Here we go again. A prominent company suffers a data breach. The company publicly alerts its customers. The company almost immediately finds itself the subject of inquiries from Congress and the target of investigations by regulators. Before long, class action lawyers will crank out complaints as if they’re Mad Libs, filling in the name of the company and then running to the courthouse. Throughout, the company — the victim of the breach — is treated as if it is guilty until proven innocent, or “negligent until proven reasonable.” The company faces massive costs and other financial burdens, as well as reputational damage that could last years.
Sound familiar? That’s because you’ve seen this movie before. But this time it’s not about Target, or Neiman Marcus, or Michael’s, or any of the other prominent companies that have experienced this “blame the victim” culture over the past year. This time it’s about eBay, which announced a breach last week affecting one of its databases and asked its 145 million users to change their passwords. eBay has already started getting letters from the Hill, is reportedly already under investigation by multiple state Attorneys General, and is already being attacked in the media. You can be sure that the FTC and the class action lawyers are next. It’s like a bad ripoff of the movie “Groundhog Day.”
We’ll probably see even more calls on the Hill for stronger enforcement powers for the already-emboldened FTC and harsher penalties against companies for failing to report breaches. We’ll see more calls for a national data breach notification standard which, despite being good for companies and consumers alike, can’t seem to get through Congress. We’ll see more public comments by lawmakers suggesting that the breach was somehow the result of a failing by eBay, instead of being the work of sophisticated hackers, even while an investigation of the incident is still ongoing. And we’ll probably see SEC and shareholder scrutiny of the company’s prior cybersecurity disclosures, as well as questions about what executives and the Board knew or should have known about the risks.
A company doesn’t have to be the size of Target or eBay to experience this “Groundhog Day”-like vicious cycle. Your company may have fewer customers, but that doesn’t make the cycle any less vicious for you.
What You Can Do
Companies do have a way to fight back — and that’s to be proactive. Doing a privacy and security assessment in advance of an incident — overseen by counsel, and protected by the privilege — will help in two ways.
First, it will help reduce your risk of a breach by addressing potentially unanticipated vulnerabilities (such as those arising from vendors and other third parties).
Second, because you can’t eliminate the risk entirely, it will put you in the best possible position to successfully defend yourself against the litigation and regulatory investigations that are sure to follow any breach that does occur. Doing this kind of assessment in advance — with the help of outside counsel and forensics experts — will make it a lot harder for anyone — Congress, regulators, or the courts — to find that you were anything but reasonable.
And the best news of all is that it’s inexpensive — especially when compared to the alternative. An ounce of prevention is a lot cheaper than a pound of cure.