How to Prepare for Cybersecurity Incidents and Enforcement Actions

Morgan Lewis

As the financial damage caused by cyberattacks continues to rise, many companies are looking for ways both to prepare for potential risk and to respond to an actual incident. Proactive companies aim to understand the cyber threat landscape and the key elements of incident response, and to anticipate and mitigate potential litigation and regulatory investigations.

Here we provide an overview of the current state of cyberincidents, best practices for incident response, and the expectations of regulators.

  • The average total cost of a data breach in the United States has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130% increase over 14 years. For the healthcare industry alone, the average cost of a data breach is 65% higher than the average. And smaller organizations had higher costs relative to their size than larger organizations.
  • Malicious attacks were the costliest, with a per-record cost 25% higher than breaches caused by human error or system glitches. Malicious attacks have also increased as a share of all breaches, up 21% between the 2014 and 2019 studies.
  • Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and the board of directors. An internal framework for satisfying governance requirements, evaluating risk across the enterprise, and tracking compliance with those requirements can improve an organization’s ability to detect and escalate a breach.
  • To help mitigate the costs of a potential data breach, form an incident response team and test the incident response plan. Organizations can strengthen their ability to respond quickly and contain the fallout from a breach by establishing a detailed cyberincident playbook and routinely testing it, whether through tabletop exercises or by running a breach scenario in a simulated environment such as a cyberrange. The plan should also include a public relations component to address reputational damage and communicate effectively with customers. A documented and tested plan can likewise help the organization respond to regulatory enforcement inquiries.
  • From the outset, the Federal Trade Commission (FTC) has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses. For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors. Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data.

This presentation was originally part of the Data Privacy and Protection Boot Camp. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
