Choose Site


Tech & Sourcing @ Morgan Lewis


The Morgan Lewis Data Breach Checklist is a practical tool that can be used as a guide in developing your incident response plan and as part of your data security and security breach response policies and procedures. The Data Breach Checklist provides a roadmap to follow in the event of a security incident, grouping the appropriate response procedures for a security incident into six phases.

We’ve provided a high-level summary of each phase below, but for a more complete resource, please consult the full Data Breach Checklist, which is available upon request from the contacts listed at the end of this post.

  • Phase I: Alert and Organization. This phase begins when a company is alerted to a possible data breach, at which time the company should record the date, time, and method of the alert and notify its internal Incident Response Team (IRT). The IRT generally includes representatives from IT, legal/compliance, outside counsel, HR, PR, customer service, and executive leadership. The company should identify an “Incident Lead” from its IRT. During this phase, companies should contact appropriate members of outside counsel (assuming outside counsel is not already a part of the IRT), consider hiring a forensic technology partner, and notify its insurance carrier. Also, it is highly recommended to check with counsel on the proper role and implementation of the attorney-client privilege during the data breach investigation.
  • Phase II: Initial Scoping Before Containing an Ongoing Breach. Within 24–48 hours of receiving the alert, a company should—to the extent possible—identify, document, and preserve the scope of the compromise. Also, consider notifications or other steps to take before actually stopping the breach that may prevent harm in the event that the act of stopping the breach alerts data thieves that you have discovered them. This interim step prior to halting the breach, although counterintuitive, is often vital to mitigating harm resulting from a data breach.
  • Phase III: Contain the Breach. Within 24–48 hours of the alert, you should—to the extent possible—gain an understanding of the full scope of the compromise. During this phase, take steps to contain and/or stop the breach in order to reduce any possible flow of data to unauthorized recipients.
  • Phase IV: Investigation. This phase should include a root cause analysis of the breach, the classification of the type of breach (e.g. hacking, internal, loss/theft of tangible data, etc.), and identification of all data that was compromised, including the type of information compromised and the names and locations of individuals whose information was compromised. During this phase, take steps to determine the nature of any recipients of the data—which can range from an employee or other trustworthy recipient who acquired the data in good faith in the course of business to unknown individuals or known “bad actors.” Companies should also take steps to determine the use, if any, of the compromised information. Prior to proceeding to the notification process outlined in Phase V below, unless otherwise required by law, companies should determine and undertake any necessary system or process security updates.
  • Phase V: Notifications (In Light of Information Developed in Phase IV). Prior to initiating any notifications, a company should develop a PR plan for potential media inquiries, consider notifying the company’s board of directors or other key stakeholders who should be notified before the public, and prepare for inquiries from affected individuals. If the breach involves criminal conduct (and depending upon the seriousness and other factors relating to the breach), the company should notify law enforcement. If required by law, or if it is recommended so that affected individuals can act to prevent further harm to themselves, notify the affected individuals. Consider any other notifications that may be required by law or by the type of information at issue, such as notifications to governmental agencies and/or state attorneys general. After the notification process is underway, evaluate any feedback from those notifications to determine if additional steps or notifications may be required.
  • Phase VI: Post-Notifications. Once the notifications described in Phase V are completed, companies should consider appropriate disclosures to other parties—including stockholders, investors, and the SEC, as applicable. Also, companies should consider available cost recovery mechanisms, which may include contractual or other legal obligations of responsible third parties, or claims under the company’s insurance coverage. During this phase, a company should prepare final executive, technical, and any other appropriate reports. Some of these reports may be covered by the attorney-client privilege. An important component of this phase is forward-looking, as you should also consider longer-term security upgrades or other measures to prevent reoccurrence of the security incident or similar events.

In addition to the specific procedures described above, the Data Breach Checklist emphasizes the importance of maintaining confidentiality, preserving evidence and information, and otherwise documenting events (along with dates and times), and the rationale for particular decisions throughout the data breach response process.

Please don’t hesitate to contact us for a copy of the full Morgan Lewis Data Breach Checklist. In addition, if we can be of assistance to you regarding your data collection, maintenance, protection, or suspected breach, contact a Morgan Lewis lawyer listed below:

Reece Hirsch | San Francisco
+1.415.442.1422 |

Mark L. Krotoski | Silicon Valley
+1.650.843.7212 |

Gregory T. Parks | Philadelphia
+1.215.963.5170 |