For company executives, data breaches are traumatic. They must rush to patch data leaks and work with law enforcement while also reassuring anxious customers and employee about fraud and identity theft. And then there’s the lawsuits.
After cyber criminals strike, class action lawyers are rarely far behind. In the wake of breaches at retailers like Home Depot (HD), Michaels, and Target (TGT), lawyers have been quick to pounce by filing complaints seeking millions of dollars in the name of consumers.
The outcome of such cases has been mixed, but the good news for executives is they can take steps before and after a breach to minimize exposure to civil lawsuits. Here are five tips:
Run a data breach simulation
Just like other corporate emergencies, executives can practice how to respond to data breaches. Many firms run training exercises and role play scenarios to prepare their staff for a cyber attack. This helps ensure that, in the event of a breach, executive teams can respond quickly and know in advance who is responsible for what.
Watch what you say
Margaret Dale, who advises clients about cyber crime at the law firm Proskauer, says it’s critical for company officials to be mindful of what they say in public after a data breach. While it’s important to reassure customers and investors, an executive’s comments can also expose the company to liability.
“You have to be really carefully about you say. You can be sure the plaintiffs will use it against you later on,” said Dale, who adds that companies should have a team in place to handle communications.
Know the law and speak up quickly
Following recent data breaches, some retailers have ended up on the hook for big civil penalties, but others have not. Why the difference? One explanation lies in how companies responded after the breach occurred. Home Depot, for instance, dithered before warning people their data was compromised–which is part of the reason the company is now poised to pay a multimillion dollar settlement.
There’s also an extra incentive to speak up quickly because of laws in nearly every state that require companies to notify customers about a data breach. So how long can a company wait? The state laws typically don’t specify a precise time, but refer instead to acting in a “reasonable” time.
Get Data Sheet, Fortune’s technology newsletter
Do Your Homework on Your Vendors
If cyber criminals want to plunder a company’s customer data, they have multiple ways to go about it. They can attack a firm directly, or they can look for a weak point among third parties attached to the firm’s network. For instance, the massive Target hack began with attackers obtaining log-in credentials from an outside company that supplied air conditioning to the retailer.
According to Dale, the lawyer, companies should carry out due diligence on the vendors they hire to ensure those outside firms are properly focused on cyber security.
Offer Credit Monitoring Services*
Today, in the wake of a data breach, most retailers are quick to offer free access to services that monitor for credit and identity theft. Doing so is not just good customer service. It can also help to undercut class action claims that customers have suffered a real harm from the data breach.
There’s a reason this suggestion comes with an asterisk, however. In one high profile case, involving Neiman Marcus, an appeals court pointed to the retailers’ offer of credit monitoring as evidence that customers had suffered enough harm to bring a lawsuit. In other words, the free offering made it look like Neiman was admitting fault. The upshot is, when it comes to offering credit monitoring, companies might be damned if they do and damned if they don’t. The good news, though, is legal scholars are starting to see the Neiman case as an outlier.
