
Breach Investigation and Notification


The Spencer Fane Data Privacy and Cybersecurity team provides support to companies in cyber crisis mode, not only to meet legal requirements for data breach notifications and disclosures, but also to determine how and why a breach occurred. Our attorneys have the depth and breadth of experience and readily available resources necessary for swift and detail-oriented responses, allowing clients to minimize interruptions to operations and financial loss and to maintain the trust of their customers, vendors, and other partners while working through a difficult situation.

Because each cyber incident is unique, our attorneys give each case the individual attention and tailored service needed to ensure the approach is appropriate based on the needs of the company and the industry involved. When we learn of an incident, we don’t make assumptions or pull template policies or procedures, but instead work to identify the specific details of the incident and apply the necessary resources to effectively manage the situation from start to finish.

When taking action, our attorneys always focus on what’s best for the client and its operations. While we take into account national best practice standards and what others in the industry have been doing, we tailor each solution to the client’s needs. Our team develops a suggested course of action based on experience to guide the development and execution of effective incident response plans, analysis of breach notification requirements, management of notification obligations, work with affected business partners, and resolution of resulting regulatory investigations or litigation.

Representative Experience 

  • Analyzed a wide variety of privacy and security incidents occurring within organizations that are covered entities or business associates to determine the probability of compromise to the protected health information and whether notification is required under HIPAA or state law.
  • Managed the investigation of a breach at a large physician group that included financial information collected through an online payment portal and online employment applications and provided notifications to affected individuals across 42 states.
  • Coordinated the investigation and notification process on behalf of a critical access hospital following the unauthorized access and disclosure of patient records by one of its former employees.
  • Participated in the development of notifications on behalf of one of six covered entities affected by a business associate breach that involved collective notification to over 3 million individuals.
  • Managed the incident response of a consumer products firm regarding a breach of customers’ personal data from its e-commerce platform, including investigation, response and notification requirements.