Establish who is responsible for the information

  • You must establish the precise legal identities of the organisations and individuals responsible for the information which is the subject of the breach:
    • they may have specific obligations to address the information breach, to notify public/regulatory authorities, or others (contractual counter-parties), and to establish the underlying facts
    • they may also bear ultimate civil, criminal or regulatory liability:
      • for the information breach itself
      • for any underlying problem which the information breach may have disclosed
  • You also need to address:
    • whether they need separate legal representation
    • whether you need specific measures to control document generation by them, or to preserve and secure existing documents
    • how they will interact with the incident management team
  •  As the law will vary from jurisdiction to jurisdiction, you should consider who is responsible for the information in the relevant jurisdictions and seek advice if the identity of the legally responsible person is not clearly understood in all relevant jurisdictions