July 26, 2022
The theft of business information by a party seeking to obtain an unfair competitive advantage or simply plunder assets has likely been with us since the dawn of human business activities themselves. In recent years, however, the risks posed to businesses of all sizes have become greater than ever in a world of previously unimagined interconnectivity and ever-increasing amounts of customer and client data stored in business files.
In 2021 alone, 50 million Americans had their private health data accessed in security breaches, a threefold increase since 2018, according to data provided by the HHS. According to the Identity Theft Resource Center’s 2021 Data Breach report, there were 1,862 recorded data breaches in 2021, a 68% increase over the previous year.
Whether the source of a company’s data breach is phishing, ransomware, or employee theft, there is no indication that such data breach numbers will fall anytime soon. While businesses should do everything reasonably possible to prevent data breaches, what they do to respond to a data breach when it does occur has enormous implications not just for their reputation going forward, but also for the consequences a business might face in subsequent civil lawsuits and government investigations and proceedings related to the breach. A few basic steps to such an approach are outlined below, but in all cases businesses are strongly encouraged to work with experienced legal counsel in addressing security breaches.
Stopping A Breach & Assessing The Damage
Obviously, the most important step in most security breach situations is to take prompt action to stop the breach in order to limit the damage. This starts with having proper notifications in place to let you know when a breach is occurring. You should immediately mobilize all internal and external technical support personnel who can assist in stopping the breach, and this may mean swiftly retaining outside technical consultants skilled in responding to and terminating the breach. Even if the efforts are not immediately successful, it may be important to later be able to demonstrate that all such actions were taken as quickly as possible to protect internal, client, and consumer data.
It is then important to fully assess the damage that was done as the result of the data breach, e.g., the full scope of the specific data that was potentially exposed and to whom it may have been exposed. It may be possible to do this with purely internal resources, but hiring an independent forensic investigation team to properly document/capture the breach while implementing remediation steps may well be helpful in both assessing the damage and, again, making it clear that your business is doing everything it can to effectively respond to the breach. At this point it is again important to engage with experienced data breach legal counsel if that has not already been done.
Notifying Those Affected
Notifying the persons and entities affected by the data breach as quickly as possible is a critical step in your data breach response. Such persons and entities may include not just those who had their information breached, such as employees and customers, but also investors and business partners.
Although making this notification promptly is important, it is also critical to include the relevant details and make accurate claims. This is a key area where working with outside counsel to appropriately craft such communications is important, both reputationally and with respect to legal obligations and ramifications. In so doing, an affected business needs to balance the need to give affected parties enough information to protect themselves against the risk of sharing information that could further exacerbate the damage or that is unnecessary and/or unproductive in addressing the breach.
Moving Into The Recovery Phase
Moving forward from the breach, your outside counsel and technical consultants will work with you to put measures in place to limit the negative consequences of the breach, as well as to prevent future breaches and restore consumer and investor confidence.
Part of this process will likely involve a security audit: a comprehensive analysis of what exactly went wrong in leading to the breach and of fixes that might be available to prevent future attacks. In many cases the audit would be done by an outside consultant, for purposes of objectivity and expertise both in addressing legal and consumer issues following a breach and in improving processes going forward.
The security audit is often just one part of a business’ recovery plan to anticipate and avoid future attacks. Unfortunately, if your business has been successfully attacked as part of a data breach, this may give the signal and know-how to the same hackers or to others aware of the breach that your business is a susceptible target going forward. Thus, it is critical to work in tandem with your in-house staff, outside technical consultants, and experienced data breach counsel to develop more secure systems and optimized procedures to help avoid future breaches and to respond as effectively and efficiently as possible in the event one occurs again.
Working With Outside Counsel
Cybersecurity and data privacy legal challenges require thoughtful and experienced guidance to help individuals and businesses navigate complex issues to limit legal liability and collateral consequences to their financial and reputational interests. A key aspect of responding to a data breach is working with outside counsel experienced in proactively and effectively addressing the challenges that such an event engenders. The attorneys of Zweiback, Fiset & Zalduendo have decades of experience in litigating and advising on complex cybersecurity and data privacy issues to put in service of whatever legal challenge you are facing. Our attorneys creatively and efficiently strategize towards positive resolutions of cybersecurity and data privacy legal challenges that serve our clients’ comprehensive, long-term goals.
If you or your business are seeking to create policies and infrastructure to comply with regulatory requirements relating to a data breach, or have recently experienced a data breach or other potential legal challenge in the area of cybersecurity and data privacy, contact our office to speak with an experienced attorney regarding your situation today.