Whether accidental or due to a deliberate penetration of information systems, data breaches – while not solely a 21st-century phenomenon – are an increasingly sophisticated headache for global corporate entities. As personal information and corporate data have become commoditized, the legal, gray and black markets for information have seen the exponential rise of an industry whose primary function is reactive data breach management, remediation and mitigation. After a data breach, an organization’s primary objectives are complying with the regulatory obligation to notify potentially impacted individuals while limiting its financial exposure. This requires the review of many thousands – sometimes millions – of documents. For many companies, the data remediation action ends when all required notifications are sent. This complacency can have grave consequences; there are other significant post-data breach business risks that should be evaluated. It is in a company’s best interest to utilize its expert resources to help mitigate those risks in parallel with fulfilling the legal requirements of remediation and notification.
To understand the business risks of a data breach beyond the costs of conducting remediation, companies need to be aware of the current corporate cybercrime landscape. In August 2020, INTERPOL assessed the impact COVID-19 has had on cybercrime incidents, noting that they were seeing a dramatic shift away from attacks on individuals and a significant increase in attacks on larger enterprises. In a related press release, INTERPOL noted that, “With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are . . . taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.” Sophisticated criminals and criminal organizations are masters at identifying changing cultural, political and market conditions to capitalize on opportunities that maximize illicit financial gains. The pandemic has led to a wave of uncertainty and anxiety that spans the hierarchies of corporate organizations. The resulting instability of global economic conditions, along with already troubling sociopolitical volatility, has left institutions less prepared than ever to contend with the sudden onslaught of online assaults by highly skilled hackers who are often one step ahead of even the most protective IT security programs.
The fact that data breach risks are always looming, regardless of threat level, is nothing new. Corporations that have faced one before are well aware of the potentially enormous cost of remediation. Data privacy attorneys are particularly well-acquainted with what a data breach means for their clients and with the existence of aggressive regulations from multiple jurisdictions that dictate the manner and time frame for notifying individuals whose personally identifiable information (PII) has been compromised. Regulatory bodies are often inflexible, and the speed at which corporations must fully implement a remediation and notification plan is often faster than one might consider reasonable. Once a breach is identified, companies are in triage mode to protect their reputation and mitigate their financial exposure while simultaneously isolating the impacted servers to limit the damage from an attack, boosting their cyber resiliency to help prevent further attacks and implementing a data breach remediation review to send the required notifications to individuals.
However, the lost confidence and financial harm stem from more than the theft of PII. Companies understand that it is their proprietary, confidential data that makes what they sell valuable. This information would be exceptionally valuable to competitors and, if stolen, could be made public to embarrass or sold for profit. According to a 2020 IBM study, it takes an average of 200 days before a company realizes a cyberattack has occurred, by which time it can be nearly impossible to recover from the loss of corporate secrets. Exposed competitive information like pricing or fees negotiated with other companies, marketing plans and product development documents are just a sample of the types of information that could be floating around cyberspace for months unbeknownst to a company. Furthermore, private internal or external email or chat conversations could be the source of embarrassment – or even regulatory interest – if made public.
Separate from internal information, confidential data belonging to other entities like vendors, partners, customers, etc. helps keep companies profitable and running smoothly. Protecting these relationships is critical, and they can be easily damaged if a company has put another company’s information at risk. Identifying breached sensitive business data as soon as an intrusion is spotted is a first step toward preventing an irretrievable breakdown of business relationships. With certain exceptions – like law firms – regulations do not necessarily demand that a company do anything to mitigate the risks that may come from the loss of another company’s information. However, statutory obligations are not the only considerations. Commercial relationships are almost invariably governed by contracts between parties which often contain data security requirements, call for cyber insurance and – if written appropriately – have strong indemnification language. With this heightened exposure, it is incumbent on companies to be proactive in identifying compromised business data and notifying their owners.
If a company is prepared with a comprehensive data breach review plan that accomplishes the identification of PII for remediation and notification, as well as identifying internal company-owned data and third-party business-owned data, it will be in a much better position to limit financial exposure, reputational harm and loss of critical relationships. To do this most effectively and efficiently, it is important to have a data remediation review team with members who are not only skilled at thoroughly identifying PII of all types as well as the contact information of impacted individuals for legally required notifications, but also have significant experience identifying critical business data and categorizing it in reports so that internal departments and outside companies can be notified with specificity about data that has been potentially compromised. The tight timelines for completing PII remediation and notification do not mean business data should be sidelined. Data remediation review teams are able to review documents for both PII and business information simultaneously if they have the training and experience to know what to identify. A single review with this dual purpose allows companies to accomplish what might otherwise be overlooked or delayed with minimal additional time and cost.
Reference: INTERPOL, “INTERPOL report shows alarming rate of cyberattacks during COVID-19,” August 4, 2020, available at: https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19