
Why every CIO needs a cybersecurity attorney

Kacy Zurkus | Aug. 5, 2015
Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.

The age of immediate litigation?

The old adage, "proper preparation prevents poor performance," resonates when it comes to breaches and complying with privacy regulations.

Response time in the aftermath of a breach carries its own risk. According to Sheehan, "You'll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common; it's filed immediately after a breach, and counsel is involved in mitigating litigation risks."

Companies and organizations ranging from Target to Sally Beauty Supply to Sony to the U.S. Office of Personnel Management (OPM) have seen their reputations tarnished by major breaches. And the class action lawsuits that followed shifted the courts' perception of harm, which in turn changed the established interpretation of the law and gave rise to the field of cybersecurity law.

In their paper, "Cybersecurity and Privacy Enforcement: A Roundup of 2014 Cases," Francis J. Burke, Jr. and Steven M. Millendorf, CIPP/US, noted, "In 2011, the Sony PlayStation Network (PSN) suffered a data breach that exposed personal identifiable information for millions of Sony's customers." Even though Sony took the network offline, it failed to notify its customers of the breach. The court allowed the suit to proceed, ruling, "The plaintiffs had plausibly alleged a credible threat of harm based on the disclosure of their personal information following the attack."

Burke Jr. and Millendorf also wrote about the shareholder derivative cases in the Target breach. "The complaints further allege that these failures severely damaged the company, and note that the company is under investigation by the United States Secret Service and the Department of Justice as well as the growing multitude of class action lawsuits against the company." 

Are hacked companies victims, or complicit?

"The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data? Most companies have outward-facing policy to the public, but if you are not being preventative, you're ignoring the issue and you subject yourself to being hacked," says Mark Harrington, general counsel at Guidance Software, which develops and provides software solutions for digital investigations.

Harrington points out that how a company prepares for and handles a breach is of paramount importance, legally speaking. "The government is giving favor to companies that are well-prepared and willing to cooperate." Harrington suggests, "If you don't have the internal expertise, you should find an expert law firm, educate yourself or find a vendor."

"Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that's not fair," says Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. "Now, if you had your act together and still got hacked, we're going to treat you as a victim," insists Harrington.

