How To Protect Against and Respond to Cyberattacks – Part 1

by Milton Whitfield and Jayna Genti

Since January of last year, Virginia has seen roughly one cyberattack every four seconds. According to the 2016 Cost of Data Breach Study by the Ponemon Institute, which conducts independent research on data protection, malicious or criminal attacks continue to be the primary cause of data breaches nationwide. According to the study, fifty percent of incidents involved a malicious or criminal attack, 23 percent were caused by negligent employees, and 27 percent involved system glitches, which included both IT and business process failures. (The study is available at https://securityintelligence.com/media/2016-cost-data-breach-study/.)

To help you deal with this very real concern for all Virginia business and governmental entities, we shall be exploring in this and the next three issues of the Virginia Employment Law Letter (1) the financial costs of data breaches and steps you can take to improve your data protection procedures, (2) Virginia’s legal requirements for notifying consumers and other affected individuals of a data breach, (3) the federal laws that may be impacted by a data breach and the legal avenues of redress you have against the perpetrators, and (4) the recent cybersecurity initiatives being undertaken by Virginia Governor Terry McAuliffe. First, let’s turn to the monetary impact a data breach may inflict upon your operations.

Data Breach Costs

The Ponemon Institute study not only documents the prevalence of data breaches and their causes, but also the monetary consequences of a breach. According to the study, the increase in data breach costs, in large measure, is due to an increase in three types of expenditures:

  • Notification costs. These include, for example, costs associated with creating a contact database, determining all regulatory requirements, engaging outside experts, postal expenditures, secondary mail contacts, and inbound communication set-up.
  • Post data breach costs. These costs encompass help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services, and regulatory interventions.
  • Lost business costs. These costs arise from abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.

Mitigating the Damage

Fortunately, there are steps you can take to mitigate the harm from cyberattacks. The Ponemon Institute report found that you can reduce the cost of data breaches by instituting improvements in your data governance programs and investing in certain data loss prevention controls and activities. Accordingly, as part of your data governance program, you should consider (1) implementing an incident response plan, (2) appointing a Chief Information Security Officer (“CISO”), (3) creating employee training and awareness programs, and (4) developing a business continuity management strategy.

The cost of a data breach can also be reduced when you participate with other businesses in sharing information about cyber threats and attacks. Installing data loss prevention technologies, such as encryption and endpoint security solutions, can also help prevent data breaches in the first place.

If these measures are not successful and a data breach occurs, you have a number of legal obligations, particularly under Virginia law, to notify affected individuals. Next month, we shall be exploring what those obligations entail.

Editor’s Note: Prior articles in the Law Letter discussing cybersecurity include “Feeling Insecure? Understand Notice Requirements Under State Security Breach Laws” (December, 2014) and “Hackers Gonna Hack: Know the Security Threats Facing Your Business” (July, 2015).

Milton Whitfield is a partner at DiMuroGinsberg, P.C. and an experienced business lawyer who specializes in representing companies in complex corporate and technology transactions, including outsourcing and licensing of business processes, information technology, and related sourcing services. He also advises companies on various energy, government contract, regulatory, and transaction matters. Milton may be contacted at mwhitfield@dimuro.com. Jayna Genti is an attorney with DiMuroGinsberg, P.C., and a former federal law clerk for U.S. Magistrate Judges Michael S. Nachmanoff and T. Rawles Jones, Jr., of the Eastern District of Virginia and U.S. District Judge David Briones of the Western District of Texas.

Published in the March, 2017 Virginia Employment Law Letter by BLR Publishing

To subscribe to the Virginia Employment Law Letter, please contact mkraftschik@dimuro.com.

Jonathan Mook co-presents “Website Accessibility”

“Website Accessibility: HR’s Strategic Guide to Meeting Digital Accessibility Standards Amid Increased Regulatory Oversight,” a Live Virtual Workshop: Tuesday, April 18, 2017

Is your organization’s website fully accessible to disabled individuals? If it’s not, you could be subjected to costly legal scrutiny, as lawsuits challenging inaccessible websites proliferate and the Department of Justice is in the process of issuing website accessibility standards.

Some federal circuit courts of appeal have already ruled that the Americans with Disabilities Act (ADA) applies to e-commerce and websites offering goods and services unconnected to a physical place. This raises the issue of what businesses should do to ensure that their websites—as places of public accommodation—are ADA accessible.

Website accessibility is especially important for the job application process. The ADA requires employers to ensure that job applicants and employees with disabilities can fully participate in the workplace, and the Equal Employment Opportunity Commission has interpreted this requirement to include computer and website accessibility.

So, how can you tell if your website is fully accessible and how it could be better optimized to ensure that it’s available and functional for anyone who visits the site?

Join DiMuroGinsberg attorney Jonathan Mook and fellow presenters on April 18 for a comprehensive virtual workshop on emerging legal risks companies like yours now face. You’ll also learn more about HR’s role in conducting a website accessibility audit to determine whether it meets or misses the mark concerning your recruiting and other employment practices.

Click here to register. http://store.hrhero.com/website-accessibility-041817