There’s no doubt about it: cyber-attacks are increasing. One consequence is a rise in cybersecurity litigation. Interestingly, that litigation is not necessarily directed against the cybercriminals. Instead, it is likely to be yet another threat that the breached company has to deal with.
Just as cyber-attacks are generating publicity, so too are the lawsuits that follow them. What makes them newsworthy seems to be the dollar amount. For instance: the extramarital dating company Ashley Madison is reported to be facing a USD578 million class action over its data breach. Target, whose 2013 hack resulted in 110 million customers’ credit card details being available online, has spent USD290 million since the breach on settlements and legal fees for a pending Federal Trade Commission (FTC) probe. And Sony has agreed to pay as much as USD8 million to settle claims.
Why is litigation gaining momentum? In many ways, it’s because of the headlines. The risk of being hacked is now so well publicized that many believe companies have no excuse not to take reasonable steps to protect their online systems and data.
Who’s driving this?
It’s probably fair to say that five groups can be identified:
- Financial institutions. They are suing the hacked retailers, e.g. Target, to recover their losses.
- Employees. Staff could claim that the company didn’t do enough to protect their private data.
- Regulators. Here it is government bodies, e.g. the FTC, pursuing companies that have failed to comply with a federal court order, as in the LifeLock case. And under new EU data privacy laws, companies can be fined up to 4% of global turnover for breaking data protection regulations.
- Shareholders. This group can file a suit where named board members have failed to live up to their legal duty to protect sensitive data.
- Company vs. company. This last group is not as common as the others at the moment. It arises, for instance, where the company that manages the outsourced data is sued.
How to mitigate the risk
It’s important to remember that cybercrime readiness is about more than just technology. It’s about how quickly you can take action. On that basis, there is a raft of activities which companies can undertake. Simply put, the activities can be broken down into pre-attack and post-attack.
Pre-attack preparations include IT security assessments, penetration testing and cyber incident planning services, which help organizations understand their security posture and implement measures to reduce their exposure. Another critical aspect is employee training.
Post-attack activities mean having experts on hand 24/7 for incident response services, preserving digital forensic evidence, and providing advice on isolating the incident so that normal operations can resume in the shortest possible time.
The extent to which a cyber-attack impacts your organization comes down to how prepared you are and how fast you can respond. Getting the basics right can significantly lower the overall risk.