Cyber Attacks: Prepare, Prepare, Prepare

A cyber attack is any incident in which sensitive, confidential information is stolen or used by unauthorized individuals.  Cyber breaches may involve the theft or unauthorized use of personal health information, financial information, trade secrets, or intellectual property.  The consequences of a successful attack may include embarrassment, bad press, loss of business, loss of huge amounts of money – whether by theft or through the payment of ransoms (“ransomware attacks”), civil penalties, and even criminal prosecution.

When a breach occurs, companies spend enormous amounts of money hiring forensic investigators to figure out what was breached, who did it, the type of information accessed, and the extent of the damage.  They spend even more money determining how the breach happened, and what steps are needed to defend against future attacks.  Finally, they are forced to pay monitoring firms for years to come in order to protect customers from any future damage, protect the company brand, and reestablish trust with current and potential clients.

It is essential that corporate executives and owners make cyber security a priority in both planning and budgeting. While responding to a breach is expensive, the true cost to the company cannot be measured in dollars and cents. Tech-savvy customers want to know that their personal and/or financial information is safe from the rest of the world.

To instill confidence in potential customers (and avoid paying the costs associated with cleaning up a cyber spill), companies need to have a gameplan in place before a breach ever occurs.  The establishment of incident response teams is a vital first step.  The team should be made up of individuals that are team-oriented, detail-focused, and capable of sticking to the gameplan when stress levels rise.  These carefully-selected individuals must understand the importance of their roles and devote themselves to constant learning as cyber security issues evolve. Companies might also consider employing full-time services from outside providers.  In the end, it will be much more expensive to respond to a successful breach than to avoid one in the first place.

Welcome to the Blog!

Welcome to the blog for the Data Privacy and Breach practice group of Copeland, Stair, Kingma & Lovell!  Our experienced attorneys handle data breach responses, coverage issues, and risk management consulting for companies of all sizes.

In our first installment of the blog, we are reporting on legal developments arising out of a massive data breach involving health insurer Anthem. Multiple lawsuits were filed alleging putative class action claims against Anthem.  The multi-district litigation was consolidated and transferred to the Northern District of California. On Sunday evening, Judge Lucy Koh entered an order dismissing several claims brought under various state and federal laws, including common-law negligence claims.  Notably, Judge Koh ruled that Indiana does not recognize a private right of action for negligence arising in a data breach situation.  In addition, Judge Koh conditionally dismissed a claim based on Georgia’s Insurance Information and Privacy Protection Act (O.C.G.A. §33-39-14) with leave to replead the claim.

The order is significant because it continues the trend of rejecting attempts to turn data breaches into damages claims. While data privacy and protection is a heavily regulated part of doing business, most claimants have not been able to develop theories of liability that enable them to collect tort damages in breach cases.

The case is In Re Anthem Inc. Data Breach Litigation, U.S. District Court, Northern District of  California, No. 5:15-MD-02617.