Legal Considerations of a Breach

I am a big adherent of Gibbs' Rule 13, "Never, ever involve lawyers." Unfortunately, if your business suffers a data breach, Rule 13 goes out the window. You will be sued. Count on it.

But here are some things that you should do to protect yourself and your business from the worst legal repercussions:

  • Have a plan – If you have a response plan prepared before your first breach occurs, this will help you act quickly to avert the worst of the damage, and will help you show that you have performed your due diligence.
  • Train – Your staff needs to understand what the risks are, how to stay alert for them, and what to do when the inevitable happens.
  • Email – The single biggest threat to your network integrity is the phishing or spearphishing email. Teaching good email practices is key to your success. Have a procedure for employees to follow if they get a suspicious email, and for what to do after they click on the link or open the attachment. The last thing you want is for them to hide the mistake, so make it easy for them to report incidents to you.
  • Go public – Since the best defense may be a good offense, plan to blow the whistle on yourself. You need to tell your stakeholders about the breach yourself. Waiting for the media to break the story will only make you look your worst. Be direct with those who were affected by the data loss, and help them understand their exposure and your plans for remediation.
  • Big things first – The first thing to do is stop the damage from expanding. Take the compromised system offline, preserve it for forensic examination, and report the breach to the police and the FBI's Internet Crime Complaint Center.
  • Play it straight – This may drive your attorney crazy, but being open and honest about the situation will prevent you from looking like part of the problem.  Tell people what you plan to do about it, then do it.
  • Document it – Keep meticulous records of everything you do, everything you try, what you say, and who you say it to.  Later on, during the trial, these records will pay big dividends by showing that you were on top of the situation and did your best to remediate it.
  • Compliance – If you are regulated under PCI-DSS, HIPAA, GLBA, or other laws, make sure you follow the regulations during your emergency.

Solid preparation, written cybersecurity policies, and an incident response plan will be your best investment to help you prevent a breach from happening, or recover successfully from one that does happen. This is not something you want to put off another year. By then it may be a moot point.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
