How to handle the legal implications of a data breach

Preparation can help limit damage and speed up recovery when the worst case happens.
19 July 2019

Preparing for the worst is the best approach in cybersecurity. Source: Shutterstock

Running a business today is not the same as it was several years ago. Business people now have multiple choices of digital solutions that can help them manage payroll, human resources, customers and even finances efficiently, but these solutions have also opened up more avenues for irresponsible parties to exploit.

Any organization holding personal data has a duty to ensure it’s protected, but with cyber threats evolving every day, even the strongest defences have flaws.

What is a data breach? 

A data breach is the unauthorized acquisition or “exfiltration” of unencrypted private information – that is, any information that can be used to identify a person, such as name, account number, credit or debit card number, biometric data, usernames, security questions and answers, email addresses, and passwords.

But data doesn’t even have to be stolen to be breached; definitions now cover unauthorized access, implying that a “data breach” happens from the moment a hacker gets into a system successfully. It’s not limited to data lost.

The results of a data breach can be devastating. A 2018 study by the Ponemon Institute reports that the global average cost of a data breach is US$3.86 million and the average cost for each lost or stolen record is US$148, with costs rapidly trending upward each year.

For large multinationals, it can damage stock prices too – the ICO fine of British Airways, for example, saw shares dive 2 percent, while reputational damage can long affect consumer loyalty, and trust in the wider ‘digital economy’ as well. 

For SMEs, meanwhile, the results can be ‘fatal’, with the majority unable to sustain operations for more than six months after an attack. 

The legal implications of a data breach

Businesses which digitally store personal information are required to implement “reasonable” data protection measures. These are usually described in legislation, and some laws, such as GDPR, are more specific, highlighting data encryption as a measure that should be taken in the ordinary course of business even if a breach has not occurred.

Being up front and transparent when an attack occurs, and showing willingness to solve it lawfully, can help reclaim a positive image and mitigate further damage. Generally, there are four legal implications arising from legislation across all jurisdictions in the event of an attack, as explained by Scott Watnik, Litigation Partner at US law firm Wilk Auslander and Co-chair of the firm’s cybersecurity practice.

# 1 | Notice

Notice of the attack must first be provided quickly to all affected individuals, and in many cases notice must also be given to certain regulatory agencies. Under the GDPR, data breaches must be disclosed within 72 hours of first detecting the breach.

In the United States, regulators include the Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, and fifty State Attorneys General; whereas in the UK, the ICO is in charge.

“Immediately seek the advice of counsel to determine when and to whom notice of the attack needs to be given upon discovery of the attack,” said Watnik. 

Failing to report cyber attacks promptly can result in devastating consequences. Marriott suffered huge fines from the ICO because it reported the breach in its system in November 2018, whereas it was actually discovered in September 2018.

Insurance personnel should also be contacted. Be sure they’re kept current and informed as to the nature of the breach and all post-breach efforts, as they would need this information to safeguard the company and its management.

# 2 | Response

Certain security measures must be taken in response to the attack. There is no “one-size-fits-all approach”, but having a general response plan (sometimes referred to as a “security incident response plan”) in place is the best move, advises Watnik.

IT personnel should also investigate the nature and extent of the data that has been accessed or compromised, and the source of the breach. In this regard, IT personnel should work with company counsel, as disclosure obligations may vary depending on the extent and nature of the data that has been breached.

A response plan should include the following measures as they may be required by statute or regulations:

  1. Operations personnel to address any consumer information needs, including the setting up of consumer call centers if needed.
  2. Experienced outside legal counsel to help navigate the legal landscape. 
  3. Public relations experts who can manage contacts with the press if and to the extent the hack is made public. 
  4. Insurance brokers and personnel to assist with providing notice to any insurance carriers, submit loss claim notices, and identify applicable policy benefits.  

“Extreme measures like shutting down all computer systems company wide for several days and effectively suspending all business operations in their entirety may need to be taken as well after an attack,” said Watnik. 

“All employee passwords may have to be reset, and all systems may have to be backed up to preserve their current state for forensic investigation.”

# 3 | Penalty

The amount of fines can vary greatly depending on jurisdiction and individual cases, as well as the nature of the compromised data, the number of people impacted, the company’s pre-emptive and response measures, and how long the company took to provide the required notices.

Complying with legal notice requirements and having a response plan in place will help reduce the penalty and other costs resulting from a cybersecurity attack. 

According to the 2018 Ponemon Study, having a security incident response team in place can reduce the cost of a cybersecurity breach by as much as US$14 per compromised record from the average per-capita cost of US$148. 

# 4 | Litigation

Finally, litigation comes from multiple fronts, including regulatory and prosecutorial bodies charged with enforcing the cybersecurity legislation, as well as shareholders and customers.

Generally, litigation liability arising from a cybersecurity attack would be imposed on a company and its leadership if they fail to:

  1. Provide timely notice of the hack as required by law. 
  2. Respond to, and attempt to mitigate, the damage resulting from the breach.
  3. Implement reasonable cybersecurity measures. 

Anticipating legal issues

For companies to protect themselves, Watnik suggests that cybersecurity matters should first be discussed at board level, with a focus on understanding the broad picture. The United States Securities and Exchange Commission’s 2018 guidance for public companies on cybersecurity disclosures (the “Guidance”) contains a good example of what should be the focus.

In brief, the Guidance advises that boards of directors should know the following:

  1. The nature and effectiveness of their cybersecurity system and how much it has been tested.
  2. The cybersecurity policies and procedures to be followed.
  3. How the company stores data.
  4. Steps taken to test the cybersecurity system, and the sufficiency of the company’s current procedures.
  5. The nature and extent of coverage of the company’s cybersecurity insurance.
  6. How the company’s business practices and operations take the risk of cyberattacks into account.

Watnik also suggests forming a cybersecurity board community, engaging experts to train employees, and putting go-to procedures in place, along with a communication plan, so there’s a referral point in the event of a data breach.

“Finally, the leaders of the business should make sure that they have IT staff who regularly report to them on data protection efforts and vulnerabilities,” Watnik said. 

Always be prepared

While there is no shortage of advice available for companies looking to bolster their cyber defences, the reality is that data breaches have become an unavoidable fact of business today – every organization (even the most proactive) is vulnerable.

This doesn’t give companies immunity from litigation liability, so understanding how to handle the legal implications of a data breach, as undesirable as the scenario is, could help limit the financial and reputational damage that comes with it. Planning for the worst is a crucial component of your business’s cybersecurity strategy.