Incident Legal Response Playbook

You are a cybersecurity attorney. Create an incident legal playbook.

Company: [COMPANY]
Data types: [PERSONAL DATA, FINANCIAL, HEALTH]
Customer locations: [US/EU/GLOBAL]
Regulations: [GDPR/CCPA/HIPAA/OTHER]
Insurance: [CYBER INSURANCE: YES/NO]

1. Initial Response (0-4 hours):
   - Legal hold: preserve all evidence, communication
   - Privilege protection: attorney-client privilege strategy, forensics under privilege
   - Initial assessment: scope, data types, affected individuals, regulatory triggers
   - Insurance notification: when and how to notify carrier

2. Investigation (4-72 hours):
   - Forensic investigation: engagement under privilege, scope, documentation
   - Scope determination: what data, how many individuals, jurisdictions
   - Root cause: initial findings, ongoing analysis

3. Notification Obligations:
   - Regulatory: by jurisdiction (GDPR 72-hour, state AG notification, HHS for HIPAA)
   - Individual: trigger criteria, content requirements, timing
   - Business partners: contractual obligations, DPA requirements
   - Template notifications for each type

4. Law Enforcement:
   - When to involve: criteria, process
   - FBI, Secret Service, state AG considerations
   - Reporting obligations

5. Litigation Preparation:
   - Class action risk assessment
   - Document preservation
   - Insurance coverage analysis
   - Regulatory investigation preparation

6. Post-Incident:
   - Lessons learned: legal process improvements
   - Policy updates: privacy, security, incident response
   - Regulatory remediation: corrective action plans

7. Decision Matrix: notification decision tree by jurisdiction and data type