Businesses are being hacked with increasing regularity. How you respond after discovering your business has experienced a cyber attack is important to limiting your exposure to legal liability. Cybersecurity incidents come in many forms and present a range of serious risks.
1) Unauthorized Intrusion. Common vectors of intrusion are unprotected ports, unpatched software, and stolen or weak credentials. An unauthorized intrusion into your company’s environment may result in the improper disclosure of personal data or confidential information subject to NDAs. This may require you to notify affected persons or entities under breach notification laws or resolve contract claims.
2) Ransomware. While some ransomware attacks raise similar concerns about unauthorized access to information, the more obvious problem is the permanent loss of business data. Losing sales, inventory, and employment records can make conducting business impossible. Restoring your systems can be difficult and paying ransoms is risky. Getting your systems back online quickly can prevent cascading operational failures following a ransomware attack.
3) Phishing. Email phishing is a form of social engineering and low-tech hacking, yet the consequences can be just as devastating. Sending sensitive information to an imposter who has spoofed your vendor’s email account or has even spoofed a person within your own company can lead to financial loss. Other times, a hacker can use a seemingly legitimate email to deliver malware as an attachment or a link within a message, thereby exposing you to more serious attacks.
4) Malware. Malware comes in many forms, but almost always has a nefarious objective. This may include providing an attacker remote access to your environment, launching command and control (C&C) attacks, logging your keystrokes and passwords, or leveraging your network as a botnet. Often, malware infections come from poor information security practices and lurk undetected until substantial damage has been done.
5) Insider Threats. Many of the most severe cyber attacks come from within the organization itself. When role-based access controls are not properly implemented and enforced, or user credentials are not properly managed, untrustworthy or disgruntled employees and contractors may have access to valuable sensitive information. They can easily steal or destroy mountains of data or take other actions that compromise your business or IT environment.
Responding
If your company does not have internal competencies in cybersecurity incident response, then it is prudent to engage professional assistance to triage, contain, eradicate, and remediate the attack. Such experts are trained in phased incident response protocols and digital forensics and should be retained through legal counsel to help protect your right to attorney-client privilege.
The best incident response teams and cybersecurity attorneys will be prepared to deploy immediately on a 24/7 basis to provide you with assistance. When addressing a live security incident, time is of the essence because an attacker could be active in your environment or ransomware could be continuing to propagate across systems. You should not waste time in responding.
Legal Liability
It is essential to understand the scope and nature of an attack to properly mitigate your legal exposure. Breach notification laws are complex and require nuanced analysis based on the specific facts and circumstances of your situation. Competent legal counsel should understand these nuances, including under state, federal, and foreign laws.
Legal counsel should also help you determine your right to file a claim on your insurance, which may include cyber liability protection. Depending on the nature of your business, you could face both first-party and third-party liability for claims arising out of a data breach. Knowing whether you are covered, the type of coverage you have, what your policy limits are, and how coverage amounts may be appropriated is important to reducing your exposure.
The most common types of legal liability include those related to compliance failures, e.g. not providing proper notification, and negligence and breach of contract claims related to the improper disclosure of personal or confidential business information. Severe breaches often involve investigation by regulators, including state AGs and the FTC. If you are in a regulated industry, special investigations may occur, and claims involving a breach of fiduciary duty and professional sanctions are also possible.
Lastly, there are many sources of indirect legal liability that can arise following a cybersecurity incident. Examples include companies that fail to fulfill contractual obligations because their systems are down, including missing deliveries or deadlines to customers, or failing to make timely payments to vendors, contractors, and employees. Skilled legal counsel can examine the totality of your risks to advise you accordingly.
About the Author
Will Orlewicz is a cybersecurity attorney at Relic Law PLLC, a boutique data privacy and cybersecurity law firm assisting clients in Detroit and Chicago. For more information, please visit Relic Law PLLC at https://www.reliclawpllc.com/
DISCLAIMER: THIS ARTICLE IS OFFERED FOR GENERAL INFORMATIONAL PURPOSES AND IS NOT LEGAL ADVICE. NO ATTORNEY-CLIENT RELATIONSHIP EXISTS. YOU SHOULD CONTACT YOUR OWN LEGAL COUNSEL TO DISCUSS YOUR CASE.
© 2020 Relic Law PLLC