The Sedona Conference Published a Guide for Responding to a Data Breach

The Sedona Conference Published a Guide for Responding to a Data Breach

Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.

No healthcare organization looks forward to the day they have to deal with a data breach. Unfortunately, data breaches happen seemingly on a daily basis. Healthcare providers are not immune to such breaches. Fortunately, a comprehensive guide now exists that can assist any organization, including healthcare providers, should it have to respond to a breach.

Last month, The Sedona Conference published for public comment The Sedona Conference Incident Response Guide (Guide), available online at The Guide is the product of The Sedona Conference Working Group 11 on Data Security and Privacy Liability and is described it its Introduction as follows:

“In today’s connected world, compromise of electronically stored information (ESI) is inevitable— even for the most prepared organization. An effective and efficient response is critical to expediting recovery and minimizing the resulting harm to the organization and other interested parties, especially affected consumers. The best time to plan such a response is before an incident occurs.


This Incident Response Guide… is intended to help organizations prepare and implement an incident response plan and, more generally, to understand the information that drives the development of such a plan. It has been created by thought leaders in the industry, including privacy counsel from Fortune 500 companies, government attorneys, and attorneys from several of the nation’s most prominent law firms. It reflects both the practical lessons learned and legal experience gained by the drafters from direct experience responding to incidents, from representation of affected clients, and from the promulgation of rules and guidelines on national and international levels, and is intended to provide general guidance on the topic.


This Guide is designed as a reference tool only and is not a substitute for applying independent analysis and good legal judgment in light of the needs of the organization. The reader should note that this Guide is up-to-date only as of the date of publication. This is a rapidly changing area of law, so care should be taken to understand and comply with the most current requirements. Nothing contained in this Guide is intended to establish a legal standard or a yardstick against which to measure compliance with legal obligations. A reader should neither assume that following this Guide will insulate it from potential liability, nor that failure to adhere to this Guide will give rise to liability. Rather, the purpose is to identify in detail issues that should be considered when addressing the preparation and implementation of an incident response that is suitable to his or her organization.

While this Guide was drafted with small to medium-sized organizations in mind, it is anticipated that the breadth of topics covered and the chronological sequence of the material will prove a useful reference for even the most experienced cybersecurity lawyer and sophisticated organization.”

The Guide is organized into the following sections:

  • Pre-Incident Planning
  • The Incident Response Plan
  • Executing the Incident Response Plan
  • Key Collateral Issues
  • Basic Notification Requirements
  • After-Action Reviews

The appendices include, among other things, model templates intended to be of practical benefit such as an Incident Response Plan and a Notification Letter.

The Guide is not intended to be definitive. Rather, it “attempts to strike a balance between being reasonably complete, but at the same time, not so voluminous and legal-authority laden that it is not practical to use during the exigencies of an incident response.” The Guide offers healthcare professionals—as the governing bodies and attorneys of healthcare providers—a “window” into what steps could be taken to plan for and respond to a data breach.

Comments on the Guide are due by June 19, 2018. Comments should be submitted to


**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to, among other things, electronic information. He is a Senior Counsel with Dentons US LLP.
Leave a comment

Send a Comment

Your email address will not be published. Required fields are marked *