Legal Steps to Take Before and After a Data Breach

Data breaches have been around for as long as companies have. Early on, a breach could be as simple as someone viewing a patient’s medical file without authorization. As records moved online, breaches became more sophisticated and digital. According to Risk Based Security, 2,935 breaches were reported in the first three quarters of 2020 alone, making it the “worst year on record.”

As more business runs on digital transactions, exposure to breaches grows, and the stakes are highest for companies. CSO, citing IBM/Ponemon’s Cost of a Data Breach research, puts the average cost of a breach to an enterprise at $3.92 million. On top of the direct financial loss, companies suffer what are widely considered the biggest long-term consequences: customer distrust and a damaged reputation. Your company holds sensitive information about customers who trust you to have appropriate security measures in place.

Preparing for a data breach can be expensive, but it’s nowhere near what recovering from one costs. Be proactive: set up a breach plan, and make sure you know what legal steps to take both before and after a breach.


Assessing your liability

In many cases, business owners can be held personally liable for damages arising from a data breach, so assess your exposure, which depends partly on your business’s legal structure, and plan accordingly. The degree of personal liability is determined by that structure: sole proprietorship, partnership, LLC, or corporation. ZenBusiness outlines how an LLC may offer the protection you need, since it separates business assets from your personal assets: unlike a sole proprietorship or partnership, where you’re personally liable for all business damages and suits, an LLC is treated as its own legal entity with its own rights and responsibilities. Note that entity structure limits your personal exposure; it does not reduce the business’s own obligations, such as the breach notification duties discussed below.

Back up everything

This may sound obvious, but you’d be surprised how many companies don’t take it seriously. Cloud backup services have made backing up easier than ever, but be wary of keeping all your backups in a single location; use multiple locations and more than one service. Because many breaches also destroy data (ransomware being the obvious case), at least one copy should be offline or immutable, so that an attacker holding your production credentials cannot delete or encrypt it, and backups should be test-restored regularly: a backup you have never restored is not yet a backup. This is a necessary preparatory step that proves its worth in recovery, when operations may otherwise be stalled for a prolonged period until your data is back.
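As an added example (not code from the article), the following Python script backs up a directory to two independent destinations and then proves each copy restores to the original, which is the check that turns a copy into a recoverable backup. The source tree, the file contents and the two destination paths in demo() are constructed for the demonstration.

```python
"""Back up a directory to several independent destinations and verify that
each copy restores cleanly. Added example, not from the original article; the
source tree, destination paths and sample files in demo() are constructed.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large archives are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, destinations, name: str = "backup.tar.gz") -> dict:
    """Archive src once in memory, write the identical bytes to every
    destination, and return the archive digest plus the paths written."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src, arcname=".")
    data = buf.getvalue()
    copies = []
    for dest in destinations:
        target = Path(dest) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        copies.append(target)
    return {"digest": hashlib.sha256(data).hexdigest(), "copies": copies}


def verify_copy(archive: Path, expected_digest: str, src: Path) -> bool:
    """A copy counts only if it is byte-identical to what was written AND a
    trial restore reproduces the source tree exactly."""
    if sha256_file(archive) != expected_digest:
        return False  # truncated, corrupted or tampered with at rest
    with tempfile.TemporaryDirectory() as tmp:
        restore_dir = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses members that would escape
                # restore_dir; older interpreters do not accept the argument.
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)
        return snapshot(restore_dir) == snapshot(src)


def demo() -> dict:
    """Constructed end-to-end run: two sites, then a deliberately truncated
    second copy to show the verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "customer-db"
        (src / "exports").mkdir(parents=True)
        (src / "customers.csv").write_text("id,email\n1,a@example.com\n")
        (src / "exports" / "q3.json").write_text('{"orders": 42}\n')
        backup = make_backup(src, [root / "site-a", root / "site-b"])
        before = [verify_copy(c, backup["digest"], src) for c in backup["copies"]]
        damaged = backup["copies"][1]
        damaged.write_bytes(damaged.read_bytes()[:-1])  # simulate a bad copy
        after = [verify_copy(c, backup["digest"], src) for c in backup["copies"]]
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # {'before': [True, True], 'after': [True, False]}
```

The digest comparison catches copies that were truncated or altered in storage; the trial restore catches the subtler failure where the archive is intact but does not contain what you thought it did. In a real deployment the second destination would be a different provider or an offline medium, and the expected digest would be recorded somewhere the production environment cannot modify.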

Assessing your vulnerabilities

At this point, consider bringing in a cybersecurity professional to identify your company’s weak points. Find a reputable firm that can review your systems and operations and help you understand how threats can reach your team. Once you know where an attacker could get into your network, it’s easier to put an effective detection and response capability in place. Detection and response can’t guarantee your security, but it offers a good deal of protection. Also write a breach runbook for your team, so there’s a layer of preparedness beyond what’s coded into your systems. Treat this assessment as a continuous process, repeated periodically and after any significant change to your environment.

Attack simulation

One way to check whether you’ve identified all the weaknesses of your system is to simulate a breach. Create a controlled environment that mimics your daily operations and have a security specialist run live attack exercises against it. These simulations show whether your detection systems actually spot the attacks, and they double as a drill for your team to practice its response.

Updating your policies

Every US state has a breach notification law, and many impose security requirements as well, but the details vary greatly from state to state. For example, the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) requires covered entities to notify the department within 72 hours of determining that a reportable cybersecurity event has occurred. A 72-hour window is also what the EU’s GDPR sets for notifying the supervisory authority, but it is not typical of US state law: most states require notice to affected individuals “without unreasonable delay” or within a fixed period of 30 to 60 days, and some also require notifying the state attorney general. Know which regulations apply to you and keep your policies current as they change.


Notify Law Enforcement and Appropriate Parties

In the event of a breach, you are obligated to notify the affected individuals and, under many laws, the relevant regulators; you should also bring in law enforcement promptly. Contact your local police department and report the situation; the sooner law enforcement is on the case, the more effective the investigation can be. If your local police aren’t familiar with data breaches and cyber attacks, the local field offices of the FBI or the US Secret Service are also available to you.

Identify what information has been compromised

Once you’ve confirmed a breach, the next thing to establish is which data, and what types of information, were compromised. This drives the investigation and tells you which outside parties to bring in. For example, if payment card data was stolen, notify the issuing banks directly so they can monitor or reissue the cards. If Social Security numbers were stolen, the FTC’s breach-response guidance is to contact the major credit bureaus, and you should consider offering affected individuals credit monitoring. Scope matters legally as well: notification obligations generally depend on which categories of personal information were exposed.
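As an added example (not the article’s own code), here is a Python triage script that scans a set of exposed records and classifies what kinds of personal data they contain, validating each hit (a Luhn check for card numbers, SSA issuance rules for Social Security numbers) so that an order reference or a placeholder value doesn’t trigger a notification to the wrong party. The sample records in SAMPLE_DUMP and the NOTIFY mapping from data type to who gets contacted are constructed assumptions.

```python
"""Classify which categories of personal data appear in an exposed data set so
the right parties can be notified. Added example, not from the original
article; SAMPLE_DUMP and the NOTIFY mapping are constructed assumptions.
"""
import re
from collections import Counter

# Loose candidate patterns; every hit is validated before it is counted.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed routing per data type (the article names banks for card data; the
# credit-bureau step follows FTC breach-response guidance for SSNs).
NOTIFY = {
    "card": "issuing banks / card brands",
    "ssn": "major credit bureaus; affected individuals",
    "email": "affected individuals",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def classify_record(line: str) -> Counter:
    """Count validated hits of each data type in one record."""
    found = Counter()
    for m in CARD_RE.finditer(line):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found["card"] += 1
    for m in SSN_RE.finditer(line):
        if ssn_plausible(*m.groups()):
            found["ssn"] += 1
    found["email"] += len(EMAIL_RE.findall(line))
    return found


def triage(records) -> dict:
    """Aggregate counts over all records and list who needs to be contacted.
    Only counts leave this function, so the report itself spreads no PII."""
    total = Counter()
    for line in records:
        total.update(classify_record(line))
    counts = {k: v for k, v in total.items() if v}
    notify = sorted({NOTIFY[k] for k in counts})
    return {"counts": counts, "notify": notify}


# Constructed sample of an exposed export: row 2 carries a non-Luhn reference
# number and a never-issued SSN area, row 3 an invalid SSN group.
SAMPLE_DUMP = [
    "1,alice@example.com,4111 1111 1111 1111,078-05-1120",
    "2,bob@example.org,1234567812345678,666-12-3456",
    "3,carol@example.net,5555-5555-5555-4444,123-00-4567",
    "4,dave@example.com,order ref 9876543210",
]

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

On the constructed sample this reports two card numbers, one Social Security number and four e-mail addresses, and therefore three distinct notification targets. The validation steps are what make the output trustworthy: without the Luhn and SSA checks, row 2 would be counted as both a card and an SSN and the report would overstate the breach’s scope.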

Put up a security fix

Immediately after a breach, the first priority is to stop further access. However, as Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, advises, "The first thing you should not do after a breach is create your response on the fly." If you’ve done the preparatory work, you’ll have a short-term containment plan ready: revoke and rotate the credentials and keys involved, close the access path the attacker used, and isolate the affected systems. Put it in place and test it thoroughly, making sure the attackers can’t get back in the same way. Preserve evidence while you do this (logs, disk images, the affected systems themselves) rather than wiping and rebuilding at once, because both the investigation and your legal obligations depend on it. And remember that this is a quick fix; it has to be revisited and strengthened during recovery.

Determine the cause of the breach

Identifying what caused the breach and how it happened lets you plan a stronger defense so it doesn’t recur, and it often reveals vulnerabilities you weren’t aware of. Knowing the root cause also lets you explain the incident to stakeholders and clients accurately, and assure them that the steps you’re taking actually address it.

Take ownership and provide due compensation

At the end of the day, it’s your business, and you have to take ownership of what happens within it, including providing whatever compensation the law requires. That is why it’s important to assess your liabilities and update your policies before a breach occurs. Taking ownership also helps you repair your company’s reputation and regain your customers’ trust.

As the world grows more reliant on digital services, prepare for more threats and for the possibility of a breach. Learn more in our ‘Cybersecurity Threats to Watch for in 2021’ write-up.

Jan 12th 2021 Allen Brown