Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. When should a cyberattack be reported?

      Articles

    Article

    When should a cyberattack be reported?

    Sep 1, 2023

    LinkedInX (Twitter)EmailCopy URL

    Understand the crucial timing for reporting cyberattacks with guidance from our experienced team of lawyers. Learn more to stay protected and informed.

    Cyberattacks are on the rise, and the number of reported attacks increases each year. In this environment, businesses must know when a cyberattack should be reported and to whom.

    What is the impact?

    Businesses that experience cyberattacks face much more than financial losses. Reputational harm and potential legal liability also lurk behind every cyber incident.

    While theft of sensitive personal information, such as social security numbers or bank accounts, is one of the most common attacks, businesses should also be prepared to defend against less-publicized types of attacks, such as:

    • Ransomware—an attack in which bad actors block access to computer systems or sensitive data until the victim pays a ransom amount.
    • Funds Transfer Fraud—a form of wire transfer fraud in which bad actors imitate a business or vendor in order to fraudulently intercept and/or misdirect funds paid to that business or vendor.
    • Intellectual Property theft—new and developing technologies, including sensitive or highly regulated technologies, are increasingly targeted by cybercriminals for either sale on the black market or to leverage ransom demands.

    How long to report a data breach?

    The clock starts ticking as soon as unauthorized parties gain access to a business’s data or confidential information, and in the digital age, businesses should be prepared to report and respond to cyber incidents.

    Cyberattack response plans are highly individualized depending on the circumstances of the attack, the type and volume of data stolen, restoration needs, and whether any compliance issues are at stake. But one thing all cyber incidents have in common is the three parties, listed here, who should be informed of the incident immediately.

    • Cybersecurity and data privacy attorneys
    • Clients and customers
    • Insurance carriers

    Cybersecurity and data privacy attorneys

    Businesses should inform their attorneys of any cyberattacks immediately. Cybersecurity and data privacy attorneys can act swiftly, efficiently, and effectively to help contain threats to operational continuity and optimize incident response, allowing teams to focus on keeping the business moving forward.

    Clients and customers

    Every state requires that businesses inform customers of data breaches that involve personal information. While every situation is unique, it is important to immediately notify all clients and customers whose data may have been compromised, even if the full scope of the attack is not yet known. Transparency can help companies maintain customer relationships, avoid negative press, and minimize litigation risk.

    Insurance carriers

    When a cybersecurity incident occurs, time is of the essence. Cyber insurance carriers can help companies mitigate financial losses after an attack. The sooner the insurance carrier is made aware, the faster they can process claims and help companies assess their coverage and navigate costs—such as provisional credit monitoring services for impacted clients, lost revenue when an incident compromises operations, ransom payments, and privacy investigations or lawsuits.

    How to start a claim for a confirmed breach

    Cyber insurance can help reduce or alleviate financial losses after a cyber incident. Businesses should work with their cyber insurance broker and cybersecurity counsel to report incidents to their insurance carrier as soon as possible.

    Submitting a cyber insurance claim

    To initiate a cyber insurance claim, businesses must provide certain information about the incident, including the type and time of attack, the scope of damage, and evidence confirming the attack, such as a screenshot of a ransom demand. The insurance carrier will then review the information provided to determine whether and what type of coverage should be provided.

    Reporting and documentation

    Providing additional evidence of a cyber incident can improve the outcomes of an insurance claim. Businesses should preserve and record as much information and evidence as possible, including, but not limited to:

    • Detailed information about the incident and its potential for damage;
    • Evidence that the incident occurred, such as screenshots, data logs, and other digital evidence;
    • Records of costs incurred following the incident, including investigation costs, data recovery, and system restoration; and
    • Digital forensic reports or security audit findings.

    It is important for businesses to maintain open communication with their insurance carrier and adhere to any deadlines required throughout the claims process.

    When should a business engage with law enforcement and regulatory authorities after a cyberattack?

    Cyberattacks can uncover potential data privacy compliance issues. While cooperating with regulators and law enforcement agencies may help businesses reduce the risk of harsh penalties, determining whether and when to report a cyberattack to the applicable authorities will be a difficult and complex decision and should not be taken lightly. Businesses should consult with experienced cybersecurity counsel to evaluate and avoid unsuspected pitfalls.

    Cybersecurity lawyers can help businesses evaluate the scope of the threat, ensure compliance with notification regulations and laws, and serve as a liaison between the business and any applicable state, federal, or international law enforcement agencies on matters involving cyberattacks.

    What is the average settlement in a privacy dispute?

    As privacy lawsuits are on the rise, so are settlement amounts. Costs incurred during operational recovery and mitigation efforts can be tremendous, even without factoring in damages sought through litigation. Settling lawsuits early may help businesses constrain costs after a cyberattack.

    Settlement amounts vary widely, and factors influencing settlement costs include the number of impacted individuals and the type of data compromised (for example, financial or healthcare data).

    Cyberattacks on the healthcare industry that target personal health information tend to lead to the highest settlement costs, whereas exposure may be lower for industries that collect less sensitive data.

    Nixon Peabody cybersecurity attorneys can help you

    We help businesses of all sizes protect and defend their data security. When an incident occurs, our cross-functional response team, which includes Certified Information Privacy Professionals (CIPP/US), is prepared to act immediately and guide clients through each step of a breach response, including mitigation strategy, dispute resolution, and enforcement actions.

     

    Practices

    Cybersecurity & PrivacyTCPA & Consumer PrivacyHealth Information - Privacy, Security & Data Sharing

    Insights And Happenings

    • Video

      Cybersecurity in the EU beyond the GDPR

      Cybersecurity & Privacy
      Dec 29, 2023
    • Video

      Intimate privacy in the digital age

      Cybersecurity & Privacy
      Dec 5, 2023
    • Video

      Data Protection Laws in Mexico

      Cybersecurity & Privacy
      Nov 6, 2023
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved