BGD partner John McCauley recently discussed the rising importance of data breach litigation in a column for the Indiana Lawyer. In it, he stresses the importance of being prepared for cyber-attacks, quoting John Chambers, CEO of Cisco Systems Inc., “[t]here are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.”
Cyber-attacks have increased threefold in the past two years and present a growing legal problem for companies of all sizes. Following is information regarding the three types of legal liabilities that arise from data breaches: regulatory, civil and criminal. Additional details are available in McCauley’s column on the Indiana Lawyer website.
Once an organization suspects that confidential information may have been compromised or acquired by an unauthorized person, there is a duty to investigate whether an actual breach has occurred. Although there are no federal requirements for reporting data-breaches, in Indiana, once a data breach is detected, the affected party must be notified as well as the attorney general. McCauley advises companies to familiarize themselves with notification laws in their state of residency to avoid penalties.
Civil liability concerns can arise quickly after a data breach. McCauley advises consulting counsel early in the process of dealing with a breach in order to ensure that an organization meets its obligations to identify, locate and preserve potentially relevant documents and electronically stored information; determine other potentially responsible parties; conduct a thorough investigation; and establish the protections of the attorney-client privilege. Legal counsel will also be able to assist in determining insurance coverage related to the incident.
Thus far, there have not been any criminal proceedings against organizations suffering data breaches. However, legal counsel can assist in working with the FBI, which often becomes involved based on their anti-cyberterrorism function. Individual wrongdoing by employees leading to breaches could also present legal challenges, and outside counsel can assist in helping a company conduct an internal investigation. McCauley advises that attorneys representing a company that has been a victim of a data breach should be prepared to answer inquiries, respond to subpoenas and otherwise facilitate cooperation regarding the investigation.
Overall, if a company acts swiftly and honestly, the damage from data breaches can be remedied.