Polsinelli attorneys have a long history of counseling clients impacted by data breaches and other cyber incidents. In fact, one of our shareholders handled one of the first data breach cases shortly after California passed its breach notification law in 2003. Since then, our attorneys collectively have handled thousands of data security incidents and have counseled clients through nearly every conceivable breach, from system-wide ransomware attacks, cyber extortion events, and email system compromises to lost and stolen computer systems, ATM skimming incidents, website compromises, misdirected emails and employee theft. 

When an incident occurs, we provide comprehensive assistance, including overseeing forensic investigations and crisis management activities, notifications to affected individuals, regulators and payment card issuers, and responding to federal and state regulatory inquiries and litigation defense. We also assist organizations in preparing for data incidents by developing incident response plans, employee training and board counseling. Our interdisciplinary approach encompasses all data and system security aspects before and after an incident.

Polsinelli’s team includes

• Incident response attorneys who are some of the most experienced in the country
• Alumni of enforcement agencies charged with enforcing privacy and security regulations, such as the Department of Health and Human Services – Office for Civil Rights (OCR)
• Attorneys with international backgrounds who are equipped to counsel organizations on evolving international data breach regulations
• Former in-house data privacy attorneys who understand the regulatory landscape and the logistical and business considerations associated with incident response

Polsinelli attorneys have served a broad range of clients in multiple sectors, including

• Banking, credit union and financial services
• Health care providers, suppliers, technology and diagnostic companies
• Life science and pharmaceutical
• Senior housing and long-term care
• Technology
• E-commerce and managed service providers
• For-profit and not-for-profit education
• Tribal and gaming
• Insurance carriers, brokers and agencies
• Federal government contractors
• State and local government
• Manufacturing
• Accounting, legal and other professional services

Regulatory Investigations

Polsinelli is uniquely equipped to represent organizations in investigations brought by industry regulators, State Attorneys General and other enforcement agencies post-breach. Polsinelli attorneys have assisted clients in hundreds of data breach-related regulatory investigations. Team members include alumni of the United States Department of Justice (DOJ) and other enforcement agencies, including the U.S. Department of Health & Human Services – Office for Civil Rights. Having sat on the other side of the table, Polsinelli's attorneys understand the steps organizations need to take to be in the best possible position to respond to an investigation.

Tabletop Breach Exercises

In today’s complex risk environment, organizations should assume that it is not a matter of if it will suffer a data incident but when and prepare accordingly.

Incident response preparedness should not be limited to creating plans or procedures that are then filed away in a policy manual. Rather, organizations should test their preparedness and ensure key stakeholders have thought about how an organization will respond to an incident. Polsinelli’s Tabletop Breach Exercises are designed to do just that.

Polsinelli incident response attorneys are some of the most experienced in the country. Our attorneys draw from this practical experience and work with a client’s organization to develop a realistic breach scenario. Polsinelli attorneys will then facilitate a mock breach exercise that will require team members to:

• Rapidly assess a stream of incoming information
• Establish response strategies
• Think short-term and long-term about how various actions or inactions could impact the organization’s reputation and operations

The exercise can be conducted solely with an organization’s incident response team or built into a broader employee training session.