Legal Considerations of a Breach

I am a big adherent of Gibbs’s Rule 13, “Never, ever involve lawyers.”  Unfortunately, if your business suffers a data breach, Rule 13 goes out the window.  You will be sued.  Count on it.

But here are some things that you should do to protect yourself and your business from the worst legal repercussions:

  • Have a plan – If you have a response plan prepared before your first breach occurs, this will help you act quickly to avert the worst of the damage, and will help you show that you have performed your due diligence.
  • Train – Your staff needs to understand what the risks are, how to be alert for them, and what to do when the inevitable happens.
  • Email – The single biggest threat to your network integrity is the phishing or spearphishing email.  Teaching good email practices is key to your success.  Have a procedure for employees to follow if they get a suspicious email, and for what to do after they click on the link or open the attachment.  The last thing you want is for them to hide the mistake, so make it easy for them to report incidents to you.
  • Go public – Since the best defense may be a good offense, plan to blow the whistle on yourself.  You need to tell your stakeholders about the breach yourself.  Waiting for the media to break the story will just make you look your worst.  Be direct with those who were affected by the data loss, and help them understand their exposure and your plans for remediation.
  • Big things first – The first thing to do is stop the damage from expanding.  Take the compromised system offline, preserve it for forensic examination, and report the breach to the police and to the FBI’s Internet Crime Complaint Center.
  • Play it straight – This may drive your attorney crazy, but being open and honest about the situation will prevent you from looking like part of the problem.  Tell people what you plan to do about it, then do it.
  • Document it – Keep meticulous records of everything you do, everything you try, what you say, and who you say it to.  Later on, during the trial, these records will pay big dividends by showing that you were on top of the situation and did your best to remediate it.
  • Compliance – If you are regulated under PCI-DSS, HIPAA, GLBA, or similar regulations and standards, make sure you follow their requirements during your emergency; most of them carry notification deadlines and record-keeping obligations that still apply while you are responding.

Solid preparation, written cybersecurity policies, and an incident response plan will be your best investment, both to help you prevent a breach from happening and to recover successfully from one that does happen.  This is not something you want to put off another year.  By then it may be a moot point.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
