Failure to Disclose Data Breach May Include indiviudal CRIMINAL Liability FOR IN-HOUSE COUNSEL

Last updated on September 8, 2020

Take a deep breath. First off, the risk of potential personal or criminal liability discussed in the article noted below stems from the U.S. Second, it relates to a particular set of circumstances involving Uber and a U.S. Federal Trade Commission Investigation. Take another deep breath. Ok, give this post from Vinson & Elkins a read as it does raise many salient points for Canadian GC’s to consider, especially where the organizations they work for have operations in the U.S., especially in consumer markets.

General Counsel and in-house legal departments have long struggled with articulating the risk of and determining the appropriate response to breaches of the company network and the potential exposure of confidential information about employees and third parties. It’s rarely a simple question. Even defining a breach is not a straightforward task. And, decisions about whether to disclose, what to disclose, and how soon to disclose are often intertwined with one another and hampered by incomplete and emerging facts. Disclosing “everything” to everybody is not realistic or advisable. General Counsel know this is an area where being second guessed goes with the territory. But until now, criminal prosecution of individual company executives was not one of the expected consequences of not having disclosed an issue. After the recently announced felony charges against a former Uber executive for failing to inform the FTC of a breach, General Counsel should now consider this disturbing possibility and how to mitigate this risk.

Read the full article at Vinson & Elkins.