Victor Schwartz, Co-Chair of Shook's Public Policy Practice, talked to Law360 about corporate obligations following a data breach in “'Meaningful Disclosure' A Must in Wake of Data Breaches,” a discussion of the recent massive data breach at Altaba (formerly Yahoo). The SEC fined the company $35 million for waiting two years to disclose the breach.
“[A] company's first move following a breach should be to assess its regulatory obligations, whether it be with the SEC in terms of its shareholders or the Federal Trade Commission to deal with privacy issues,” Schwartz said.
In addition, companies should notify clients and customers affected by the breach and advise them on what they can do to protect themselves. “If I tell you the building is on fire but I don’t tell you how to put it out, I’m not helping you,” Schwartz said.