May 2023 - Reduce the Impacts of a Data Breach

Instances of cybercrime are growing, both in frequency and in sophistication. Criminals attack indiscriminately, targeting corporations, legal and other firms, nonprofit organizations, academic institutions and government agencies alike, continually finding new ways to infiltrate systems and disrupt operations.

Today, multiple threat factors are becoming involved in a single incident: encrypting systems, stealing and selling the data accessed and threatening to expose the fact that an organization’s data was stolen unless the requested ransom is paid. Up until a few years ago, exfiltration was part of only about a third of data extortion incidents, but today, very few do not include an element of exfiltration.

Dealing with any data breach is a logistical nightmare. But among the growing impacts of breaches today is the risk of class-action lawsuits. As more people understand the effects of having their data compromised, more are initiating or joining class actions – and not just for breaches that occur in large organizations. Smaller companies dealing with breaches affecting as few as 1,000 data subjects are facing litigation.

Companies can’t do much to prevent these lawsuits once a data breach has occurred, but they can take steps to mitigate the consequences:

• Pre-event: Establish strong security protocols upfront, which will help in passing a reasonableness test in the event a suit is filed.
• Post-event: Demonstrate that all regulatory compliance requirements were followed, deadlines were met and reasonable and necessary steps to address the situation were taken without delay and with as much transparency as possible.

Key tips for dealing with cyberattacks:

1. Ensure every incident is taken seriously and put in place mandatory, periodic employee cybersecurity training to help staff understand what incidents might look like, how to prevent them and to immediately report anything suspicious to IT.
2. Inform the legal department immediately of a potential incident and encourage the organization or their clients to take immediate action.
3. Instruct the organization or clients to consider retaining a third-party digital forensics expert to verify the risk is contained and it is safe to conduct business.

It’s always best to prevent a breach in the first place. Cybersecurity awareness training remains a critical function for every organization but is undervalued by many. Threats are constantly evolving, so training should, too. Keep all employees up to date on the latest protocols and best practices to prevent breaches, as they are the first line of defense against cyberattacks.

QuisLex’s Megan Silverman recently shared insights on current data breach trends and tips for reducing their impacts in an article for the ABA’s Business Law Today. Read the full text of the article here: Data Breach Trends and Tips for Reducing Impacts.