Protection Before and After a Data Breach

With increased action by attorneys general and other regulators, as well as evolving case law, companies cannot afford to ignore the risk of litigation or regulatory action as a result of a data security incident.

For example, a trio of California requirements that went into effect this past January clarify the term “encrypted,” create uniform language for breach notifications, and expand the list of notifiable breaches to include loss of username, emails and passwords. Since California is a leader in data breach and privacy laws, the impact of these laws will likely reach beyond the state’s borders.

Class action law suits like those brought against Home Depot and P.F. Chang’s have heightened the risk of successful actions and large costs. In the case of Home Depot, the large settlement – reportedly $19.5 million – signals that companies that suffer a data breach could face significant legal exposure for damages. Class members were permitted to recover up to $10,000 for documented “time spent” to resolve issues.

As regulations, enforcement, case law and technology continue to evolve, litigation is a growing risk for companies that experience data breaches. Companies should establish solid relationships with regulators. They should be ready to make hard decisions about when to contact regulators, when to go public, and how to communicate the scope of an incident. Precautionary measures – including implementing appropriate risk management and assessment policies, purchasing sufficient cyber insurance and using proven experts – can mitigate data-breach risks.