‘Don’t screw up the notice’

By Chad Hemenway on June 14, 2014

PHILADELPHIA—Attorneys speaking here at the NetDiligence Cyber Risk & Privacy Liability Forum said the road to potential litigation following a data breach starts with notification letters.

The language chosen to construct a notification letter to affected consumers can mean millions of dollars down the line. Letters have been used in litigation to demonstrate inadequacies and misrepresentations.

“Don’t screw up the notice,” Robin Campbell, senior counsel and co-chair of Crowell & Moring’s Privacy & Cybersecurity Group, answered flatly when asked how companies can stay unattractive to plaintiffs’ attorneys.

Chandler Givens, the only plaintiffs’ attorney on the panel discussing breach and coverage litigation, said there is no mystery to acquiring clients. Websites tracking breaches are readily available and when a firm recognizes a viable opportunity, it purchases a Google advertisement.

He agreed discrepancies in the notice—mixed messages within the notice language, what company leadership is saying and what counsel is saying—raise red flags. If everyone within and hired by the company is not on the same page at the start, it implies confusion and uncertainty.

“If they don’t know the message, God knows what else they don’t know,” Givens said.

It is important to hire counsel—a breach coach—to craft a unified company message without making any false claims or misstatements. “You need to choose words carefully in the letter,” said Ted Kobus, partner at Baker Hostetler.

Panicked companies have sent out notices without consulting counsel. The result is the release of information companies “don’t want to be sending to millions of people,” added Campbell.

During a later panel, Bob McEwen of McEwen and McMahon offered this advice for data breach notification-letter writing: “Here’s what we know, here’s what we don’t know, here’s what we’re doing and here’s how we’re helping consumers.”

Corporate public relations must work with breach coaches to “craft messaging that won’t lead to class-actions,” he said. “Communicate but communicate information not subject to change.”

In-house PR is more often than not retained for marketing and communications purposes, not crisis management, McEwen added. If the PR division does have crisis management experience, it is not likely in the context of a data breach.

Notification letters may be more important than ever if Givens’ courtroom observations are accurate. He said he has noticed a shift at the pleading stage: recognition that people are really affected by data breaches.

Lawsuits have failed when plaintiffs had to prove damages suffered, but that “sentiment is tired,” insisted Givens.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].