How to Prepare for Cybersecurity Incidents and Enforcement Actions

October 05, 2020

As financial damages caused by cyberattacks continue to rise, many companies are looking for ways to both prepare for potential risk and respond to an actual incident. Proactive companies aim to understand the cyber landscape and risks and key elements in incident response, as well as anticipate and mitigate potential litigation and regulatory investigations and review.

Here we provide a key overview of the current state of cyberincidents, best practices for incident response, and insight into the expectations of regulatory bodies.

  • The average total cost of a data breach in the United States has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130% increase over 14 years. For the healthcare industry alone, the average cost of a data breach is 65% higher than the average. And smaller organizations had higher costs relative to their size than larger organizations.
  • Malicious attacks were the costliest, with a per-record cost that was 25% higher than breaches caused by human error or system glitches. Malicious attacks have increased as a share of breaches, up 21% between 2014 and 2019 studies.
  • Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive manage and board of directors. An internal framework for satisfying governance requirements, evaluating risk across the enterprise, and tracking compliance with governance requirements can help improve an organization’s ability to detect and escalate a breach.
  • To help mitigate the costs of a potential data breach, form an incident response team and test the incident response plan. Organizations can help strengthen their ability to respond quickly to contain the fallout from a breach by establishing a detailed cyberincident playbook and routinely testing that plan through tabletop exercises or by running through a breach scenario in a simulated environment such as a cyberrange. This can also include creating an effective public relations plan to address any reputational damage and effectively communicate with customers. This can also help address regulatory enforcement issues.
  • From the outset, the Federal Trade Commission (FTC) has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses. For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors. Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data. 

If you're in Data Privacy and Protection Boot Camp, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas that may be of interest to you.