Cyber attacks have increased in frequency and show no signs of abating. From criminal hackers to nation-state intruders, organizations are constantly facing a barrage of threats from well-funded, dedicated and sophisticated adversaries. In this volatile environment, company management and boards of directors will be judged and held accountable—by courts, regulators, shareholders and the public—for how well they prepare for and respond to data breaches and other cybersecurity events.

Given the financial and reputational costs associated with data breaches and cyber attacks, companies need a law firm with significant experience managing these events and mitigating their associated risks.

Services

We work with clients to address a broad range of issues related to cybersecurity incidents, and have been called upon to assist with every phase of data breach management, from preparedness and prevention to mitigation and resolution. Our experience with data breaches runs the gamut; we assist clients with all types of events, such as helping to minimize fallout resulting from the theft of a laptop, managing the aftershock of a large-scale data compromise, and intervening in massive cyber-extortion schemes against publicly traded companies.

Our lawyers have served as lead counsel on watershed cybersecurity incidents with far-reaching, global implications. We have extensive experience working on cybersecurity matters with federal law enforcement authorities, the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), state attorneys general, EU data protection authorities and numerous other foreign government regulators.

Minimizing Risk: Breach Preparedness Activities

The best time to prepare for cyber events and data breaches is before they occur. While successful attacks may be inevitable, businesses can take steps to minimize the likelihood that they will be targeted by attackers and make it more difficult for hackers to obtain valuable information. We routinely work with clients on key breach readiness activities, including developing incident response plans and breach notification procedures; running executive-level tabletop exercises; crafting vendor management programs; analyzing cyber insurance portfolios; and engaging third-party experts in advance of an incident (including forensic investigation firms, credit monitoring and identity protection services, PR firms, call centers, and mail house and email distribution services). We also frequently meet with senior management to discuss cybersecurity legal developments, and have led numerous full board and audit committee discussions on these topics.

Post-Breach Counseling

When cybersecurity incidents occur, taking the right actions can restore consumer confidence and protect brands from further erosion. We handle all aspects of cyber events, including directing forensic investigations; analyzing legal requirements under state, federal and international laws; preparing regulatory and individual notifications; managing investigations and enforcement actions; handling discussions with payment card issuers; and developing board, business partner, public relations, call center and investor relations communications. We also provide ongoing privacy advice, conduct internal investigations, and address securities law issues and related topics to help companies emerge from the crisis that reverberates long after the triggering event. In addition, we handle the myriad resulting lawsuits involving consumers, employees, business partners, shareholders, insurers and others. We also work closely with internal legal and information security teams to conduct postmortem and lessons-learned exercises.

When a prior data breach or cybersecurity event is revealed in the course of an M&A transaction, the results can be devastating. Working together with our firm’s M&A lawyers, we guide companies through the risks and potential liabilities associated with inadequate privacy and data security practices in high-stakes corporate transactions. We work with clients to evaluate and address privacy- and data security-related challenges in the time-sensitive period preceding a transaction, and in post-closing integration.

Top-Tier Reputation

Our preeminent cybersecurity practice group has advised companies across industry sectors in the largest reported data breaches in history. Named the world’s leading global privacy practice by Computerworld magazine in each of its surveys of more than 4,000 corporate privacy leaders, our privacy and cybersecurity practice has been highly lauded for years. The Legal 500: United States ranked Hunton & Williams as a top firm for cyber law, data protection and data breach response. Chambers and Partners also has recognized the preeminence of Hunton & Williams’ privacy and cybersecurity practice in its Chambers Global, Chambers Europe and Chambers UK guides, identifying the firm in “Band 1” for privacy and data security. Our experience and commitment to excellence uniquely position us to advise companies around the world and across the spectrum of data breach and cyber events.

Experience

  • We have assisted clients on a wide range of cybersecurity incidents, including the following:

    • Represent Yahoo! in all aspects of its nation-state and criminal cybersecurity attacks that compromised more than 1.5 billion user accounts. We are managing the company’s responses to investigations by state, federal and international regulators and by business partners. We also directed the various forensic investigations and are handling 41 related class action lawsuits.
    • Assisted a major health insurer with a crippling ransomware event, potentially affecting nearly 50 enterprise clients and 4.7 million individuals. We assisted in the preparation of more than 100 communications documents, including legal memoranda, individual and regulatory notifications, and remediation materials.
    • Advised Morgan Stanley in its handling of a cyber attack perpetrated by an insider, including the company’s response to an SEC investigation and enforcement action, as well as an FTC investigation.
    • Advised JPMorgan Chase on its significant cyber intrusion involving more than 83 million households and small businesses.
    • Advised a Fortune 10 company with a data security incident extending to nearly 80 countries and affecting more than 4,000 enterprise customers and 90 million individuals. We managed the entire event globally and handled investigations by multiple international data protection authorities.
    • Represented a well-known global hotel company in its data breach affecting more than 100 hotels and over 40,000 payment cards, including directing the forensic investigations; managing all notifications to media, regulators and individuals; and handling all regulator investigations.
    • Represented a major global retailer that experienced a significant intrusion into its computer systems. This breach resulted in one of the largest payment card frauds in history. We advised the company on its compliance with relevant regulatory obligations, including notification to affected individuals, media outlets and state regulators. We also managed state and federal government investigations, an FTC enforcement action and federal law enforcement activities.
    • Assisted a health plan provider with its data breach involving 1.2 million individuals. We advised the company on its response to the breach, including directing the forensic investigation and advising on compliance with relevant regulatory obligations, such as notification to affected individuals, media outlets and government regulators. We also managed a state attorney general’s investigation and handled the class action lawsuit resulting from the incident.
    • Managed the New York State attorney general’s investigation of a prominent global hotel chain following a series of data breaches and negotiated a favorable settlement on the client’s behalf in connection with the investigation.
    • Represented a global financial institution that was victimized by a sophisticated international organized crime ring, which breached the company’s network and perpetrated a large-scale theft utilizing the ATM network. We led the investigation into the cyber intrusion, managed the breach notification response, worked closely with US and international law enforcement agencies, managed communications with financial institution regulators, assisted the company in assessing and responding to litigation risks from customers and other third parties, and defended the company in ensuing class action lawsuits.
    • Represented two large global retailers in their investigations into and responses to cybersecurity incidents involving the companies’ point-of-sale PIN entry devices. We oversaw the extensive forensic investigations using external consultants, coordinated with law enforcement, assisted with state attorneys general investigations, oversaw extensive and lengthy FTC investigations (successfully avoiding FTC enforcement actions), and advised on class action litigation.

Insights