Data Privacy and Cybersecurity: Crisis Avoidance and Management Strategies

The world is increasingly blanketed by laws governing data privacy and cybersecurity. Tough new laws and regulations have recently been enacted, or taken effect, including in Europe, Asia and the United States. In Latin America, the new Brazilian General Data Protection Law (LGPD), which will take effect in August 2020, is a powerful example of this trend.

Globally, companies are under increasingly stringent legal obligations to carefully handle corporate data. With regard to personal data, companies must comply with privacy protections in a broad range of areas such as initial data collection; daily data usage in the ordinary course; the transfer of personal data to vendors, acquirers or other third parties; and the sending of personal data to other countries.

These data privacy requirements go hand in hand with escalating requirements on data security. Under the laws of many jurisdictions, corporate cybersecurity programmes must now be at a certain level of substantive adequacy – often defined as ‘reasonable’ or ‘appropriate’ security. These mandates generally apply both to personal data and to other important corporate data, such as intellectual property or financial information. Companies are also increasingly required to disclose breaches of data security to regulators, affected individuals, counterparties and others.

Importantly, data privacy and cybersecurity are not just legal issues. They are crucial to the trust between a company and its stakeholders. People want to know that the companies they do business with, work for or invest in will handle data with care. Missteps in privacy and cybersecurity, therefore, can create a crisis with the potential to cut deeply into a company’s reputation and balance sheet.

A prominent example in the United States is Equifax. In 2017, Equifax, one of the leading credit reporting agencies, disclosed a data breach affecting the personal data of nearly 150 million Americans. USA Today reported on the incident under the headline, ‘Equifax image is battered by data breach as consumers feel violated.’ Equifax thus far has publicly disclosed over US$1.4 billion in breach-related expenses, including US$425 million to resolve dozens of government investigations and private lawsuits.

We discuss below some of the key legal requirements that apply around the globe, starting with a focus on certain jurisdictions in Latin America, and strategies for reducing legal and reputational risks related to data management. Many best practices can help mitigate the risks that may materialise into a crisis, but the bottom line is simple: prepare, prepare, prepare. Bad data events do happen to good companies. It is best to assume that such bad events, in time, will happen to yours. Companies are thus well advised to be ready to respond vigorously and transparently, with a focus on maintaining that all-important trust.

Latin America


Argentina

Key privacy and cybersecurity laws

Argentina enacted the Personal Data Protection Law Number 25,326 (PDPL) in October 2000.[2] Since 2003, Argentina has been recognised by the European Commission as a jurisdiction providing an adequate level of data protection.[3]

Key obligations of companies

Companies processing personal data must register their database or other data storage system with the Argentine Personal Data Protection Agency.[4] Personal data cannot be processed beyond the purpose for which it was collected.[5] Companies are obligated to ensure the accuracy of the personal data they process.[6] Prior to processing personal data, companies must provide notice to and obtain consent from data subjects.[7] The PDPL also requires companies to enact measures to guarantee the security and confidentiality of personal data that they hold and process.[8]

Key rights of data subjects

Data subjects in Argentina have the right to request information from data controllers and receive access to certain of their personal information.[9] Data subjects can also request the correction, modification or suppression of personal information stored by data controllers.[10]

Breach notification

There is not currently a breach notification obligation in Argentina.

Cross-border transfers

Transfer of personal data requires the consent of the data subject and is prohibited unless the receiving country provides an adequate level of protection.[11] In 2018, the Agency of Access to Public Information promulgated Provision 159/2018, the Guidelines and Basic Contents of Binding Corporate Rules for International Data Transfers. Similar to the use of such rules for data transfers out of the European Union, a company’s adoption of these model rules allows for the transfer of personal data from Argentina to a country that Argentina deems not to have an adequate level of protection.


Brazil

Privacy and cybersecurity

In July 2019, Brazil amended its new data protection law, the LGPD,[12] which was originally passed in August 2018 and will now go into effect in August 2020. The LGPD was inspired by the GDPR and, while not as extensive, it shares many similarities. The LGPD applies to all processing of personal data by private entities if the data is collected or processed in Brazil, or if the processing is for the purpose of offering or providing goods or services in Brazil. As amended, the law now creates the National Data Protection Authority (ANPD), which will be responsible for overseeing personal data protection compliance and implementing and enforcing sanctions.[13] In July 2019, the amendments were partially vetoed; the vetoed provisions were those establishing suspension of data processing and suspension of database operations as potential penalties. In October 2019, however, the National Congress reinstated both penalty provisions. While the LGPD does not take effect until August 2020, companies operating in Brazil or that collect personal data from Brazilian data subjects should begin taking steps now to achieve compliance in advance of the effective date.

Obligations of companies

The LGPD establishes 10 principles applicable to all data processing in Brazil,[14] key among them that all processing must be ‘for legitimate, specific and explicit purposes of which the data subject is informed’. Other key principles include limiting processing to the minimum necessary, free access and transparency to data subjects, and an obligation to ensure accuracy of data. Companies are also required to establish security measures to protect personal data and to appoint a data protection officer.

Rights of data subjects

The new law places ownership rights of personal data in the data subject,[15] and grants him or her the right to obtain access to and correction of personal data,[16] and the right to revoke consent to process his or her personal data.[17]

Breach notification

The LGPD creates a data breach notification obligation.[18] Companies must notify both the Brazilian authorities and data subjects of any ‘security incident that may create risk or relevant damage to the data subjects’. This notification must be completed within a reasonable time period and contain a description of the incident, the information involved, the measures taken to protect the data, the risks related to the incident and measures taken to mitigate the effects.

Cross-border transfers

The LGPD prohibits the cross-border transfer of personal data unless such transfer falls within a limited number of enumerated exceptions.[19] Exceptions include where the receiving country or organisation provides a level of data protection comparable to the LGPD or the data subject has provided specific consent for the transfer ‘distinct from other purposes’.


Chile

Key privacy and cybersecurity laws

Data privacy and cybersecurity in Chile are regulated by the Law for the Protection of Private Life (PDPL) of 1999.[20]

Key obligations of companies

Companies are required to provide notice to and receive consent from data subjects prior to the processing of their personal information, unless otherwise permitted by law.[21] Personal data can only be used for the purpose for which it was collected.[22]

Key rights of data subjects

Data subjects have the right to object to a company’s use of their personal data.[23] Data subjects also have the right to request modification and deletion.

Breach notification

There is not currently a general breach notification obligation in Chile. Financial institutions regulated by the Superintendence of Banks and Financial Institutions (SBIF) do have regulatory obligations – updated as recently as August 2018 – that require reporting any incident that affects business continuity, the entity’s funds or other resources, the quality of the entity’s services, or the image of the entity. The SBIF has stated that it expects these reports to be made within 30 minutes – an extraordinarily short window during a high-pressure situation.

Under certain circumstances, where an incident affects the continuity of client services or the security of clients’ personal data, the affected institution may also be required to report the incident to its clients. Client notifications must be made in a timely manner; there is no fixed deadline.

Cross-border transfers

There are no regulations on the transfer of data within Chile or across borders.


Colombia

Key privacy and cybersecurity laws

Colombia enacted Statutory Law Number 1581, which regulates data privacy and security, in 2012.[24] The law applies to personal data processed in Colombia or where a foreign processor is subject to Colombian legislation.[25] The law establishes eight principles for interpretation and application:

  • legality of data processing;
  • legitimate purpose for processing;
  • freedom for data subjects to control their personal data;
  • accuracy of data;
  • transparency in processing;
  • limitation of access to those with authorisation;
  • security of personal data; and
  • confidentiality of personal data.[26]

The Ministry of Trade, Industry and Tourism has enacted regulations pursuant to the law.[27]

Key obligations of companies

Companies must provide notice to and obtain consent from the data subject prior to or simultaneously with the collection of his or her personal data, except where the data is publicly accessible.[28] Prior to processing, companies must develop privacy policies available to data subjects, which must inform data subjects of their rights under the law.[29] At the request of the Superintendence of Industry and Trade, companies must be able to demonstrate that they have implemented appropriate and effective measures to comply with the law.[30]

Key rights of data subjects

Data subjects have the right to access their personal data held by data controllers at no charge.[31] Data subjects also have the right to request updating, rectification or suppression of personal data held by companies to ensure accuracy of the data.[32]

Breach notification

There is no obligation to notify data subjects of a breach in Colombia, but data owners and processors must notify the Data Protection Authority of security violations where there is a risk to the administration of data subjects’ information.[33]

Cross-border transfers

Transfer of personal data to other jurisdictions generally is prohibited where the receiving jurisdiction does not provide an adequate level of protection. Transfer can nonetheless be made where the data subject has provided his or her express consent.[34] Further, consent is not required for the transfer of personal data from a data controller to an overseas data processor, where there is a contract in place that complies with Article 25 of Decree 1377.[35]


Mexico

Key privacy and cybersecurity laws

Mexico enacted the Federal Law on the Protection of Personal Data Held by Private Parties in 2010.[36] The government has also issued regulations pursuant to the law, which came into effect in 2011; privacy notice guidelines, which came into effect in 2013; and parameters for self-regulation, which came into effect in 2014. The law applies to all data processing in Mexico, including when processing is done outside of Mexico on behalf of a Mexican data processor.

Key obligations of companies

Mexican law requires that all personal data must be collected and processed fairly and lawfully.[37] Further, personal data must be collected only for specified, explicit and legitimate purposes, and the amount of data collected may not be excessive in relation to the purposes for which it was collected.[38] Companies must take reasonable steps to ensure that the personal data in their databases is accurate and kept only for the time necessary to effectuate the legitimate purpose for which the data was collected.[39] Companies must also appoint a personal data officer or department[40] and establish risk-based security measures at least as robust as used to protect the company’s own data.[41]

Key rights of data subjects

Individuals in Mexico have the right to access and correct personal data, oppose the processing of personal data,[42] and revoke consent to the processing of personal information.[43] Individuals also retain the right to be notified prior to consenting to the processing of personal data.[44]

Breach notification

Mexico requires breach notification to affected data subjects where the incident materially affects the property or individual rights of a subject.[45] The notification must include information regarding the nature of the breach, the personal data compromised, recommendations to the data subject to protect his or her interest, corrective actions implemented by the company and a method for data subjects to obtain further information.[46]

Cross-border transfers

Consent is generally required to transfer personal data across borders, and privacy notices in Mexico must inform data subjects when companies intend such a transfer. The transfer cannot exceed the scope of the disclosure in the Privacy Notice, and the receiving company must follow Mexican data privacy law.[47]


Peru

Key privacy and cybersecurity laws

Data privacy and cybersecurity in Peru are regulated by the Law on the Protection of Personal Data (DPL), which was enacted in 2011.[48] Additionally, the Peruvian government issued the Security Policy on Information Managed by Databanks of Personal Data in 2013.

Key obligations of companies

Companies may collect personal data only by legal methods,[49] and may collect and process personal data only after giving notice to and obtaining consent from data subjects for the collection and processing.[50] Data processing must be both proportional and non-excessive in relation to the legitimate purpose of collection.[51] Companies must work to ensure the accuracy of data collected and processed,[52] and implement the security measures necessary to protect personal data.[53] All personal data must be given an adequate level of protection.[54]

Key rights of data subjects

The rights granted to data subjects under the DPL include the right of access to a data subject’s personal data,[55] the right to be informed of the purpose of collection and how the personal data will be processed,[56] the right to request the correction of personal data,[57] the right to oppose the processing of personal data,[58] and the right to refuse to provide personal data.[59] The DPL also grants data subjects the ability to pursue legal claims against companies that violate their data privacy rights.[60]

Breach notification

Companies must provide notification to data subjects of ‘any incident that significantly affects their property or their moral rights’. Such notification must include a description of the incident, the personal data affected, information for the data subject on how to mitigate the potential damage and the remediation steps taken by the company.[61]

Cross-border transfers

The transfer of personal data outside of Peru is generally allowed as long as the destination country provides adequate data protection measures. If the destination country does not provide adequate protection, transfer may still occur where the receiving party agrees to comply with the DPL, where the transfer is necessary pursuant to a contractual relationship with the data subject, or with the data subject’s informed and express consent.

Global developments


China

China continues to be one of the most active countries in expanding data privacy and cybersecurity regulation, building on past years’ efforts.

China’s new E-Commerce Law came into effect on 1 January 2019. The law requires registration by e-commerce vendors operating in China. It further reiterates e-commerce operators’ obligation to comply with Chinese personal data protection regulations, including providing customers with procedures allowing them to correct, erase or enquire about their personal data.

In May 2018, the Chinese government published the final version of the ‘Personal Information Security Specification’, a set of best practices for businesses operating in China. The Specification is intended to set a baseline reference for regulatory bodies in China to use when evaluating how companies protect personal information. Similar to other data privacy laws, the Specification emphasises that a data subject’s consent is required to collect data and that the data should not be retained beyond the minimum necessary period. The Specification also suggests substantive best practices for organisations, including incident-response planning (e.g., mock incident exercises), and preparations for notifying individuals in the event of a data breach.

The Chinese government also enacted the Cybersecurity Law in June 2017. Despite some concern that the Law was unclear, Chinese authorities wasted little time in bringing enforcement actions under the Law, with the first public actions reported in August 2017. The Law imposes substantive requirements on ‘network operators’ as well as ‘providers of network products and services’ to ensure that they are securing their data, and have adopted appropriate incident-response plans and contingency measures in the event of a data security incident. Throughout 2018, the Chinese government published many draft guidelines to assist companies in compliance with the law, including the Draft Guidelines on Multi-Level Protection Scheme for Information Systems; the Draft National Standard of Information Security Technology – Guidelines for Personal Information Security Impact Assessment; the Draft National Standard of Information Security Technology – Guidelines of Data Security Capability Maturity Model; and the Draft Guideline for Internet Personal Information Security Protection.

In June 2018, the Chinese Ministry of Public Security published a draft regulation under the Cybersecurity Law that would impose new requirements on network operators, requiring that they classify the risk inherent in their network and impose appropriate controls based on the risk level.


European Union

On 25 May 2018, the EU General Data Protection Regulation (GDPR) took effect across the European Union (including the nations of the European Economic Area). The GDPR imposes substantial new privacy and security requirements, which apply to companies with ‘establishments’ in Europe. But the GDPR also applies to companies around the world – including in Latin America – that target or monitor EU citizens.

Regarding privacy, EU data subjects now enjoy significant new rights to receive robust notice upfront of how their personal data will be used. EU data subjects also now have the right to access, correct and even delete their personal data that is held by companies. Companies, in turn, are under tough new requirements to process personal data only for the limited purposes that the GDPR permits. The GDPR also limits the ability of companies to transfer personal data outside the European Union.

GDPR is best known as a privacy regulation, but it also has a significant cybersecurity component. The regulation mandates that companies maintain substantive cybersecurity protections at a level ‘appropriate’ to the risk of harm if the data was compromised. Companies are now also required to disclose certain data breaches to government regulators and, in certain circumstances, to the affected individuals. Disclosure to the relevant regulator or data protection authority is generally due within 72 hours – an extremely short time frame that makes clear the importance of being prepared to respond to an incident.

Since the GDPR came into effect, EU supervisory authorities have demonstrated their willingness to use their newfound enforcement powers aggressively, imposing hefty fines on companies including Google and Marriott. The new operational cost to companies is illustrated by the fine imposed on a Swedish-headquartered data analytics firm for failing to mail privacy notices to over 6 million people, despite the fact that the cost of that mailing would have exceeded the company’s turnover for the year. The most substantial fines thus far have related to data breaches, but there also have been smaller fines imposed on companies for alleged over-collection, misuse or misconfiguration of data without any breach.

United States


California

In the summer of 2018, the US state of California adopted a significant new consumer privacy statute, the California Consumer Privacy Act (CCPA). The CCPA will apply to for-profit companies of all kinds when it takes effect on 1 January 2020. Most notably, the CCPA requires companies to allow consumers to opt out of the sale of their personal data. Covered companies also are required to give consumers extensive notice of how their data will be handled. Individual consumers have broad new rights to compel companies to provide access to their data, and to correct or delete it – similar to the GDPR.

In September 2018, the California legislature amended the CCPA to exempt entities subject to the federal Health Insurance Portability and Accountability Act (HIPAA)’s Privacy Rule. The amendments also exempted ‘personal information collected, processed, sold or disclosed pursuant to’ the California Financial Information Privacy Act and to the federal Driver’s Privacy Protection Act of 1994. These exemptions are not entirely safe harbours – some of a company’s uses may not fall within the exemptions.

Although the 2018 amendments did not extend the 1 January 2020 implementation date, they did specify that the Attorney General of California may not bring an enforcement action until the earlier of six months after publication of final regulations or 1 July 2020. The Attorney General has warned companies not to treat this delay in enforcement as a safe harbour. Public comments on draft regulations released by the Attorney General in October 2019 are being accepted until early December 2019, after which public hearings are expected.

California has also passed a series of amendments widely expected to be signed into law by the state’s governor. Of particular interest to businesses, the amendments carved out of the CCPA the personal data of employees and job applicants, as well as personal data obtained in the context of M&A diligence. Both carveouts are subject to one-year sunset provisions, meaning they will expire on 1 January 2021 unless the legislature acts again.

The CCPA is focused primarily on data privacy, but also has a security component. The CCPA grants consumers the right to sue and receive generous money damages in the event of a data breach. A separate, pre-existing California statute also requires companies to take ‘reasonable’ cybersecurity measures to protect personal data.

New York

In mid-2019, the US state of New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which created new substantive cybersecurity requirements. The SHIELD Act also expanded the definition of personal information in New York’s data breach notification requirements.

The SHIELD Act requires any person or business that owns or licenses the computerised personal information of any New York resident to ‘develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data’. The law does not precisely define ‘reasonable’ security, but offers some guidance on minimum expectations. It appears this is intended to be an evolving standard, which will likely become more stringent over time, as the collective definition of an objectively appropriate cybersecurity programme evolves to match developing threats.

An entity is deemed compliant with New York’s new ‘reasonableness’ standard if it is subject to, and compliant with, certain other cybersecurity regimes: the federal Gramm–Leach–Bliley Act, the federal healthcare standards, the New York Department of Financial Services (NYDFS)’s Cybersecurity Regulation (DFS Part 500), or any other data security rules and regulations promulgated by the federal or New York state government.

In 2017, DFS Part 500 imposed severe new cybersecurity regulations on financial institutions. The regulation requires, among other things, a regular risk assessment process; the regular maintenance and updating of a cybersecurity programme based on the risk assessment; oversight of third-party vendors; employee training; and certain specific technical measures. In particular, encryption and multifactor authentication are required in certain circumstances. Breaches must be reported to the NYDFS within 72 hours.

Both the SHIELD Act and DFS Part 500 have national and global implications, including in Latin America, because financial institutions from around the world do business in New York under licence from the NYDFS and own and license New York residents’ information.

Other states and the federal government

All 50 US states now have breach notification laws, many of which have recently been strengthened. For example, like New York, New Jersey has expanded its definition of ‘personal information’ to include a username or email address along with a password or security question and answer that would allow access to the account. Massachusetts amended its data breach law to require, among other things, that a company offer free credit monitoring for breaches that involve Social Security numbers.

There is no general breach notification requirement at the federal level in the United States. Notice of certain breaches involving healthcare data is required under the federal HIPAA statute. Financial institutions regulated under the federal Gramm–Leach–Bliley Act are subject to regulatory agency guidance instructing them that they should give notice of breaches.

Best practices for risk reduction and crisis management

This section focuses on how companies may respond to data breaches in a way that both meets any legal disclosure obligations and preserves trust with their stakeholders. While the guidance here is focused on security breaches, it also applies in large measure to privacy breaches that are unrelated to security issues.

Substantive cybersecurity measures

As noted, the emerging global law of cybersecurity typically states that a company’s security programmes must be ‘appropriate’ to the risk (e.g., GDPR) or ‘reasonable’ (e.g., California law and HIPAA), or uses similar terminology. Notably, both the GDPR and the LGPD require ‘technical and organizational’ measures – meaning that the cybersecurity programme must combine policies and procedures, such as a well-tested incident-response plan (discussed below), with strong technical protections (e.g., encryption of sensitive data).

Collectively, this means that cybersecurity is not simply the domain of technical experts. The required level of protection is risk-based, and should contemplate the sensitivity of the data in question; the risk of harm if a given data set were compromised; whether best practices as recognised by the technical community are in place; and whether the cybersecurity programme is regularly evaluated and improved based on the evolving threat profile.

It is safe to say that certain measures have already been so widely embraced by the security community that they would be part of almost any ‘appropriate’ or ‘reasonable’ cybersecurity programme. As noted, encryption of data, both at rest and in transit, is required by the NYDFS cybersecurity regulation. So is the use of multifactor authentication – that is, the use of both a password and a second entry credential, such as a short-term code transmitted to the user by text message, to access an account.

Threat vectors and best practices are constantly evolving. So too will the technical community’s understanding of what are ‘reasonable’ or ‘appropriate’ security measures – and the law’s understanding. Companies should thus encourage strong communication among their information security, legal and compliance teams. This will help companies recognise and respond to new technical standards as they begin to shape into legal standards.

The incident-response plan

Good preparation begins with having a written incident-response plan (IRP). Strong IRPs have a number of recognised elements.

The IRP should identify all the key teams within a company that are essential to cross-functional incident response. Typically, the IRP will assign primary leadership roles to the information security team and the legal team. Other teams with key roles include the C-suite; communications, including media relations and social media; risk; human resources; and government relations. The privacy team and the information technology team – to the extent these are separate from information security – should generally be included as well.

The IRP should identify the specific personnel members who will form the company’s incident response team (IRT). Each business unit should have both a primary and backup person designated. Contact details for each person should be listed, including business contact information, personal email addresses and mobile phone numbers that can be used if corporate systems are compromised.

The IRP also should identify key external resources that may be engaged in an incident. The list of key external resources should typically include:

  • external counsel;
  • at least one external forensic vendor;
  • law enforcement;
  • relevant regulatory agencies;
  • the company’s insurance broker and carriers;
  • key members of the company’s external board of directors; and
  • a crisis communications consultant or vendor who can handle large-scale mailings to affected customers or shareholders.

Once again, both work and non-work contact details should be included. Many of these stakeholders should not just be listed in the IRP but should be engaged in its preparation and testing, so that they are aware of the role they would play in a breach.

External counsel and the external forensic consultant should be brought together with other key IRT members ahead of any breach so that they can all become familiar with the company’s relevant systems, policies, procedures and personnel. As the saying goes, ‘do not meet your team for the first time on the day of the game’. External counsel have a key role to play in ensuring that legal requirements are met and that the legal privilege applicable to the work of the IRT is protected to the maximum extent possible under local law.

The IRP should spell out a process for classifying incidents according to their severity and the degree of certainty regarding the facts. There is usually an early period during which an incident is suspected but not yet confirmed. It is usually best that a smaller ‘core team’ take charge of evaluating potential incidents and responding to less severe incidents. The broader cross-functional team should be engaged to help respond to larger incidents once the facts are confirmed or if there is an extended period of uncertainty.

The IRP should provide a process for responding to confirmed incidents. There should be clear pre-defined roles for each IRT member. Someone should be designated to chair the IRT and to keep a record of its work. Key documents that are likely to be needed as part of a breach response – such as notices to regulators, to affected data subjects and to the press – should be drafted in advance and appended to the IRP, with blanks left for the facts specific to a given incident.

The IRP should be as short and clear as possible. The goal is to have IRT members actually rely on and utilise the IRP in the event of a crisis. The longer and more complicated the IRP is, the greater the chance that people will simply disregard it.

Testing the incident-response plan

A well-written IRP and a well-defined IRT are essential to strong incident response, but they can be ineffective if they are not also well tested. Incident-response simulation drills, known informally as ‘tabletop’ exercises, have become an important part of many corporate cybersecurity programmes.

The best tabletops are prepared with an eye toward the specific facts and circumstances of the company. Certain personnel (often external counsel or forensic consultants) are designated to prepare the tabletop scenario, in isolation from the participants in the tabletop. This ensures that participants are responding during the drill without prior knowledge of the ‘facts’.

On the day of the drill, the members of the IRT (or whatever business units are part of the drill) gather in a room, or via teleconference or video link. The person responsible for guiding the drill then announces the ‘facts’, revealing additional facts periodically as the drill proceeds. Tabletops can last anywhere from a couple of hours to a whole day.

Over the course of the tabletop, the moderator announces a series of new factual revelations according to a stated timeline: it is Tuesday at 10am, and the hacker just did X; now we assume it is Thursday at 2pm, and law enforcement just announced Y; and so on. With each factual revelation, different participants are called on to state what they would do, and how and with whom they would communicate. There is active discussion between all participants throughout.

The results of the tabletop are often processed in two stages. Before people leave the room at the close of the drill, they step out of the role-playing format and have an immediate discussion about the lessons learnt from the drill. Afterward, thoughts are collected from participants in a more systematic manner, and the lessons learnt are incorporated in the form of revisions to the IRP.

Responding to an actual incident

With a well-tested IRP in place, a company is prepared to respond to an actual incident:

  • the IRP is activated and the IRT is periodically brought together at a set time and place. As the facts are confirmed, necessary notifications begin to go out – to civil regulators, data subjects, the press, the board, employees and other stakeholders;
  • technical measures are implemented to protect the company’s systems: for example, malware is removed from infected computers, or backup systems are activated to work around a ransomware attack that has disabled the main systems;
  • a careful record is kept of all key incident response steps, with one or more IRT members specifically designated to act as the secretary or archivist of the process;
  • if criminal activity is suspected, the company makes a decision as to whether and how to engage with law enforcement;
  • evidence that may be needed to document the events is carefully retained. For example, any cleansing of infected computers is conducted by the information security team or outside forensic experts in consultation with counsel and law enforcement, so that evidence necessary for subsequent investigations and legal proceedings is preserved; and
  • all participants in the breach response process are cautioned to communicate carefully. Secure, out-of-band communication channels (such as the personal contact details recorded in the IRP) should be used until it is certain that intruders are no longer present on company systems.

As the days and weeks go by, the crisis atmosphere will begin to recede. Immediate forensic and communications measures are completed. The company can then begin to engage in a ‘lessons learned’ exercise. This involves going beyond the purging of infected computers to consider and address any more systemic weaknesses identified by the breach. Longer-term remedial measures in a large company can easily take months or even years to complete. A ‘lessons learned’ exercise specific to the work of the IRT is often useful as well, and can lead to positive improvements to the IRP.

The importance of communications in minimising legal and reputational harm cannot be overstated. The guidance here is simple: companies survive breaches best when they communicate early, clearly, accurately and tersely. There is an understandable wish to deny or minimise a cybersecurity problem, rather than admit embarrassing facts. At the other extreme, there can be a temptation to state the details with great precision, to encourage the impression that the company is fully in command of the situation. But cybersecurity incidents often do not lend themselves to either approach. Cyber forensics take time, and the facts are rarely clear at first.

Accordingly, an early statement along the lines of ‘we are aware of suspicious activity, we are investigating and we will post updates as we know more’ will often be most consistent with the facts. A company that denies the problem, or that prematurely states uncertain facts as if they were definitive, may then have to issue corrective statements as the facts change. This can create the impression that the company is not candid or competent. That, in turn, tends to create reputational damage and increases the chances of tough legal scrutiny from regulators and courts. As legal requirements for prompt breach disclosure grow, clear and careful early communication becomes ever more important.


Legal requirements concerning cybersecurity and data privacy are continuing to multiply in the Americas and around the globe. As they do, global standards are emerging for what a corporate cybersecurity and data privacy programme should look like in the ordinary course, and for how to respond when things go wrong.

History and the law provide this simple message: companies that prepare for the worst will respond the best. The key is to have a robust suite of cybersecurity and data privacy measures designed to reduce the chances of a crisis, accompanied by a robust plan for incident response when the crisis inevitably hits. That plan should be practical, business-friendly, cross-functional, written clearly and compactly, and well tested. Above all, response plans should be designed to preserve and build trust, through clear, prompt and careful communication and action followed by effective long-term remediation.


[1] Jeremy Feigelson is a partner and co-chair of the global cybersecurity and data privacy practice, Andrew M Levine is a partner, and Christopher Ford, Joshua Smith and Stephanie Cipolla are associates at Debevoise & Plimpton LLP.
