Cyberattacks are on the rise, and the number of reported attacks increases each year. In this environment, businesses must know when a cyberattack should be reported and to whom.
What is the impact?
Businesses that experience cyberattacks face much more than financial losses. Reputational harm and potential legal liability also lurk behind every cyber incident.
While theft of sensitive personal information, such as social security numbers or bank accounts, is one of the most common attacks, businesses should also be prepared to defend against less-publicized types of attacks, such as:
- Ransomware—an attack in which bad actors block access to computer systems or sensitive data until the victim pays a ransom amount.
- Funds Transfer Fraud—a form of wire transfer fraud in which bad actors imitate a business or vendor in order to fraudulently intercept and/or misdirect funds paid to that business or vendor.
- Intellectual Property theft—new and developing technologies, including sensitive or highly regulated technologies, are increasingly targeted by cybercriminals for either sale on the black market or to leverage ransom demands.
How long to report a data breach?
The clock starts ticking as soon as unauthorized parties gain access to a business’s data or confidential information, and in the digital age, businesses should be prepared to report and respond to cyber incidents.
Cyberattack response plans are highly individualized depending on the circumstances of the attack, the type and volume of data stolen, restoration needs, and whether any compliance issues are at stake. But one thing all cyber incidents have in common is the three parties, listed here, who should be informed of the incident immediately.
- Cybersecurity and data privacy attorneys
- Clients and customers
- Insurance carriers
Cybersecurity and data privacy attorneys
Businesses should inform their attorneys of any cyberattacks immediately. Cybersecurity and data privacy attorneys can act swiftly, efficiently, and effectively to help contain threats to operational continuity and optimize incident response, allowing teams to focus on keeping the business moving forward.
Clients and customers
Every state requires that businesses inform customers of data breaches that involve personal information. While every situation is unique, it is important to immediately notify all clients and customers whose data may have been compromised, even if the full scope of the attack is not yet known. Transparency can help companies maintain customer relationships, avoid negative press, and minimize litigation risk.
When a cybersecurity incident occurs, time is of the essence. Cyber insurance carriers can help companies mitigate financial losses after an attack. The sooner the insurance carrier is made aware, the faster they can process claims and help companies assess their coverage and navigate costs—such as provisional credit monitoring services for impacted clients, lost revenue when an incident compromises operations, ransom payments, and privacy investigations or lawsuits.
How to start a claim for a confirmed breach
Cyber insurance can help reduce or alleviate financial losses after a cyber incident. Businesses should work with their cyber insurance broker and cybersecurity counsel to report incidents to their insurance carrier as soon as possible.
Submitting a cyber insurance claim
To initiate a cyber insurance claim, businesses must provide certain information about the incident, including the type and time of attack, the scope of damage, and evidence confirming the attack, such as a screenshot of a ransom demand. The insurance carrier will then review the information provided to determine whether and what type of coverage should be provided.
Reporting and documentation
Providing additional evidence of a cyber incident can improve the outcomes of an insurance claim. Businesses should preserve and record as much information and evidence as possible, including, but not limited to:
- Detailed information about the incident and its potential for damage;
- Evidence that the incident occurred, such as screenshots, data logs, and other digital evidence;
- Records of costs incurred following the incident, including investigation costs, data recovery, and system restoration; and
- Digital forensic reports or security audit findings.
It is important for businesses to maintain open communication with their insurance carrier and adhere to any deadlines required throughout the claims process.
When should a business engage with law enforcement and regulatory authorities after a cyberattack?
Cyberattacks can uncover potential data privacy compliance issues. While cooperating with regulators and law enforcement agencies may help businesses reduce the risk of harsh penalties, determining whether and when to report a cyberattack to the applicable authorities will be a difficult and complex decision and should not be taken lightly. Businesses should consult with experienced cybersecurity counsel to evaluate and avoid unsuspected pitfalls.
Cybersecurity lawyers can help businesses evaluate the scope of the threat, ensure compliance with notification regulations and laws, and serve as a liaison between the business and any applicable state, federal, or international law enforcement agencies on matters involving cyberattacks.
What is the average settlement in a privacy dispute?
As privacy lawsuits are on the rise, so are settlement amounts. Costs incurred during operational recovery and mitigation efforts can be tremendous, even without factoring in damages sought through litigation. Settling lawsuits early may help businesses constrain costs after a cyberattack.
Settlement amounts vary widely, and factors influencing settlement costs include the number of impacted individuals and the type of data compromised (for example, financial or healthcare data).
Cyberattacks on the healthcare industry that target personal health information tend to lead to the highest settlement costs, whereas exposure may be lower for industries that collect less sensitive data.
Nixon Peabody cybersecurity attorneys can help you
We help businesses of all sizes protect and defend their data security. When an incident occurs, our cross-functional response team, which includes Certified Information Privacy Professionals (CIPP/US), is prepared to act immediately and guide clients through each step of a breach response, including mitigation strategy, dispute resolution, and enforcement actions.