Resolving data breaches
Whether accidentally or as a result of an intentional intrusion into information systems, data breaches – although it is not just a phenomenon of the 21st century – are increasingly causing headaches for global business units. With the marketing of personal and corporate data, the legal, gray, and black information markets have seen the exponential rise of an industry whose primary function is to reactively manage, remediate, and mitigate data breaches. After a data breach, a company’s primary goal is to comply with the regulatory obligation to notify potentially affected individuals while limiting financial risk. This requires the review of many thousands – sometimes millions – of documents. For many companies, the data cleansing campaign ends when all required notifications have been sent. This complacency can have serious consequences; There are other significant business risks from a data breach that should be assessed. It is in a company’s best interest to use its expert resources to mitigate these risks in parallel with meeting legal requirements for remediation and notification.
To understand the business risks of a data breach beyond the cost of making corrections, organizations need to understand the current corporate cybercrime landscape. In August 2020, INTERPOL assessed the impact of COVID-19 on cybercrime-related incidents and found that attacks on individuals shifted dramatically and attacks on larger companies increased significantly. In a related press release, INTERPOL stated: “Because organizations and companies are rapidly deploying remote systems and networks to support employees who work from home, criminals are criminals. . . Use heightened security vulnerabilities to steal data, generate profit, and cause disruption. “ Sophisticated criminals and criminal organizations are masters at identifying changing cultural, political, and market conditions in order to seize opportunities that maximize illicit financial gains. The pandemic has created a wave of uncertainty and fear that has spread across the hierarchies of corporate organizations. The resulting instability in global economic conditions and the already worrying socio-political volatility have prepared institutions less than ever to cope with the sudden onslaught of online attacks by highly skilled hackers, who are often one step ahead of even the most protective IT security programs.
The fact that no matter the threat level, there is always a risk of data breach emerging is nothing new. Companies they have faced before are aware of the potentially enormous costs of remediation. Privacy lawyers are particularly knowledgeable about what a privacy breach means to their clients and the existence of aggressive regulations from multiple jurisdictions that dictate the nature and timeframe for notifying people whose Personal Information (PII) has been compromised. Regulators are often inflexible, and the speed at which companies have to fully implement a recovery and notification plan is often faster than one thinks is appropriate. Once a breach is detected, organizations are in triage mode to protect their reputations and reduce their financial exposure. At the same time, the affected servers are isolated in order to reduce the damage caused by an attack. This will increase the resilience of the cyber to prevent further attacks and will perform a review to remediate data breaches and send the necessary notifications to individuals.
However, the lost trust and financial damage came from more than just personal data theft. Businesses understand that it is their protected, confidential data that makes what they sell valuable. This information would be extremely valuable to competitors and, if stolen, could be embarrassed or sold for a profit. According to an IBM study from 2020, it takes an average of 200 days for a company to discover that a cyber attack has occurred. Until then, it can be nearly impossible to recover from the loss of corporate secrets. Uncovered competitive information such as prices or fees negotiated with other companies, marketing plans, and product development documents are just a few examples of the types of information that could float in cyberspace for months without a company knowing. Additionally, private internal or external email or chat conversations can be the source of embarrassment – or even regulatory interest – if they are made public.
Regardless of internal information, confidential data from other companies such as suppliers, partners, customers, etc. help ensure that companies remain profitable and function smoothly. Protecting these relationships is vital and can be easily compromised if one company has compromised another company’s information. Detecting breached sensitive business data as soon as an intrusion is detected is a first step in preventing an irreversible breakdown of business relationships. With certain exceptions – as is the case with law firms – regulations do not necessarily require that one company take action to mitigate the risks that may arise from the loss of information from another company. Legal obligations aren’t the only considerations, however. Business relationships are almost always governed by contracts between parties, which often include data security requirements, require cyber insurance, and – when properly written – have strong compensation language. Given this increased exposure, it is up to companies to proactively identify compromised business data and notify its owners.
When a company is in place with a comprehensive data breach screening plan that allows for personal data identification for remediation and notification, as well as identification of in-house and third-party data, it is in a much better position to limit financial risk the damage to reputation and the loss of critical relationships. To do this in the most effective and efficient way, it is important to have a data scrubbing review team with members who are not only able to thoroughly identify all types of personal information, as well as data subject contact information for legally mandated notifications, but critical information is also experienced in identifying critical business data and categorizing it in reports so that internal departments and external companies can be specifically informed of data that may have been compromised. The tight deadlines for completing the PII correction and notification does not mean that business data should not be considered. Data correction review teams can review documents for PII and business information at the same time if they have the training and experience to know what to identify. A single review with this dual purpose enables organizations to accomplish what might otherwise be overlooked or delayed with minimal additional time and expense.
 “The INTERPOL report shows an alarming rate of cyber attacks during COVID-19”, August 4, 2020, available at: https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report -shows- alarming rate of cyberattacks during COVID-19