Editor’s Notes: The writers of Solutions Review are not licensed attorneys and therefore cannot give legal counsel or advice. This article is meant as a review of cybersecurity best practices, and is not meant to be a treatise on legal liability in cybersecurity. Please consult a licensed attorney to receive actual legal advice on cybersecurity compliance and liability for your enterprise.
The bill for a data breach on your enterprise can be staggering. The basic costs of a single security event include hiring cybersecurity consultants to assess the damage, dealing with the public relations fallout, conducting the internal investigation, and suffering the lost customers and contracts.
That just covers the basics of breach remediation; just informing your regulators of a data breach can cost your enterprise even more. Yet the legal fees that your enterprise could accrue in the wake of post-breach cybersecurity litigation, though often forgotten, can be monumentally expensive. In the case of the historic Equifax data breach, the charges from legal fees alone could be in the millions, if not tens or hundreds of millions.
Perhaps this is unsurprising. Post-breach cybersecurity litigation can involve consumer class action suits and public settlements, individual lawsuits, and private settlements, not to mention potentially hundreds or thousands of hours of attorney time.
Is there anything you can do to mitigate the costs of post-breach cybersecurity litigation? Potentially, yes. Following some key cybersecurity best practices can possibly help you prove compliance and reduce liability issues.
Here are a few ideas to potentially mitigate post-breach cybersecurity litigation costs:
Be Aware of Cybersecurity Risks. Be Prepared.
A key step to mitigating both a cybersecurity threat and future post-breach cybersecurity litigation is to recognize the most common kinds of cyber threats facing your enterprise's industry in particular. These can include IT environment failures, data-corrupting viruses, cryptojacking malware, IoT infiltration, or ransomware. Your cybersecurity platform needs to begin with knowledge and awareness, or it won't be effective.
As a part of this new awareness policy, your IT security team needs to conduct a cybersecurity risk analysis to see how your enterprise’s IT environment stands up to those threats. This risk analysis should seek out any potential attack vectors and work to limit or eliminate them—whether by closing discovered security holes or enacting breach prevention and SIEM threat management solutions.
If possible, hire an outside consultant to perform this cybersecurity risk assessment. Doing so provides an outside perspective on your IT environment, and therefore a more accurate understanding of what vulnerabilities are apparent to outside threat actors. After that, you’ll know what you should prioritize in your endpoint security, SIEM, and identity and access management solution selections.
The best way to potentially mitigate post-breach cybersecurity litigation costs? Prevent the breach from happening in the first place. Granted, this is often easier said than done (no cybersecurity prevention method is 100% effective), but having proper cybersecurity solutions and policies in place can help your enterprise reduce its liability in post-breach cybersecurity litigation. It can help you demonstrate compliance and reasonable efforts to secure your environment, which can be a huge help.
Have an Incident Response Plan In Place
An incident response plan is essential for any enterprise in the event of a data breach. When properly enacted, it helps clarify the chain of command and channels of communication while a security event is ongoing. Therefore, an incident response plan can help ensure that affected parties, customers, legal teams, and shareholders are alerted to a data breach promptly.
Plenty of recent cybersecurity lawsuits have (according to public sources) fixated on the absence of communications to affected parties from breached enterprises as an example of negligence. Negligence can be a serious legal issue, and thus it is in your best interest as an enterprise to avoid such charges. Making sure your employees know the incident response plan (simply having one isn't enough) can help prove that you aren't negligent in your cybersecurity. Affected parties, regulators, and investors should be alerted promptly after a breach is discovered.
Post-Breach Cybersecurity Litigation Common Sense
Again, we can't give proper legal advice as we are not lawyers. But here are two facts we can say with certainty: your enterprise more likely than not will suffer a data breach in the next few years, and the chances of a data breach will increase if you choose not to invest in cybersecurity solutions. Taking no steps to prevent a data breach might make your enterprise look more liable in the wake of a cyberattack, and it may also create a compliance issue that can be even more costly.
So maybe it’s time to start preparing?
Written by Ben Canner