There’s no way to guarantee your organization will never suffer a data breach or the resulting PR black eye to your brand’s reputation. The faster your investigation can determine what happened and what specific records were exposed, the faster you will regain your customers’ trust. But, as Equifax is learning the hard way, if the word “negligence” becomes associated with your case, the financial and legal repercussions can be long-term and severe.
A proposed class-action lawsuit was filed against Equifax following the news that a breach compromised the private information of about 143 million people. According to Bloomberg, the complaint filed in a federal court alleges that the company tried to save money instead of implementing adequate safeguards.
“Equifax should have known that failure to maintain adequate security safeguards would eventually result in a massive data breach,” the complaint states. “Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
Once investigators and/or the media invoke any variation of the word “negligence,” lawsuits are sure to follow. For another example, just read the headline of this Bloomberg report on the Yahoo! Inc. breach that exposed personal information of at least 500 million users: “Yahoo’s Massive Data Breach Draws Negligence Suits by Users.”
In the healthcare sector alone last year, there were 76 class action data breach lawsuits, up seven percent from 2015. Bryan Cave, a St. Louis-based international law firm, analyzed 2016 data breach lawsuits at the state and federal levels and found that nearly all cases (95 percent) alleged that negligence led to the data breach.
The defense of “we implemented security software and assumed our data was safe” will no longer fly with government investigators and judges. If a breach goes undetected for a long period of time, and you then spend days or weeks fruitlessly trying to determine the cause and what was lost, it’s a good bet that the U.S. Justice Department or a regulatory body like the FTC will determine your organization was negligent.
Speed is the most important factor in mitigating the damage a breach can cause. You need to establish full visibility over all your data in order to quickly identify suspicious activities, such as an employee emailing files to a personal email address or downloading them to a USB thumb drive.
You must also be able to determine what files were exposed or stolen so you can present a complete report to independent investigators.
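The two activities named above, files mailed to a personal address and files copied to a USB drive, are easy to surface once the activity logs exist. The script below is an added illustration, not code from the original article or from any product it alludes to; it runs over a few constructed log lines in an invented `key=value` format, flags both patterns, and records which files were involved so the answer to "what was exposed" is captured at detection time. The corporate domain, the list of personal mail domains and the sensitive file extensions are assumptions you would replace with your own.

```python
"""Flag file exfiltration patterns in constructed activity logs (added example)."""
from dataclasses import dataclass

# Assumed values: the organisation's own mail domain, a short list of consumer
# mail providers treated as "personal", and file types treated as sensitive.
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_EXT = (".xlsx", ".csv", ".docx", ".pdf")


@dataclass
class Alert:
    line_no: int
    user: str
    reason: str
    files: tuple  # the specific files involved, kept for the breach report


# Constructed sample lines (invented format, not from any real system):
#   EMAIL <ts> user=<u> to=<addr> attachments=<a;b>
#   USB   <ts> user=<u> op=<mount|write> dev=<id> [file=<path>]
SAMPLE_LOG = """\
EMAIL 2017-09-10T08:02:11Z user=jdoe to=partner@vendor.example attachments=contract.pdf
EMAIL 2017-09-10T08:15:43Z user=jdoe to=jdoe.home@gmail.com attachments=customers.xlsx;notes.txt
EMAIL 2017-09-10T09:01:02Z user=asmith to=team@example.com attachments=report.docx
USB   2017-09-10T09:30:55Z user=asmith op=mount dev=usb0
USB   2017-09-10T09:31:10Z user=asmith op=write dev=usb0 file=/share/hr/payroll.csv
USB   2017-09-10T09:31:12Z user=asmith op=write dev=usb0 file=/tmp/readme.txt
"""


def _kv(tokens):
    """Turn ['user=jdoe', 'to=x@y'] into {'user': 'jdoe', 'to': 'x@y'}."""
    out = {}
    for t in tokens:
        if "=" in t:
            k, v = t.split("=", 1)
            out[k] = v
    return out


def detect(log_text: str):
    """Return one Alert per line matching either exfiltration pattern."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line; skip rather than crash
        kind, fields = parts[0], _kv(parts[2:])  # parts[1] is the timestamp
        user = fields.get("user", "?")
        if kind == "EMAIL":
            domain = fields.get("to", "").rpartition("@")[2].lower()
            files = tuple(f for f in fields.get("attachments", "").split(";") if f)
            # Pattern 1: attachments leaving for a personal mailbox.
            if domain in PERSONAL_DOMAINS and files:
                alerts.append(Alert(n, user, f"attachments sent to personal mailbox ({domain})", files))
        elif kind == "USB" and fields.get("op") == "write":
            path = fields.get("file", "")
            # Pattern 2: a sensitive file type written to a removable device.
            if path.lower().endswith(SENSITIVE_EXT):
                alerts.append(Alert(n, user, f"sensitive file written to removable device {fields.get('dev')}", (path,)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.user}: {a.reason}: {', '.join(a.files)}")
```

Run against the sample, the script flags the spreadsheet mailed to the Gmail address and the payroll CSV written to `usb0`, and ignores the contract sent to a business partner and the text file copied to the drive. Narrow rules like these produce an investigator-ready list of users and file names; broadening them (any external domain, any file type) trades precision for coverage and is a tuning decision for your own environment.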
Determining the root cause of a breach and what files were affected are the keys to avoiding the charge of negligence and the potentially crippling consequences associated with that word.