Lots of people asked me if I had lost my mind! I already have a busy practice, and a young family. Not a lot of time on my hands, in other words. But the decision was simple. I wrote this book because it didn’t exist, and I thought it should. There are lots of freely available charts and lists of laws, and a few books that put short summaries –on a law-by-law basis- in our hands. But I wanted more. I wanted an analysis that walked me through from when I first received the client call about a suspected breach, through the investigation, to the details and minutia of notification, and beyond. This book is my attempt to give myself, and everyone else, just that. It isn’t limited to a country, or a type of industry.
The goal in my practice is to give my clients the tools to make a good decision, and to deliver information in an easy-to-understand and practical way. This book was my opportunity to do that on a broad scale.
This book was written for those of us in the business of dealing with data breaches –whether as outside counsel, in-house attorneys, IT teams, investigators, or anyone else.
I hope people use this book in a few different ways. First is the most obvious: they will use it to answer questions about whether there is a need to notify, and if so, how to do that. This book is also meant to help explain to senior leadership –and to government regulators- just how many overlapping requirements there are. I'd like to see this book serve more than just those responding to a breach, but also those receiving those same notifications. And it may even help with our national debate about data breach notification laws. Should there be more? Less?
As we contemplate changing the regulatory landscape, we can collectively imagine what those changes would look like through the lens of this "how to" book. Will the "how" be even longer? Shorter? Will we have to answer more questions during our investigatory process? Will there be more nuances in the "when to notify?"
No work is ever done. Although I think this book will be helpful –I know since I finished it that it has been for me, and for my clients! – there is more to be done. That is doubly true of this one. This is the first edition, and there will be more changes in the law, more situations that practitioners will need interpreted, and more laws to discuss. The second edition is already in the works. So if you think we should cover something that isn’t included, please let me know. This book is a tool for us all, and I hope that everyone will feel like they are a “contributor.”
These articles originally appeared in Sheppard Mullin's eyeonprivacy.com blog, which is edited by Liisa Thomas.