Welcome to our seventh Data Security Incident Response Report (DSIR). It has been quite a year from many perspectives. Thank you to everyone we have continued to partner and work with to create this report.

We are excited to soon launch a new digital platform version, and we intend to update this version throughout the year with real-time data. The DSIR will continue to share data and insights about security incidents, regulatory enforcement actions, class actions, transactions, digital innovation, compliance projects, data governance, and advisory matters to help organizations develop solutions to address the issues that data and technology create.

We kicked off 2020 with the formation of a practice group focused on “everything data”—the Digital Assets and Data Management (DADM) Practice Group. At that time, no other law firm had prioritized these issues on the practice group level. We had big plans associated with the launch of DADM, and like those of everyone else, our plans for 2020 were disrupted. Fortunately, however, the members of our group quickly pivoted to meet the evolving needs of our clients. Also, the timing of our launch was fortuitous. Before the pandemic, it was already a cliché to say that every company is in some way a technology company. This is definitely the case after COVID-19 due to remote working and the temporary closure of brick-and-mortar businesses.

The DSIR we published in April 2020 anticipated some of the work-from-home challenges due to the pandemic. Our teams went from spending a significant amount of time on-site with clients to learning how to engage, advise, and train through videoconferencing. We scrapped a six-month effort to have a vendor build us a custom data security incident case management solution and, instead, had our IncuBaker legal technology team build it using existing resources. We saw some (but not many) incidents occur due to the rush to support remote work. In the summer and fall, we faced a surge of ransomware matters. Then, we definitely experienced an impact from the pandemic (in practical ways, such as dependence on technology that was not available heightening the need to pay a ransom and challenges in collecting evidence to do an investigation). Collaboration, teamwork, and resilience, helped us face these pandemic-driven obstacles and solve problems.

It would not be appropriate to discuss the past year without also addressing systemic racism and inequities seen across underrepresented minority groups. Diversity, equity, and inclusion are priorities for our practice, and significant time has been spent by leaders in our group to address these issues as part of our strategic planning. Law firms generally still have a lot of work to do in this regard; however, it is worth noting that: over 50% of our practice group is composed of female lawyers, nearly 30% of our lawyers are persons of color or LGBTQ+, and women and persons of color hold over 70% of our group’s leadership positions. We will continue our commitment to not only hiring lawyers and staff from underrepresented groups but also integrating them into our group once they are hired so that they have a successful path forward.

We hope you enjoy this edition of the DSIR, and we welcome you to contact our DADM group members with questions or suggestions.

Photo of Theodore J. Kobus III Theodore J. Kobus III

Ted Kobus stands at the forefront of cyber protection — no small role in an era defined by crippling data breaches and daily digital threats. He has earned authority in the areas of privacy, data security and cybersecurity, leading clients to entrust him…

Ted Kobus stands at the forefront of cyber protection — no small role in an era defined by crippling data breaches and daily digital threats. He has earned authority in the areas of privacy, data security and cybersecurity, leading clients to entrust him with more than 6,000 data breach responses. Businesses, government and other organizations turn to Ted for sound advice on compliance, developing response strategies, breaches implicating domestic and international laws, and defense of both class action litigation and regulatory actions. Notably, he has developed key relationships with the U.S. Department of Justice (DOJ), where he and his team have helped to establish protocols to protect corporate victims following a data breach. He knows the most proactive regulators involved in this space and interacts with them regularly.

Ted has led the defense to hundreds of regulatory investigations, including those brought by the Attorney General Multi-State, Department of Health and Human Services Office for Civil Rights, Departments of Insurance, SEC and FTC. In the healthcare space, Ted has defended more than 200 OCR investigations and has negotiated more privacy/security-related resolution agreements than any other lawyer.

Ted is consistently ranked in Chambers USA: America’s Leading Lawyers for Business, and he is one of only a handful of attorneys nationwide named an MVP by Law360 for Privacy and Consumer Protection. He is a regular contributor to BakerHostetler’s Data Counsel blog, and he frequently speaks at major industry events regarding data breach response, risk management and litigation issues affecting privacy. Ted has spoken at the National Association of Attorneys General on data security issues in a closed session, as well as the National Security Cyber Specialist’s Training Conference organized by the DOJ.

Ted is the firmwide chair of BakerHostetler’s Digital Assets and Data Management Group and a member of the firm’s Policy Committee.