Proactively Fend Off Your Organization’s Next—Inevitable—Data Breach

Consequences of Data Breaches

Data breaches are expensive by any measure, including—but not limited to—the cost of response and recovery, reputational impact, diminished goodwill, loss of productivity, lost business, subsequent product discounts, penalties, and litigation.

Costs. The average financial cost of a single data breach in the U.S. reached $9.44 million this year, and a majority of organizations increased their prices as a result of the attack. These costs are further exacerbated by the pervasiveness of remote work; on average, containing a breach that was caused by remote work costs $1 million more than breaches unrelated to distance working.

These costs are also long-lasting. Organizations in highly regulated environments, such as the health-care, financial, and energy industries, pay a quarter of their breach-related costs more than two years after the fact. On average, it takes organizations 207 days to even recognize that a breach has occurred and another 70 days to contain it.

Reputational impact. After shelling out steep figures to recover and resecure their data, compromised organizations are left with bruised reputations. For example, although Uber paid hackers a relatively small amount ($100,000) to delete stolen data and keep the breach under wraps, the company suffered far greater consequences in reputational damage: Uber’s consumer perception dipped 141% after disclosing the data breach. Although most consumers realize that the companies they use are vulnerable to cyberattacks, 87% of consumers are willing to take their business elsewhere if (or, rather, when) a data breach occurs.

Litigation. In addition to exorbitant costs, lengthy delays, and a tarnished brand, breached organizations can also expect drawn-out and complicated litigation. Consumer class action suits now routinely follow cyberattacks, typically alleging a violation of a state data privacy statute, common-law negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and/or deceptive trade practices.

To date, five states—California, Colorado, Connecticut, Utah, and Virginia—have enacted comprehensive consumer data privacy laws. The laws’ specific provisions vary, but most include the right to access and delete personal data and the right to opt out of the sale of personal information. Only the California Consumer Privacy Act of 2018 (CCPA) contains a private right of action, allowing California consumers whose personal data was disclosed in a data breach to sue an organization for failing to maintain “reasonable security procedures and practices.” The CCPA authorizes statutory damages of up to $750 per consumer per incident. Given the law’s recency (it became effective in January 2020), litigation trends are just beginning to form, but CCPA cases are steadily increasing. In 2021, 110 CCPA cases were filed, including 17 that resulted in class settlements with an average settlement value of $3.1 million.

Organizations beyond the CCPA’s reach shouldn’t lighten up, however. The list of states considering comprehensive data privacy legislation continues to grow. Four states—Michigan, New Jersey, Ohio, and Pennsylvania—are actively considering comprehensive data privacy bills, including two (New Jersey and Pennsylvania) that contain a private right of action in their current form.

In states lacking consumer privacy laws, courts have struggled over the past decade to map data security failures onto existing legal frameworks. That said, a new trend is beginning to emerge: courts are entertaining common-law negligence claims against defendant organizations for failing to safeguard personal data. Hundreds of plaintiffs hailing from nearly every state have alleged that organizations should be liable for negligently maintaining their personal data that was stolen during a data breach. However, courts have grappled with two fundamental questions in these cases: First, is there a common-law duty to safeguard data? And second, does the mere disclosure of personal information constitute harm, or must plaintiffs show more? Some courts have found additional grounds for dismissal under the economic loss doctrine.

For years, plaintiffs faced nearly insurmountable odds as courts dismissed case after case for failing to establish a duty and/or damages. But a door appears to be cracked open (and perhaps is slowly opening farther) in the wake of a 2018 Pennsylvania negligence case. In Dittman v. UPMC, the University of Pittsburgh Medical Center (UPMC) allegedly failed to keep employees’ information safe and prevent vulnerabilities in its computer system. As a result, hackers accessed the personal information of UPMC’s 66,000 employees, which led to the filing of fraudulent tax returns using the stolen data. The superior court held that UPMC had no common-law legal duty to safeguard employees’ sensitive personal information, and, further, Pennsylvania’s economic loss doctrine precluded employees from recovering. However, the Supreme Court of Pennsylvania reversed on both counts. UPMC’s affirmative conduct—requiring employees to provide personal and financial information, which it stored on computers lacking adequate security—created a risk of a data breach; therefore, UPMC owed its employees a duty to use reasonable care in protecting them from cyberattack-related harms. Further, the court decided that because this duty arises independently from any contractual obligations, Pennsylvania’s economic loss doctrine did not bar the employees’ claim. In 2021, the parties settled for $2.65 million. (UPMC experienced another cyberattack in 2020.)

Dittman is considered a landmark case that may open the floodgates to data breach–related negligence claims. Notably, the court did not ground its decision that a legal duty existed in the employment relationship, but rather relied on traditional principles of tort law, which can easily be applied to other contexts and states. Additionally, this case marks a shift in courts’ perceptions of what efforts are reasonable to prevent cyberattacks. While the superior court somewhat belittled the risks of data breaches and refused to require organizations to incur breach-prevention costs, the Pennsylvania Supreme Court ruling reflected a more modern view of cyberattacks, obligating organizations to take reasonable measures to secure data. Dittman has been referenced in nearly 100 cases across the country in the four years following its decision.

Preparation

Considering these exorbitant costs, long delays, and shifting tides in breach-related litigation, organizations would be wise to take the risks of cyberattacks seriously. The stakes are high; preparation is worth getting right.

Invest in data security. The significant uptick in data breaches has generated an equivalent increase in data protection solutions for companies of all sizes and budgets. Organizations should consider which cybersecurity tools address their particular vulnerabilities, including network security monitoring, encryption tools, web vulnerability scanning tools, network defense tools, antivirus software, firewalls, and managed detection services. Companies utilizing cloud-based integration should invest in solutions tailored to cloud vulnerability because 45% of breaches occurred in the cloud and organizations with a high level of cloud migration paid $1.28 million more per data breach in 2021.

Additionally, organizations should consider investing in cyber insurance to cover financial losses resulting from data breaches. Cyber insurance policies are relatively new and lack widespread standardization, so coverage can vary wildly. First-party coverage protects your organization’s data and generally covers costs for legal counsel to determine notification requirements, the recovery and replacement of stolen data, customer notification services, lost income due to business interruptions, crisis management, cyber extortion, forensic services to investigate the breach, and fees, fines, and penalties related to the incident. Third-party policies protect organizations from liability if a third party brings claims. This coverage typically includes payments and settlements to consumers affected by the breach, losses related to defamation and copyright infringement, and accounting costs. Organizations should also make sure that their policy covers cyberattacks on their data held by third parties, as well as those occurring outside the U.S. Organizations may wish to contractually require that all relevant business partners hold cyber insurance policies, as well.

Develop data privacy policies and response procedures. The first time an organization contemplates its response to a cyberattack should not be in the midst of one. Internal policies and response plans are critical to a relatively quick and inexpensive resolution; in fact, organizations that assemble an incident response (IR) team and test their response plan save an average of $2.66 million per breach.

Companies should begin by identifying the members of their cyber IR team. This is typically a small group of people who will assemble in the case of a data breach and implement the organization’s response plan. IR teams often include the head of the organization, legal counsel, the company’s insurer, data forensics experts, and a public relations manager. As data breaches grow increasingly complicated, data forensics has become a critical tool for organizations to piece together the scope of the incident and methods to stem the damage. Outside data forensics experts typically oversee the recovery and investigation of data breaches and testify about their findings in data-related litigation. Not only should each individual on an organization’s IR team be identified in advance, but its members also should meet (in person, if possible) prior to a cyber incident to make sure that they function well as a group.

The organization—ideally, with its IR team—should develop an IR plan to govern the company’s procedures in the event of a cyberattack. The plan should codify each team member’s responsibilities in the response; identify the necessary subteams; outline the investigation, containment, and recovery processes; and describe the organization’s plan to communicate the breach internally and externally. These procedures should standardize the IR team’s behavior and ensure that the response is handled in an efficient, documented, and repeatable way with as few mistakes as possible.

That said, organizations shouldn’t be fooled into believing that responding to a cyber incident is akin to implementing a routine company policy. Cyberattacks are fast-paced and high-stakes, so IR teams must be prepared to make potentially very serious decisions quickly. The best way to equip an IR team to operate smoothly, calmly, and sensibly amid the chaos is to practice implementing the IR plan—don’t just draft and file it. Conducting periodic tabletop exercises, which simulate actual data breaches, will develop IR “muscle memory” and provide the team an invaluable opportunity to evaluate and refine the IR plan.

More generally, organizations should develop a privacy compliance program to monitor and maintain their compliance with existing data-related laws. Not only will this program give companies confidence that their data collection is aboveboard, but it also will help identify which levers to pull in the event of a cyber incident. Organizations should begin by gathering information relating to their data collection: What types of personal information are collected? By what methods? For what purpose? Who can access this data? Next, organizations should analyze their data-related legal obligations and current compliance. To ensure ongoing compliance, the program should require the submission of a data protection impact assessment (DPIA) for every new project impacting personal data. DPIAs are mandated by Europe’s General Data Protection Regulation (GDPR), but even organizations outside of GDPR’s scope will benefit from keeping a pulse on changes to their data collection. Finally, the compliance program should include a data retention policy that lays out what personal data the organization must keep (and for how long), as well as how to properly dispose of it. On average, each record disclosed in a data breach costs organizations $164, so companies can save millions of dollars in the event of a breach by minimizing the amount of data they retain.

As a final point, organizations should ensure that every communication to and from their legal counsel is marked “privileged.” Under the attorney-client privilege doctrine, confidential communications between an attorney and client are legally privileged and thus not discoverable in litigation, but disclosing the communication to a third party could waive this privilege. Inadvertent disclosures generally do not waive attorney-client privilege; however, in a data breach, records containing confidential attorney-client communications may be disclosed, which could waive the privilege unless it is clear that the disclosure was inadvertent. Marking each confidential communication “privileged” will help establish that the organization intended to keep those records confidential and preserve its privilege if it is ever in question.

Educate employees on cybersecurity best practices. Because 82% of all data breaches can be chalked up to “human error,” organizations can minimize the likelihood of a data breach by providing cybersecurity awareness training. According to one study, organizations that provided employee training were 70% less likely to be breached; and when cyber incidents did occur, they detected and isolated cyberattacks faster, saving an average of $247,000 per attack. Recall Benjamin Franklin’s quip about an ounce of prevention.

Organizations should teach employees how to identify malware, phishing, ransomware, and social engineering threats; to maintain secure passwords; to keep their personal accounts (e.g., social media, email, etc.) separate from business information and devices; and to decide whom to contact about suspicious activity. Frequent training not only refreshes employees’ knowledge on a regular basis but also reinforces the notions that data breaches are high-stakes and that prevention is a top priority. Organizations can verify that their cybersecurity training is taking root through periodic drills and assessments.

Response

It is the moment that your organization hoped would never arrive: your network has been breached. Fortunately, your organization painstakingly prepared for this incident (see above), so you’re equipped to hit the ground running.

Secure your vulnerabilities immediately. When an organization recognizes that a breach has occurred, it must secure all remaining vulnerabilities as quickly as possible. While your team will know the best approach given the facts at hand, in many cases it is prudent to immediately take the affected equipment offline to try to stop the proverbial bleeding.

Abide by Office of Foreign Assets Control regulations. In the case of a ransomware attack, it may be tempting to pay off the hackers to quickly regain control of the network. Before making any payments, however, organizations should ensure that the payment would not run afoul of the U.S. Department of Treasury Office of Foreign Assets Control (OFAC) regulations. OFAC discourages making ransomware payments in general—as it tends to only encourage future ransomware attacks—and it expressly prohibits paying ransoms to entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) or those covered by comprehensive country or regional embargoes (e.g., Cuba, Iran, North Korea). OFAC maintains the authority to impose civil penalties based on strict liability for violating these regulations. Although there have not been any OFAC enforcement actions against organizations paying ransomware payments to date, companies should remain aware of the risk and check these lists before paying ransoms.

Mobilize your cyber IR team. Next (but certainly within a few hours of recognizing the breach), a breached organization should contact each member of its IR team. Every individual should be well-versed in their responsibilities and prepared to efficiently implement the IR plan (thanks in large part to the tabletop exercises the organization facilitated in advance). At this point, a data forensics expert (the cyber equivalent of crime scene forensics) will examine the network for signs of a lingering attack and attempt to identify the source and scope of the breach in order to firm up the organization’s defenses.

Memorialize everything. Cyber incidents, by nature, are fast-paced and fluid. Before long, dozens of people will be involved, simultaneously working to contain the emergency. Amid this chaos, organizations can easily lose valuable information that could aid their investigation or help establish their defense in a subsequent lawsuit (e.g., that the organization took reasonable care to secure personal data and quickly stem the damage).

As the cyber incident unfolds, every relevant fact should be recorded in order to establish a working timeline: Who recognized the breach first? What did they see? Whom did they tell? At what time? All of this information will be useful as your organization determines the source, size, and scope of the breach; its legal defenses; and its strategy to prevent the next attack.

Notify the appropriate parties. Failing to sufficiently communicate a breach to the necessary parties can turn an inconvenient incident into a public relations disaster—or, moreover, a violation of the law. Organizations should begin by determining their legal obligations under each relevant state’s breach notification laws. These laws, which vary state by state, generally require breached organizations to notify affected individuals within a fairly short period of time that their information was disclosed, allowing them to quickly mitigate the risks of their data being exploited. Notably, a breached organization may be subject to several states’ notification laws, depending on how many individuals from each state were affected. Because state breach notification laws differ regarding what constitutes a “breach,” which entities are covered, what is “personal information,” the timing and method of notice, and exemptions (e.g., for encrypted data), organizations should scrupulously comply with each relevant law’s specific requirements. Other notification laws may apply, depending on the nature of the organization or personal data disclosed. For example, banking institutions and health-care data are subject to federal notification requirements due to the sensitivity of the data involved.

Organizations should also consider contacting local law enforcement if they suspect that a cybercrime has been committed. Local Federal Bureau of Investigation offices and the U.S. Secret Service are also available in case the local police are unfamiliar with data breach investigations. Additionally, organizations may consider contacting other businesses that may be able to stem the damage from the cyberattack. For example, if personal credit card or bank account information was leaked in a data breach, an organization may wish to alert the relevant banks and credit card companies so that they can monitor the affected individuals’ accounts for fraudulent purchases.

Finally, an effective data breach communication strategy involves thoughtful, open, and straightforward communication with the public. Many breached organizations have sought to keep the incident close to the vest and experienced far worse reputational damage when all came to light. For example, after Uber experienced a data breach in 2016 that affected 57 million individuals, the company waited about a year to report the breach. Not only was Uber forced to pay $148 million to settle claims, but the company also suffered far greater reputational damage for the cover-up than it almost certainly would have for the data breach. What’s more, Uber’s former chief security officer was convicted for obstructing justice and concealing knowledge that a federal felony had been committed and faces up to eight years in prison for his role in the cover-up. Although the public need not be made aware of the breach immediately, organizations can build trust by being forthright about the incident at the appropriate time.

Recovery

Initiate dual-track investigation. As soon as the ongoing threat is over and your data is again secure, an investigation into the source, size, and scope of the breach will pick up speed. These investigations, typically performed by external forensics experts and counsel, often result in a comprehensive report on how the organization’s data was breached, what information was disclosed, how the organization responded, and methods for preventing the next cyberattack.

This step in the recovery process can pose a conflict for organizations: on the one hand, these reports are necessary to analyze the breach and bolster the company’s defenses against the next attack; on the other hand, investigative reports could produce incriminating evidence that might be used against the company in litigation. Courts have allowed these reports into evidence, deciding that the disclosure of attorney-client confidential communication and work product to third parties (namely, outside forensics experts) waived their protection. Other courts have admitted these reports because they were not prepared exclusively for legal purposes, in anticipation of litigation, as the attorney-client privilege and work product privilege necessitate.

For example, in the midst of Capital One’s breach-related lawsuit, a court determined that Capital One’s forensic incident report was not privileged work product even though it was commissioned by outside counsel. Several factors led to the court’s conclusion, including the fact that Capital One paid for the report as a “business critical,” rather than a “legal,” expense; that Capital One’s relationship with its vendor was nearly identical before and after the breach; and that Capital One widely disseminated the report outside its legal team for a variety of business purposes. Because the prospect of litigation did not substantially change the incident response services that Capital One commissioned, they likely served a dual purpose and were therefore not covered by the work product privilege.

Organizations can increase the likelihood that these privileges attach to their investigative reports by clearly separating their business and legal functions and by maintaining two separate investigations—an internal business investigation (lacking privilege) and an external legal investigation led by outside counsel (preserving privilege). While the business track digs into how the breach occurred and how the organization should respond—mindful of the nonprivileged aspect of these efforts—the legal track allows the company’s lawyers to collect the necessary information to provide the company with legal advice and protect the company’s interests in a suit.

In re Target Corp. Customer Data Security Breach Litigation exemplifies successful implementation of both strategies. After several class action lawsuits were brought against Target relating to a data breach, Target spun up a “Data Breach Task Force” and initiated a dual-track investigation. On one track, the business investigated the breach’s source and scope. On the other, the Data Breach Task Force educated its in-house and outside counsel on the breach as they prepared for litigation, and outside counsel hired Verizon to complete a forensic investigation. The court maintained that the task force’s communications were privileged because the group’s function was exclusively to protect Target’s interests amid ongoing litigation and because its reports were generated to inform the attorneys about the breach as they prepared for the litigation.

Following their respective data breaches, Target and Capital One employed nearly the same playbook but obtained vastly different results. Organizations can learn from this discrepancy to ensure that their investigative reports remain privileged. First, the prospect of data breach–related litigation should create a meaningful difference in your engagement with your outside counsel and relevant vendors. Capital One’s relationships were nearly identical before and after the data breach, whereas Target instituted a new Data Breach Task Force to directly protect its legal interests. Second, organizations should consider instituting—and strictly adhering to—a dual-track investigation. Courts scrutinize companies’ investigations to determine if the legal investigation also served a business purpose. Even seemingly minor facts (e.g., how a vendor expense was categorized) weigh heavily on courts’ decisions, and the mere appearance that business and legal functions are separate (such as by labeling work as “under the direction of counsel”) is insufficient to convince a court that investigative reports should be covered by these privileges.

Implement changes to fend off the (inevitable) next attack. In the months following a data breach, it might be tempting to close the book on this rather unnerving incident and move on to the organization’s pressing priorities. Before you do, be sure to take full advantage of the invaluable opportunity to review your organization’s response. Organizations should assemble their IR teams to analyze each aspect of the company’s response to the breach. What made the organization vulnerable to a breach? Was more data exposed than necessary? Where can the IR team realize greater efficiency? What feedback have you received since the incident? After a comprehensive evaluation, the organization should update its internal data privacy policies and privacy compliance framework to internalize these lessons learned and further strengthen its cyber defenses.

Additionally, organizations should not think of data breaches as isolated incidents that are unlikely to reoccur. In fact, organizations that have experienced one breach are more likely—not less likely—to experience a second (or third, or fourth . . .) breach. In 2013, Yahoo experienced the largest data breach on record, which affected three billion accounts. The very next year, Yahoo faced a second breach, affecting another 500 million accounts. In 2022, T-Mobile confirmed its seventh data breach in four years. Regrettably, Yahoo and T-Mobile are not anomalies; 83% of organizations that experienced a cyberattack have experienced more than one breach.

The cause for repeated breaches varies, but it is often traceable to existing vulnerabilities and undertrained employees. For example, once hackers get access to an organization’s system, they can create a “secret door” through which they come and go without detection until the company patches the vulnerability. Other repeat breaches are caused by employees creating weak passwords, falling for phishing scams, leaving work devices unsecured, and clicking on links containing malware. If breached organizations do not thoroughly analyze the source of the incident and operationalize the lessons learned, they will become low-hanging fruit for subsequent breaches.

All told, data breaches present a dreadful combination: they are both high-risk and nearly inevitable. The upshot is that organizations need not wrestle with whether to prioritize their cybersecurity—they undoubtedly should.

Conclusion

No organization is impervious to a cyberattack—no organization is too small, too large, too obscure, or even too prepared—so every organization should take practical steps to further minimize its risk of a breach. Perhaps most significantly, organizations (and their attorneys) should implement comprehensive privacy compliance programs and internal privacy policies to batten down the hatches: they should map and categorize the data they process, confirm their compliance with relevant privacy and cybersecurity laws, and routinely rehearse their response plan to hone IR muscle memory. Further, because an organization’s security hinges on every employee’s cyber awareness (not just that of its attorneys, C-suite executives, or IT professionals), organizations should frequently train their employees to identify and defend against threats.

Given the astronomical costs involved with recovering data, restoring a brand, losing customers, suffering productivity losses, and defending against litigation, organizations must proactively prepare for a cyberattack—their continued existence may hinge on it. In the event of a breach, organizations that painstakingly prepared will be well positioned to respond quickly and recover thoroughly, sharpening their swords to fend off the next (inevitable) attack.