Experts offer insights about the legal and financial hits, as well as the devastating loss of reputation, your business might suffer if it is the victim of a data breach.
The consequences of a data breach involve a complex sequence of events specific to the victimized business and its responsibilities to regulators, governments, and customers. A report from Veritas said some people believe CEOs should be held responsible for ransomware attacks, even with potential jail time.
Some of the most important challenges that may arise after a data breach include disruption of business operations, loss of investor and customer trust, and even civil litigation, said a team from Proskauer Rose LLP in the May 2020 article Cybersecurity: Threats, Consequences, and the Regulatory Framework by Alexandra Bargoot, Margaret Dale, Anthony Drenzek, and Samuel Waldon.
The real earnings-crushing consequences come from data breaches with the potential to garner attention from governmental and regulatory bodies such as the Security Exchange Commission (SEC) and the Federal Trade Commission (FTC).
SEE: Security Awareness and Training policy (TechRepublic Premium)
The SEC has the Congress-enabled authority via the Gramm-Leach-Bliley Act of 1999 to require regulated organizations, such as investment advisers and broker-dealers, to implement policies and procedures designed to protect against data breaches.
For public companies, the SEC uses a different approach. "The SEC has taken somewhat extraordinary steps to explain the obligations of public companies to disclose cyber-breaches," noted Bargoot, Dale, Drenzek, and Waldon. "In February 2018, the SEC issued clear guidance on disclosure obligations for public companies, explaining that public companies must disclose material cyber breaches and any material risks of cyber breaches in their public SEC filings."
Companies that are the victims of a data breach may also be in trouble with the FTC because of the Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices. "The FTC has applied the act to cybersecurity breaches by stating that businesses operate deceptively when they fail to live up to their stated data-security practices or when they fail to employ reasonable and appropriate measures to prevent unauthorized access to personal information," the authors of the Proskauer Rose LLP article stated.
Put simply, even if a company is a victim of a breach, on some level, company management is still responsible.
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
If you don't notify those whose personally identifiable information (PII) has been compromised, you can also be in trouble with your state government.
"These laws vary in terms of statutory structure and prosecutorial discretion," noted Bargoot, Dale, Drenzek, and Waldon.
When you're required to notify clients of a breach is different from jurisdiction to jurisdiction, the authors of the article said. "Some states only require that an entity notify the attorney general and only if the breach hits a particular threshold, while others require that entities notify individuals that a breach has occurred compromising their information no matter the significance."
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
Your business reputation
There's a saying that "good news travels fast, but bad news travels even faster," which is even more apparent in the digital age. Even those who may have never heard of your company will likely hear about a breach within days.
"The damage a data breach can have on a business can be devastating, particularly if the breach was an avoidable one or put customer data at risk," said Maddie Davis in her July 2019 Cybint article, 4 Damaging After-Effects of a Data Breach. "Lost confidence, negative press, associated identity theft, and potential customers' views toward your company can all take a hit, leaving dark clouds over your reputation and creating long-term complications."
Davis offered the following statistics:
- 65% of affected individuals report lost trust in an organization that exposed their sensitive PII.
- 85% of the affected individuals will likely tell others about their experience (more than 30% using social media and 20% commenting on the website of the breached company).
A company's loss of esteem has the potential to cause the most damage, yet it is the hardest to quantify. Bargoot, Dale, Drenzek, and Waldon agree: "With all the attention pointed at you after a breach, it's crucial to ensure your aftermath-management is handled properly. If not, you risk losing current and potential customers to competitors who may be viewed as more secure."
How to avoid and, if necessary, handle data breaches
Read these TechRepublic resources to learn the recommended preventative steps to take to avoid a data breach, as well as what to do if your company suffers a cybersecurity attack.
- How organizations should handle data breaches
- You've been breached: Eight steps to take within the next 48 hours (free PDF)
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Information security policy (TechRepublic Premium)
- Quick glossary: Cybersecurity attacks (TechRepublic Premium)
- The biggest hacks, data breaches of 2020 (ZDNet)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)