ARTICLE
19 June 2025

Reap What You Sow? How Businesses Storing Consumer Data Could Be At Risk For A Cybersecurity Breach.

Calfee Halter & Griswold


Calfee serves clients in Corporate and Finance, Employee Benefits, Energy, Estate Planning, Government Relations, Insurance Coverage, Intellectual Property, Investment Management, Labor and Employment, Litigation, and Real Estate Law, delivering national and international representation to clients through Lex Mundi’s network of independent law firms across the U.S. and in 125+ countries.

Personal data (also referred to as personally identifiable information, or "PII") is a category of data that raises significant cybersecurity and privacy concerns. Almost every business currently collects and stores personal data from its customers and consumers, particularly tech giants such as Google, Amazon, Facebook and Apple. This type of data holds a unique value, as it enables the tracking of large-scale consumer behavior. However, if it falls into the wrong hands, it also allows malicious actors to target individuals on a massive scale, which can ruin a business's reputation.

A quick glance at a daily news feed will reveal that these risks are growing and cannot be ignored. A study conducted several years ago by the Ponemon Institute revealed that nearly 50% of small businesses had experienced a data breach within a preceding 12-month period. And additional studies have shown that the number and magnitude of data breaches occurring each year continues to grow.

Given that data holds such enormous commercial value in our economy, questions inevitably arise as to how all that data can be protected in the current and rapidly evolving threat environment. Businesses and corporations may be looking for the best ways to protect their own and their customers' information and reduce their vulnerability to a data breach.

The Fallout from a Cybersecurity Breach

When a business suffers a cybersecurity breach, the consequences can unfold across multiple fronts, including regulatory, criminal, civil, and reputational (including the ways it affects the individuals involved). The fallout is rarely limited to the breach itself and often includes how the business responds, how prepared it was in advance, and whether it acted transparently after the fact.

Agencies like the Federal Trade Commission, the Consumer Financial Protection Bureau, and, more recently, the Securities and Exchange Commission have expanded their oversight of corporate cybersecurity practices. Under new SEC rules, for example, public companies must disclose material breaches promptly and demonstrate adequate governance and board-level oversight of cybersecurity risks. International regulators, particularly in the EU and China, have also imposed significant penalties under frameworks like Europe's General Data Protection Regulation (GDPR) and Chinese cybersecurity laws.

Criminal liability is an increasing concern, not just for corporations, but also for individuals. For example, the prosecution of Uber's former chief security officer, Joe Sullivan, marked a turning point. After a major data breach, Sullivan paid hackers to keep quiet and failed to inform regulators, despite having just testified before the FTC about Uber's data security. That decision led to his criminal conviction for obstruction and failure to report a felony.

Following a prominent data breach, a company may well become a target of litigation, particularly class actions, by consumers or business partners whose data was compromised. These suits may allege negligence, breach of contract or deceptive trade practices. While the legal theories vary and many remain untested, most companies choose to settle rather than risk trial, where juries might not look kindly on gaps in data protection or efforts to conceal what happened.

While not always quantifiable, reputational damage that often results from a data breach is arguably the most harmful consequence of a cyberattack. Hackers know this and frequently exploit it by threatening to publicly expose compromised data unless a ransom is paid. For a business, the long-term cost of eroding customer trust can have severe consequences that can potentially exceed any regulatory fine.

IBM estimates the average cost of a data breach in 2023-2024 to be approximately $4.9 million. High-profile companies like Target, Home Depot, Yahoo, Equifax, Twitter, and Zoom have all faced breaches, with damages and settlements reaching billions of dollars.

Mitigating Risk in the Face of Evolving Threats

For the vast majority of businesses, it's not a matter of whether they'll be targeted by hackers, but when. Across all types of liability, whether regulatory, criminal, civil, or reputational, the central question will be whether the company acted reasonably and responsibly before and after the breach. Regulators, the courts, and consumers expect a business to take reasonable measures both to prevent incidents and to mitigate the damage when a breach inevitably occurs.

The following strategies may help a business mitigate the risk of a cybersecurity breach:

  • Adopting a comprehensive security framework: Using standards like the NIST Cybersecurity Framework or ISO 27001 can help to ensure consistency and coverage in an organization's approach to risk.
  • Regular security audits: Conduct penetration testing, vulnerability scans, and compliance reviews to identify and address gaps before attackers do.
  • Robust third-party oversight: Treat partners and vendors as extensions of the network. Implement appropriate requirements for data access, monitoring and response.
  • Communication protocols: When an incident occurs, prioritize thoughtful, timely, and accurate communication with regulators, law enforcement, and customers. Withholding critical information may only intensify legal and reputational fallout.
  • Foster a cybersecurity culture: Train employees to recognize phishing attempts, practice strong password hygiene, and adopt security-conscious habits.

Businesses that fail to prioritize data security risk far more than financial losses; they also risk weakening market share, eroding shareholder confidence, and damaging public trust. While the landscape will continue to evolve, one truth remains constant: transparency and preparedness are the most powerful defenses against both current and emerging cyberthreats.

Unsure if your business is at risk of a cybersecurity threat? The attorneys in Calfee's Privacy and Data Security practice routinely provide risk assessments to help identify areas of potential exposure. Additionally, should a data breach happen, Calfee's practitioners have broad experience assisting companies both during and in the aftermath of security incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
