[BreachExchange] Data Breaches Plague Organizations for Years

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 9 20:24:08 EST 2018


Once an organization's network is breached, extinguishing the flames is
just the first step in a long, painful and costly journey to recovery.
There's still the wreckage to sift through, investigators to perform
analyses, insurance claims and, of course, a business to reconstruct and
secure. It isn't business as usual once operations are restored; a breach
can plague an organization for years.

Financial aftermath smolders

Not long after the event, the breach's impact on stock price and earnings
becomes clear. In July, just weeks after it was breached by the NotPetya
malware, FedEx announced it expected a material loss associated with the
attack. Medical software vendor Nuance issued a similar warning that
revenue and earnings results would be negatively impacted by the

Studies have shown that after a breach, a company's revenue losses average
between $2 and $4 million, the stock price drops between three and seven
percent, and a significant number of customers are lost.

Then come the lawsuits

In the months following a breach, litigation notices arrive, kicking off a
process that could drag on for years. In just the last 24 months, nearly
$370 million was paid to settle data breach lawsuits in the US. Among them,
two settlements totaling nearly $45 million by Home Depot, and a $28
million settlement by the poster-child of data breaches, Target.

But the largest class action lawsuit in history belongs to Yahoo! A week
after it announced a 2014 data breach had compromised the private
information of 500 million users, attorneys filed a negligence lawsuit
against the tech giant for failing to protect consumers. The potentially
devastating effects from the loss of personal information can mean huge
settlements for victims.

Then shareholders arrive with flaming torches

Investors are increasingly looking to hold company directors and officers
accountable for breaches, citing violation of fiduciary duty, waste of
corporate assets, and gross mismanagement.

After the Target breach, shareholders filed a suit against 13 officers and
directors, alleging breach of fiduciary duty and waste of corporate assets.
A similar suit against Wyndham Worldwide was filed in 2013. In February of
this year, Yahoo shareholders filed a complaint claiming the company failed
to properly alert consumers that 1.5 billion users' data was stolen by

Shareholder lawsuits are a red flag for company directors, a warning that
they must keep on top of cybersecurity issues. While the Target and Wyndham
suits were dismissed, it wasn't without significant legal costs. And
lawyers will continue to pursue this type of litigation in an effort to
capitalize on the chronic cybersecurity risks companies face.

Next come the Feds

Depending on the nature of the breach, the information compromised, and the
readiness and response of the company, both federal and state enforcement
authorities, now cracking down on data breaches, may also come knocking.

If a company is found to have violated the Health Insurance Portability and
Accountability Act, the Department of Health and Human Services will get
involved. Managed care provider WellPoint shelled out $1.7 million in 2013
to settle alleged HIPAA violations related to a breach four years earlier.

If a company fails to provide adequate security or fails to live up to
its stated security standards, it can be sued by the Federal Trade
Commission. If security lapses can be classified as unfair, deceptive or as
abusive conduct, the Consumer Financial Protection Bureau can bring action.
If a communications company fails to properly protect customer information,
actions by the FCC can result. And so it goes. Government is on high alert
when it comes to breaches.

Finally, got cyber insurance?

Whether covered or not, cyber insurance may not be the panacea
organizations hope for. As data breaches occur with increasing frequency,
insurance companies are looking to cash in on what could be a
multi-billion-dollar market. But it's a new frontier and the industry is
grappling with the fact that a single vulnerability could trigger billions
of dollars in losses. So buyer beware!

For organizations that go this route, it's not always clear what such
coverage entails, where existing liability policies end and cyber insurance
begins, and whether they're comprehensive in terms of exposure. Sony went
to court to force their insurers to cover the PlayStation Network breach
and a judge ruled that the policy covering the "publication" of private
information could not be triggered by hackers. The parties eventually
settled out of court before an appeals panel ruling. There will certainly
be more litigation over what is and isn't covered in the future.