Establish who is responsible for the data

It is important to establish the precise legal identities of the companies and individuals responsible for the data that has been subject to the breach as:

  • they may have specific obligations to address the data breach, to notify public/regulatory authorities, or others (contractual counter-parties), and to establish the underlying facts
  • they may also bear ultimate civil, criminal or regulatory liability:
    • for the data breach itself
    • for any underlying problem which the data breach may have disclosed

To determine which data privacy or similar laws may be relevant, it may also be important to establish the location of the servers (and any other processing equipment) holding the relevant data, including copies of that data.

You also need to address:

  • whether they need separate legal representation
  • whether you need specific measures to control document generation by them, or to preserve and secure existing documents
  • how they will interact with the incident management team

As the law will vary from jurisdiction to jurisdiction, you should consider who is responsible for the information in the relevant jurisdictions and seek advice if the identity of the legally responsible person is not clearly understood in all relevant jurisdictions.