In recent months, a number of major brands have faced complex legal and reputational risks that arose from the hacking of email fulfillment vendors.

These cases generally present the following challenges:

  1. Gaining a technical, business and legal understanding of what happened, to who, when and how, and developing privileged and unprivileged messaging about the event to interested constituencies;
  2. Analyzing US and non-US notice obligations to customers, business partners, government and others, as well as assisting with identifying the judgment calls regarding such notice that must often be made, in real time;
  3. Monitoring and helping in discussions with responding/complaining customers, including developing scripts, protocols and a risk-based triage approach;
  4. Analyzing relevant insurance coverage and coordinating with in-house insurance experts or brokers on notice to carriers and responses to initial denials;
  5. Preparing a litigation-ready story, and advising the on privilege issues that arise during investigation and response activities.

In light of these recent email vendor breaches, forward-looking and consumer-focused companies are working around these ongoing challenges:

  1. Your own company's policies, procedures and training, including event and litigation-preparedness ("is my own house in order?");
  2. Knowledge/due diligence concerning vendors on these issues ("are we working with the right people and how do we measure that?");
  3. The process/flow among the company and its business partners ("do we have to outsource this work at all, and, if so, is there a simpler or lower risk way to do design the system?");
  4. The information being collected ("what are we collecting, how long are we keeping it, and why?");
  5. Contracts/indemnification provisions and insurance coverage ("if the worst happens, do we have the right contractual protections and insurance coverage?").

The recent data security breaches have highlighted legal and reputational vulnerabilities for the national brands. No amount of spending on data security technology or attention to policies, procedures and training on consumer privacy issues at the national brands immunizes one from reliance on vendors. Their data security events end up becoming yours. The letter notifying customers of such a breach ends up on your letterhead.