersecurity arena, including Advanced Persistent Threats (APT). Crowell & Moring’s litigation experience includes both federal and state actions arising out of security breaches, as well as representing companies in investigations involving such breaches.

Representative engagements include the following:

  • Defended a health care client in two separate breaches, each involving over 1.5 million members. Crowell & Moring represented the client throughout the breach response process, including the internal investigation and investigations by state attorneys general, departments of insurance, and the United States Health and Human Services Office of Civil Rights (OCR), and defended the client against numerous related class action lawsuits. We resolved the OCR investigation without payment of fines or mandatory corrective actions.
  • Represented a Fortune 500 company in cyber-theft litigation, including coordinating forensics efforts to track down and prove improper download of company computer files and addressing issues relating to computer management and inventory of data.
  • Represented a major U.S. company operating as a Covered Entity in the HIPAA context when an employee of a business associate stole and sold data regarding the client’s employees. Crowell & Moring ultimately persuaded the business associate to pay for all costs related to investigation and notification and obtained a broad indemnity agreement.
  • Represented a global provider of software to the energy industry in response to a security incident. Crowell & Moring handled all aspects of the incident response including notifications to individuals, state attorneys general, and its utility clients. We also worked with the client to develop post-incident processes that were satisfactory to the utility clients, including recommending changes to the customer application and data collection process for utility rebate programs.
  • Represented a large university system in a class action brought against it in state court under the California Confidentiality of Medical Information Act (CMIA) alleging that the university had improperly disclosed confidential medical information of more than one million patients. When Crowell & Moring was retained as successor counsel, the trial court had already denied a motion for summary judgment and the university was facing potential liability for statutory penalties exceeding $1 billion. We successfully resolved the action without any payment to class members.
  • Represented a transportation industry client in a breach involving sensitive employee information. Crowell & Moring coordinated the forensic investigation, reported to and assisted the FBI and local law enforcement in the criminal investigation, prepared notification to individuals and authorities, negotiated credit services, and assisted with public relations issues. No enforcement actions were brought, and the client received multiple letters from attorneys general praising its prompt and effective response to the situation.
  • Represented a County Organized Health System that contracts with the local health agencies to arrange and pay for the provision of state-subsidized managed care services to eligible members after a security incident involving a web portal. Crowell & Moring advised the client on notification obligations under HIPAA and state law and assisted with the risk assessment and notification decision.
  • Represented a Fortune 500 health care services provider in response to a stolen laptop containing sensitive information. Crowell & Moring assisted with forensics, notification to individuals and authorities, coordination of public communications, and the defense of state and federal regulator investigations.
  • Represented a global financial institution on a sophisticated international criminal attack involving theft of significant funds. The investigation involved coordinating with the insurance company and multiple federal law enforcement agencies and resulted in criminal prosecution and arrest of the attackers.
  • Advised a national retail chain on the theft of millions of financial information records, which involved an extensive investigation with federal and state law enforcement coordination and nationwide disclosures.
  • Handled protest litigation in federal court and the U.S. Government Accountability Office involving cybersecurity requirements, adverse past performance due to security breaches, and failure to develop and maintain a compliant federal cybersecurity program. 
  • Represented a national electronic data-management company in a third-party action between a New York City hospital and a security company over a data breach, succeeding in preventing the client from becoming a party to the litigation.
  • Assisted a Fortune 125 manufacturer after the FBI produced files showing confidential corporate data on foreign servers (including technology data of clients and vendors), counseled key stakeholders during initial crisis management, and prepared notice to government authorities for reporting inadvertent loss of export-controlled data; retained by the client to develop a corporate compliance program to safeguard export-controlled data against future security breaches.
  • Worked with a major aerospace company to manage a cyber breach by Chinese hackers that compromised employee files and personal data, developed the strategy and process for notifying government authorities and affected individuals, and defended the company and cooperated with the state attorney general’s office regarding the breach (avoided sanctions or fines).
  • Assisted a major construction company in response to an FBI subpoena for access to the corporate network following an APT breach of network and data; negotiated the scope and terms of government access to protect the company’s privileges and confidential data.
  • Defended a data-management company after an employee inadvertently transmitted data pertaining to students from 48 universities to the wrong university.
  • Represented a defense contractor whose vendor's system was accessed by a hacktivist group, compromising employee travel information and PII. Crowell & Moring assisted with the forensic investigation and coordinated notification to individuals and authorities with the vendor organization. We also assisted the client with internal notifications and employee relations issues.
  • Represented a major global consumer products trading company whose payment processing vendor inadvertently sent payment data to a third party. Crowell & Moring worked with the vendor to mitigate the situation and secure the data.
  • Represented a trade association client in investigating and responding to a cybersecurity attack, including preparing notification to individuals whose information may have been accessed, retaining and directing a forensic consultant to investigate the cyber incident, providing guidance to the client's employees to prevent similar incidents in the future, and assisting with outreach to law enforcement.