Even small data breaches can have significant consequences. The most obvious are IT security concerns around network compromise and data exfiltration, but any breach of cyber security also comes with potential legal liability. We understand the risks that these breaches represent and work with you to help you navigate them for the benefit of your clients. To ensure compliance with industry, state and federal reporting and disclosure obligations, corporate legal teams are often best served by partnering with third-party cyber security breach response providers like HALOCK. We can help determine how breaches occurred, identify what data has been compromised and formulate a cyber breach response plan that satisfies legal obligations and helps ease your clients’ concerns.
HALOCK can help.
Examples of Cyber Security Breaches — and Their Legal Impact
Depending on the type of breach experienced, legal obligations may differ. For example, if networks are infiltrated but data is not viewed or exfiltrated, reporting requirements may be limited to regulatory bodies. If customer data is compromised, meanwhile, obligations expand exponentially.
Common types of cyber security breaches that can create legal issues include:
- Data theft or loss: This includes data stolen by malicious external actors and information accidentally lost or deliberately taken by employees.
- Insecure storage or transmission: Data compromised because of insecure storage architecture or transmission methods (such as unencrypted emails) can put companies at risk of legal challenge.
- Missed patches or security updates: If needed patches or security updates aren’t applied and breaches occur, businesses may be held responsible for failing to take reasonable defensive precautions.
Failing to effectively and immediately address these issues could lead to legal repercussions — including fines and penalties; reputation loss; and class-action lawsuits or settlements, not to mention the costs associated with settling these legal challenges in court. We can help you determine what response is appropriate to better enable you to provide your clients with the legal advice and guidance they need.
Delivering on Duty of Care and Reasonable Security
While every organization encounters unique cyber security challenges, they share a common obligation: Deploying reasonable and necessary defensive solutions. Yet, what exactly is “reasonable”?
HALOCK’s security experts help companies effectively apply the DoCRA (Duty of Care Risk Analysis) standard to current defenses and across potential risks. This standard is used by legal authorities and industry regulators to determine if security precautions taken were reasonable and necessary given the type, location and common use of stored or collected data. If HALOCK teams identify potential shortfalls in current security frameworks, they work with local IT and legal teams to create a reasonable cyber breach response strategy that helps reduce total risk.
Reasonable Security is Now Defined
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control.
Example Engagement: Legal Response for a Debt Collection Service
A debt collection service reported a potential theft of debtor data by a disgruntled employee. Suspicion of theft arose from colleagues who saw the employee print a massive report just prior to quitting without notice. The debt collection service was subject to multiple regulations and wanted to be sure a criminal forensics investigation stayed within the bounds of its cause, to prevent regulatory complications.
HALOCK worked with counsel to carefully guide the responding detective to the few files and resources on the employee’s laptop that would have indicated whether there was reasonable suspicion of a breach. This enabled the detective to determine that there was no probable cause to take further action while preventing extraneous exploration, avoiding unnecessary breach disclosure, and providing sufficient evidence of due diligence after the suspicious activity.