Data breaches are one of the three top cybercrime threats that businesses need to know about; the others are email-based theft and ransomware.
Businesses that plan and prepare can prevent the crime. This means applying good management practices to cybersecurity and technology, and devoting reasonable resources to improve cyber defenses.
A data breach is, essentially, an unauthorized attacker gaining access to data or information that should remain confidential. It is the virtual equivalent of trespass and burglary: the attacker is in a place without permission and takes information they have no right to see.
The data they unlawfully access might be confidential, sensitive or proprietary. It could be the personal information of others, such as names, email addresses, birthdates, Social Security numbers and the like. The systems they break into could include email accounts, networks or stored data, wherever it resides.
There are a variety of methods cybercriminals use to commit a data breach and often a thorough investigation is needed to determine the facts and figure out what happened. As facts are gathered, legal and regulatory requirements need to be considered. Depending upon the events and what data the attacker accessed or stole, the victim organization may have a legal duty to report the data breach to customers, clients and government entities.
This means organizations should evaluate the civil laws and regulations that apply to them. Every state, including New York and Connecticut, has its own data breach reporting statute, and many states, ours included, also impose cybersecurity requirements. Regulated sectors such as financial services and health care face additional, stricter rules.
Breach reporting laws require organizations to conduct a reasonable investigation to establish accurate facts. Regulators disfavor the “head-in-the-sand” approach, and their enforcement actions prove it. A proper investigation also helps organizations improve their cybersecurity for the future. I have discussed legal requirements more broadly in a prior article.
Data breaches are acts that violate state and federal criminal laws. Some of these laws are specific to cybercrime, such as the federal Computer Fraud and Abuse Act or analogous state laws. Looking to the bigger picture, cybercriminals commit the breach and steal data because it has value, and use this data to commit follow-on crimes.
Cybercrime conduct is mostly about greed and theft, and thus involves the commission of many traditional criminal offenses such as larceny, identity theft and money laundering. Unfortunately, effective criminal investigation, apprehension and prosecution are too rare, and we need to improve our cybercrime investigation capabilities at all levels of government (that's why I wrote a book on the topic).
By now you realize that suffering a data breach would be expensive and not much fun. After a data breach, organizations can expect that their cybersecurity program will be subject to greater scrutiny by government, customers, potential plaintiffs and insurers.
A sound cybersecurity program protects the organization and improves how efficiently it uses its information assets. Businesses can protect themselves and their customers with good cybersecurity and prevent a data breach from ever occurring in the first place. Sometimes even well-prepared organizations suffer a data breach, but they will be able to rebut allegations that their cybersecurity violated laws and regulations or was negligent. Organizations should consider my framework, Bandler's Four Pillars of Cybersecurity, as an excellent starting point that is understandable to all, no matter their level of technical knowledge.
Businesses should continually improve their cybersecurity plan to protect the organization, safeguard customer and employee data and comply with legal standards. Preventing a serious cybercrime is the greatest reward, but organizations will also see the results of their improved compliance and efficiency.