Friday, September 29, 2023

Hit By A Security Breach? 4 Legal Repercussions That Could Happen TO YOU!!!

The one thing that most businesses do not want to experience is a security breach, and especially a large one.  But there is no doubting the fact that any of us can become a victim of one; the key is learning how to reduce the likelihood of it happening and to limit the damage when it does.

But it is not just the technical recovery that you need to worry about.  Given today's litigious society, there is a whole host of legal obligations that you need to be aware of, and comply with, after a breach.

Here are the top four you need to know about:

1)     Your Cyber insurance carrier:

You may have Cyber insurance through an established carrier, so you think that financially you are fully protected, right?  WRONG.  After you have been breached, one of the first things that you will want to do is file a claim and expect an immediate payout, just like with car insurance.  Unfortunately, it does not quite work that way.  Before you were issued the policy, you most likely filled out a questionnaire (an "attestation") stating that you have the required controls in place, such as Multifactor Authentication, tested offline backups, and endpoint detection.  After your claim is filed, it is highly likely that your insurance company will revisit that same questionnaire, and may even audit your IT/Network Infrastructure to confirm that those controls were actually in place and working at the time of the breach.  If this happens, answer all questions truthfully, and be ready to show evidence (for example, MFA enforcement settings, backup restore test records, and patching logs) that backs up what you attested to.  Any misrepresentation on your part, even an accidental one, could lead to a denied payout, and even rescission or termination of your Cyber insurance policy.  More information on this can be seen at the link below:

https://www.darkreading.com/risk/10-key-controls-to-show-your-organization-is-worthy-of-cyber-insurance

2)     The auditors will come out:

Regardless of the size of your company, and even more so if it is publicly traded, the chances are high that you will face a much harsher review by regulators than by your insurance carrier, and this one can come with serious financial penalties.  For example, under the GDPR, fines can reach 4% of your total annual worldwide turnover or €20 million, whichever is higher; under the CCPA, civil penalties can be as much as $7,500.00 for each intentional violation ($2,500.00 for each unintentional one), and consumers whose unencrypted personal data was exposed in a breach can also sue for statutory damages of $100.00 to $750.00 per consumer per incident.  Once again, you will want to be truthful about everything, but since this is far more serious than an audit by an insurance company, you will want to have your lawyer next to you.

3)     Wire transfers not going through:

In the case of a Ransomware attack, if you do decide to make a ransom payment (it is highly advised that you do not do this), you will most likely try to send it via a wire transfer or a cryptocurrency exchange.  But it is not as easy as that.  Given today's tighter financial regulations (KYC and anti-money-laundering screening), many financial institutions and exchanges will not move that money to a foreign or unknown recipient, and will flag the transaction.  To make things worse, the US Treasury Department's Office of Foreign Assets Control (OFAC) has issued an advisory warning that a ransom payment made to a sanctioned person or jurisdiction, including nation state threat actors on its sanctions lists, can be a violation of US sanctions law.  Those penalties are civil and are applied on a strict-liability basis, meaning you can be penalized even if you did not know who you were paying.  Also keep in mind that whether your insurance company will reimburse a ransom payment depends on the terms of your policy, and no carrier will cover a payment that violates sanctions.  More information about this can be seen at the link below:

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers

4)     Notifying impacted parties:

Remember, it is not just your company that is impacted, but your customers as well.  Therefore, you have a legal obligation to inform them if any of their confidential information or data was stolen.  The laws have become strict: all fifty US states now have breach notification laws, and under the GDPR you must notify the supervisory authority within 72 hours of becoming aware of a breach.  In many cases, you must provide written notification (USPS mail or email) to the affected individuals describing what happened.  Then, you need to offer a proper course of action, such as free credit reporting and monitoring services.  But even if you take all of these steps, you could still face a barrage of lawsuits, so be ready for that as well.

My Thoughts On This:

The best advice that I can give you here is to first conduct a comprehensive Risk Assessment, and from there make sure that you have all of the needed controls deployed, and that they are kept optimized and updated at all times.

Then if anything happens, and your business does indeed become the victim of a security breach, at least you will have done everything in your power, and will have the evidence to prove it.  That is all anybody can ask for.

Also, try to find a good lawyer with solid Cyber experience, especially when it comes to compliance and the data privacy laws.  They will truly become your best friend and advocate if you are hit.
