Cyber-attacks become more common with each passing year, and the increased number of attacks means more protected data is vulnerable to data breach. As more and more business has moved online in the twenty-first century, criminals have shifted their activity online as well. Companies must respond to safeguard not only their own data but also the data of their clients and customers.
While it is difficult to determine the exact number of cyberattacks in a given year, the FBI Internet Crime Complaint Center reported over 800,000 incidents in 2022, collectively resulting in a loss of over 10 billion dollars. This number is certainly underinclusive because not all incidents are reported to authorities. Whenever an entity experiences a data breach or ransomware attack, they should alert their local FBI field office to report the incident. Federal and state rules include requirements regarding notice to authorities, the public and, when such incidents result in the exposure of protected personal information, to the specific individuals affected. These regulations continue to expand. In 2024, the Securities and Exchange Commission will mandate that publicly traded companies notify the SEC of material cybersecurity incidents. Additionally, revised Federal Trade Commission rules, originally applicable to banking institutions, now extend to include non-banking financial entities such as mortgage companies, accountants, and car dealerships. The revised rule stipulates breach notification to the FTC.
Key components of a successful cybersecurity program are prevention and response. To mitigate the threat of data breaches, companies should employ a multifaceted approach to bolster their cybersecurity defense. A comprehensive risk analysis will achieve dual goals of identifying and evaluating potential vulnerabilities, while also assessing the sensitivity of data on the system. The human element is critical to cybersecurity prevention and response. Phishing attacks and identity spoofing (creating the appearance that a communication is sent from a trusted party) are commonly used tools by hackers that succeed when the target makes a poor decision. In the past, phishing attempts might be flagged by the presence of spelling errors, typos, or stilted phrasing, but hackers can now use generative artificial intelligence programs to draft very realistic phishing emails. To the extent that these attacks are reliant on human decisions, employee education programs are critical to facilitate a company’s secure navigation of the online environment. Ongoing training in cybersecurity best practices (“don’t click that link!”), and education around phishing, social engineering attacks, and multifactor authentication provide a key layer of protection from ongoing breach attempts.
On the technology side of the prevention equation, regular software updates and patching are critical, and companies should monitor network activity and regularly review activity logs for signs of unusual behavior. While cybersecurity is best understood as “everyone’s job” and not the discrete responsibility of an IT department, a robust incident response plan with clearly defined roles and responsibilities allows for a swift and coordinated breach response. Security audits and third party
assessments are particularly helpful to identify potential weaknesses. File encryption should also be considered for both active and stored data. Current regulations already require encryption of certain classes of protected data, and it’s possible that full encryption will eventually become the standard, if security breaches and cyberattacks continue to rise.
No matter how rigorous the prevention program, data breach is always a possibility. Therefore, breach response is just as important as breach prevention. Although many attacks involve ransomware, which extorts a ransom by holding data hostage, others may result primarily in data breaches and exposure. In these situations, companies may be required to notify individuals whose personal data was affected in the breach. Entities operating in the financial and healthcare sectors are undoubtedly familiar with regulations requiring them to notify customers whose data is exposed in a cyberattack or data breach. Additionally, state law governs notice requirements to individuals whose data is included in a breach. In Delaware, Del. Code Ann. Tit. 6 § 12B-101 requires any entity which conducts business in Delaware
to provide notice of breach to Delaware residents whose personal data has been exposed, if it is likely that those individuals may be harmed by the breach. (Del. Code Ann. tit. 6, § 12B-102)
Personal information is defined to include identification numbers, account numbers with passwords, usernames or security questions, medical history health insurance information, passport numbers, and biometric data. (Del. Code Ann. tit. 6, § 12B-101)
Cyber-attacks pose numerous challenges, the first of which is that such attacks may go undetected for an extended period. To mitigate this risk, companies should monitor their systems and conduct regular audits. Once detected, another challenge arises in determining which data was exposed in the breach. Depending on company information governance practices, it may not be immediately clear where protected data exists on the system. This necessitates a thorough search and analysis of large data sets to identify specific material.
Understandably, companies want to be sure that personal data was exposed before alerting individual customers of a data breach. Despite the increasing prevalence of such attacks, the mere fact of an attack can undermine customer confidence. Therefore, correctly identifying the scope of personal data affected by the breach is critical step in the response plan.
There are now many useful tools developed in the eDiscovery context which can be applied to evaluating cybersecurity breach. Modern data practices mean that implicated volumes can be quite large, and legal notice requirements may impose a tight window for review and evaluation of affected data. eDiscovery practices such as application of search terms, analytic tools, and machine learning can be employed to great effect to reduce the overall boundary of data requiring review. Attorneys
with little experience in this area can partner with technology vendors which provide cybersecurity response services. Companies should remain informed about the latest cybersecurity threats and trends, and consider collaboration with cybersecurity professionals or consultants. Compliance with data protection regulations is non-negotiable and requires a thorough understanding of and adherence to applicable law. In adopting and continuously refining these measures, companies can significantly reduce the risk of successful data breaches and strengthen their overall cybersecurity posture.