[BreachExchange] Cyber Smarts: How to Avoid a Data Breach Lawsuit

[Audrey McNeil]

http://www.adotas.com/2018/07/cyber-smarts-avoid-data-breach-lawsuit/

Anthem paid out $115 million in 2017 to settle a number of class action
lawsuits brought by victims of a data breach. That sum is the highest in
history, but it’s hardly the only astronomical figure like this. Litigation
regularly leads to multi-million dollar penalties.

The figures are only going to climb in coming years. The frequency and
scale of data breaches are both on the rise. So is consumer resentment and
regulatory oversight. That creates a perfect storm for businesses large and
small. Unfortunately, we can expect to see more data breach lawsuits and
steadily larger settlements.

At this point, companies must consider cybersecurity to be a
mission-critical concern. No company can sustain nine-figure settlements,
and for many companies, even a small settlement would mean disaster. That
makes it essential for all businesses to avoid data
breaches and the consequences of lawsuits.

Rely on these strategies to bring down risk and liability:

Practice for a Real Data Breach

Preventing a data breach is the first priority, but limiting the damage
also limits the number of plaintiffs. The best way for companies to catch
breaches faster and limit the exposed information is through planning. That
includes comprehensive cybersecurity training and education for all members
of staff. It also includes data breach simulations that allow for hands-on
training. If and when a real breach occurs, well-prepared staff can respond
swiftly and capable.

Make Careful Public Comments

When company officials make announcements about data breaches they must
pick their words carefully. Making the wrong claims or promises could later
be used by plaintiffs in court. Disclosing the data breach is mandatory,
but comments should be carefully crafted in advance. In addition to an IT
response team, companies should have a disaster PR team in place.

Own the Mistake Early

Data breach settlements are typically calculated based on the number of
victims and the scope of the damage. Part of the calculation is how long it
took the offending company to announce the data breach. Waiting too long
subjects companies to potentially much larger settlements, yet the evasion
gains them nothing. It is in the best interest to be honest and forthcoming
with the public as soon as the issue is detected.

Rely on Cyber Coverage

Cybersecurity is all about risk management. Companies must reduce the risk
of cyber attacks but also acknowledge they are likely, even inevitable.
Realistically, companies may not be able to avoid data breach lawsuits or
other expensive penalties entirely. That is where cyber coverage kicks in.
It provides financial, legal, technical, and other resources to help
companies resolve data breaches. The right cybersecurity insurance policy
is the difference between a financial penalty and a financial disaster.

Focus on Vendors

A smart way to avoid more threats is to focus on third-party cybersecurity.
Relationships between a company and a vendor, supplier, partner or other
business associate create links between their IT networks. That means gaps
in a vendor’s security measures could send threats into another network. In
the event of a lawsuit, vendors may bear some responsibility. The better
strategy, however, is to only work with vendors with acceptable levels of
cybersecurity.

Cybersecurity is easy to ignore. But after an incident, it’s impossible to
think about anything else. Don’t let your company be the next one
blindsided by a cyber attack and years of fallout afterward. Take steps now
to protect your future.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180717/d411207b/attachment.html>