by Milton Whitfield and Jayna Genti
Since January of last year, Virginia has experienced roughly one cyberattack every four seconds. According to the 2016 Cost of Data Breach Study by the Ponemon Institute, which conducts independent research on data protection, malicious or criminal attacks continue to be the primary cause of data breaches nationwide. According to the study, 50 percent of incidents involved a malicious or criminal attack, 23 percent were caused by negligent employees, and 27 percent involved system glitches, which included both IT and business process failures. (The study is available at https://securityintelligence.com/media/2016-cost-data-breach-study/.)
To help you deal with this very real concern for all Virginia business and governmental entities, we shall be exploring in this and the next three issues of the Virginia Employment Law Letter (1) the financial costs of data breaches and steps you can take to improve your data protection procedures, (2) Virginia’s legal requirements for notifying consumers and other affected individuals of a data breach, (3) the federal laws that may be impacted by a data breach and the legal avenues of redress you have against the perpetrators, and (4) the recent cybersecurity initiatives being undertaken by Virginia Governor Terry McAuliffe. First, let’s turn to the monetary impact a data breach may inflict upon your operations.
Data Breach Costs
The Ponemon Institute study documents not only the prevalence of data breaches and their causes, but also the monetary consequences of a breach. According to the study, the increase in data breach costs is due, in large measure, to an increase in three types of expenditures:
- Notification costs. These include, for example, costs associated with creating a contact database, determining all regulatory requirements, engaging outside experts, postal expenditures, secondary mail contacts, and inbound communication set-up.
- Post data breach costs. These costs encompass help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services, and regulatory interventions.
- Lost business costs. These costs arise from abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.
Mitigating the Damage
Fortunately, there are steps you can take to mitigate the harm from cyberattacks. The Ponemon Institute report found that you can reduce the cost of data breaches by instituting improvements in your data governance programs and investing in certain data loss prevention controls and activities. Accordingly, as part of your data governance program, you should consider (1) implementing an incident response plan, (2) appointing a Chief Information Security Officer (“CISO”), (3) creating employee training and awareness programs, and (4) developing a business continuity management strategy.
The cost of a data breach also can be reduced when you participate with other businesses in the sharing of information about cyber threats and attacks. Installing data loss prevention technologies, such as encryption and endpoint security solutions, also can help prevent data breaches in the first place.
If these measures are not successful and a data breach occurs, you have a number of legal obligations, particularly under Virginia law, to notify affected individuals. Next month, we shall be exploring what those obligations entail.
Editor’s Note: Prior articles in the Law Letter discussing cybersecurity include “Feeling Insecure? Understand Notice Requirements Under State Security Breach Laws” (December, 2014) and “Hackers Gonna Hack: Know the Security Threats Facing Your Business” (July, 2015).
Milton Whitfield is a partner at DiMuroGinsberg, P.C. and an experienced business lawyer who specializes in representing companies in complex corporate and technology transactions, including outsourcing and licensing of business processes, information technology, and related sourcing services. He also advises companies on various energy, government contract, regulatory, and transaction matters. Milton may be contacted at email@example.com. Jayna Genti is an attorney with DiMuroGinsberg, P.C., and a former federal law clerk for U.S. Magistrate Judges Michael S. Nachmanoff and T. Rawles Jones, Jr., of the Eastern District of Virginia and U.S. District Judge David Briones of the Western District of Texas.
Published in the March, 2017 Virginia Employment Law Letter by BLR Publishing