Mitigating Liability from a Cyber Breach

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Business Review
June 17, 2024

All businesses – in all industries and of all sizes – are targets for cyber criminals. Thus, implementing measures to reduce the risk of a breach is the best technique to avoid it. However, since highly sophisticated cyber attacks are unavoidable, cybersecurity safeguards are equally critical to limit the scope of a successful breach, if or (more likely) when one occurs.

While some businesses are mature with respect to cybersecurity safeguards or have already experienced a breach, others lack such a foundation. In either event, after a breach has occurred, the following techniques will help a business reduce its liability.

Act Immediately. Hours matter. After a breach occurs, it is imperative to determine, as rapidly as possible, how the breach occurred, the scope of the information that may have been compromised, and the individuals potentially affected.

While cyber security attorneys and experienced businesses know that assessing a breach and recovering from it can take weeks or even longer, the individuals whose information was compromised do not understand such a delay. The most common complaint from such individuals – and the most prominent allegation in class action lawsuits arising out of cyber breaches – is that the company failed to timely notify individuals.

Businesses victimized by breach can readily avoid that problem by promptly notifying individuals. Even if a business does not yet know all of the facts needed for formal notification, informal notification can mollify individuals and reduce allegations of delayed notification.

As a rule of thumb, businesses that experience a breach should notify affected individuals (either informally or formally) within three to six weeks after learning of the breach. While such a deadline may not be required by state or federal law, prompt notification significantly reduces liability based on the belief or allegation that the business failed to notify promptly.

Be Sympathetic. Individuals affected by a breach are scared and angry, looking for information and affirmation. All of us have had to deal with customer ‘service’ representatives that deliver ‘disservice’ and non-information. Don’t fall into that trap.

Businesses impacted by breach increasingly handle their own call centers, or cannot avoid such calls given their close relationships with customers. When doing so, honest sympathy is golden. Acknowledge the fear, anger, and concern. Provide real information. Convert a potential problem into an opportunity to solidify your relationship with customers.

Offer Protective Services. The best – indeed, the very best – strategy to reduce or eliminate liability after a breach is to offer all affected individuals credit and identity monitoring and restoration services. When individuals enroll, such services monitor their credit accounts as well as the Internet and the dark web to determine whether their credit or identity is being misused. Equally important, if that occurs, such providers have representatives available to address those issues and restore the individual’s credit or identity.

Some insurance carriers only provide credit or identity monitoring without providing any restoration services, or they only offer such services if the breach involved limited categories of personally identifiable information. Individuals affected by breach neither understand nor place much value on such technicality.

Businesses that experience breach should consider offering full credit and identity monitoring and restoration to all individuals if any sensitive information was compromised. Doing so is the best method to mitigate costs incurred by those individuals, and the best defense if the individuals fail to enroll in such services and later seek to recover costs associated with a cyber incident. Moreover, even if an insurer refuses to provide those services for some or all individuals, the costs to the business of doing so are marginal compared to the costs of resolving a lawsuit arising out of a breach in which those services were not offered.

Consider Ransom. Many businesses eschew ransom demands because they are able to restore their systems without paying ransom. Thus, sophisticated hackers now abscond with information before encrypting a company’s system, in order to demand ransom in return for a promise not to sell such information on the dark web. Worse yet, if the business does not pay the ransom, some hackers notify the affected individuals about the breach, and demand that the individuals pay ransom to avoid disclosure of their information.

As a result, businesses victimized by ransomware should consider whether to pay ransom to protect information from disclosure. When doing so, they must involve appropriate law enforcement, in order to determine whether the hackers can be relied on to comply with their promise not to disclose the information if ransom is paid, and to ensure that any ransom payment complies with federal regulations concerning prohibited financial transactions.

Fix Problems. A breach of any significance is likely to attract scrutiny from regulators, particularly if it involves sensitive information (e.g., health or financial information) or information about a sensitive class of individuals (e.g., children or the elderly). While businesses affected by breach cannot alter their pre-incident level of compliance, they can implement appropriate steps to comply with applicable law thereafter. When doing so, businesses should ensure that such endeavors are protected by attorney-client privilege, so that any disclosure of such subsequent remedial measures is done strategically.

Businesses that have experienced breach know how critical it is to implement reasonable measures beforehand to avoid or minimize the scope and impact of such incidents. However, for businesses that have not done so, there are techniques that can reduce or eliminate liability. While no business wants to experience breach, no breach should be a company-ending event, as long as the appropriate techniques are implemented to protect the company.