Data Breaches: When the Lawyers Get Involved

Posted by Tom Bain on April 3, 2013 at 3:30 PM

We all know that the data breaches businesses encounter can get extremely complex. State laws start to take hold around breach disclosure, expensive forensics specialists are needed to reconstruct how the attack and/or the mishandling of sensitive information occurred... and now, the lawyers are jumping into the fray.

Data breaches have become big business for many law firms. Some might see it as ambulance chasing. And while it might cost breached companies a pretty penny to hire a large law firm to represent them, those costs could pale in comparison to what they might have to pay in fines and customer lawsuits if they don’t have solid representation.

An interesting article in Monday’s Wall Street Journal described the newfound opportunities for the legal industry, as firms position their cybersecurity know-how to attract new clients.

But it’s not just a cash grab by the lawyers – the article described how companies are starting to loop their attorneys in at the first hint of a data breach. This way, attorney-client privilege kicks in immediately, and the company can pre-empt a potential influx of lawsuits by taking a few simple steps:

  1. Once you have hired a law firm with expertise in data breaches, the law firm hires the forensics investigators. This way, the investigators are beholden to the law firm and cannot, by law, report anything they find as they trace the path of the breach through the company’s systems.
  2. The law firm helps navigate the myriad state data breach disclosure laws, of which there are now 27. This ensures the company discloses only what it is legally required to, to the public, regulatory bodies and customers.
  3. It protects the breached company from being subjected to multiple lawsuits, which can happen when no counsel oversees the investigation. As an example, if a governing body appoints the forensics company to investigate post-breach and the breached organization isn’t represented, nothing restricts that intelligence from hitting the open market, being reported on and being analyzed as an example of what not to do. When this happens, and customers, partners and suppliers know exactly how careless the company may have been, the company risks a major hit to its image and its wallet, not to mention the consequences if auditors find it in non-compliance with baseline protections for sensitive data.

In a litigious society, it is imperative that companies protect themselves. That said, it’s also important to remember to employ at least a baseline level of security protections – whether in accordance with the PCI DSS standard or other requirements such as BITS in the financial services industry.

Adhering to these, and to best-practice models like the OWASP Top 10, along with ensuring you have legal representation, can drastically reduce the risk level in the event of a data breach.
