June 03, 2019
Recently, Facebook encountered the largest data breach in its history. A hack in September 2018 exploited vulnerabilities in the code that powers the social network and compromised the information of 50 million Facebook users. Given the site’s prominence, a breach might not be surprising. But if Facebook, which spends more than $3.7 billion a year on security, is not immune from these types of cyber attacks, what business possibly could be?
“This is a risk we all incur doing business in the world of internet and technology,” according to cyber expert and partner at Archer Law Robert Egan. “Businesses need to face the inevitability of being hacked at some point. It’s not a question of if, but when — and that’s why being proactive to minimize the risk is essential.”
Cyber security is quickly becoming a top concern for businesses of all sizes. The statistics are staggering: 80 percent of businesses expect a critical breach during 2019, and 74 percent of them won’t even know of the breach when it happens. Even the cost of these attacks is increasing. While every business owner understands the damage to reputation and customer relationships that could come from a breach, high-profile incidents such as those at Facebook have increased government attention and regulation on these issues.
Businesses that come under cyber attack may become the subjects of government investigations and lawsuits, and may be legally required to pay the costs of notifying, and providing credit monitoring and identity theft insurance for, the people whose personal information was accessed or stolen. “There’s an ongoing trend in the law to impose liability upon businesses that do not take reasonable precautions to protect against unauthorized access to people’s confidential personal information,” observes Egan. Although the definition of reasonable precautions is imprecise, and what is or is not reasonable will vary from case to case, the one thing universally agreed upon is that doing nothing does not qualify as a reasonable precaution. And it is not only other people’s data that is vulnerable to attack, but also each business’s own assets, including its bank accounts, confidential information and the electronically stored data that it needs to operate.
That’s why being proactive, and preparing well before an attack with the assistance of experienced counsel and technical experts, is the best course of action for all businesses. They should minimize the chances of an event by devising and implementing best technological and operating practices and policies. They should minimize the impact of an attack by purchasing cyber insurance policies. They should also create an “incident response plan” in conjunction with experienced lawyers and cyber technology consultants. Technology now touches every part of a business, so the process of building a plan cannot be isolated to one group or division of the company. It requires a holistic approach that brings together internal stakeholders and outside experts to assess risk, expose vulnerabilities, and develop a plan for response should an attack occur.
Law firms with expertise in cyber security encourage their clients to take a comprehensive approach, which should be tailored to the nature and features of each business, including its budget. A business should expect to undergo data security counseling, data security audits, and HIPAA counseling, and to prepare a data breach response. In anticipation of potential outcomes, firms will often consider strategies for data breach litigation, government investigation, changes in insurance coverage, and evaluation of international data privacy compliance. Not only are these fields complex — they are constantly evolving, requiring expert help for even the savviest business.
No business sees a cyber attack coming, and even after it has occurred, it may not be discovered for some time — but its impact can be expected to reverberate in perpetuity. That’s why every business must act as though it is vulnerable, and prepare. With the right counsel and planning, the worst effects of an attack can be minimized, and businesses can spare themselves the embarrassment of Facebook.