What happens after a data breach? Legal ramifications and beyond

Despite advances in security and technology, data breach threats loom large over today’s organizations. In some of the biggest tech disaster stories of the past year, the ancestry company 23andMe saw hackers breach more than 6 million customer accounts while the file transfer company MOVEit had what Security Intelligence calls, “the most devastating exploitation of a zero-day vulnerability ever.”

Data breaches impact organizations of all sizes and across all industries, from small businesses to global enterprises, from local governments to large-scale non-profits. The consequences of a data breach are particularly serious for organizations in the healthcare, finance, and public sectors.

Beyond the immediate fallout, numerous legal and business issues arise in the aftermath of a data breach, ranging from lawsuits to regulatory fines. These legal ramifications can be far-reaching and severe, often leading to significant financial damages and even jail time for some executives. Likewise, the business impacts of a data breach can be devastating, affecting everything from customer trust to operational continuity. Understanding these consequences is paramount for organizations striving to make a strong business case for increased data and IT security.

What defines a data breach?

Global variations on the exact definition of a data breach can cause some confusion as to what determines a breach, but it is widely accepted that a data breach happens when unauthorized parties gain access to sensitive information and data confidentiality is compromised. Personal and corporate data can both be affected by breaches.

Encryption is considered a safe harbor for organizations. Across the globe, laws differentiate encrypted data from unencrypted data and indicate that encrypted data can’t be breached.

A note about cyberattacks: Not all cyberattacks are data breaches, according to the IBM Cost of a Data Breach 2023 report. Though the two terms have been used interchangeably in the past, a data breach refers only to cyberattacks where data confidentiality has been compromised.

Legal ramifications of a data breach in the US: State and federal notification laws

Most US states have notification breach laws requiring organizations to notify individuals affected by a data breach immediately and accurately. A well-known example is the pioneering California data breach notification law that requires businesses that own or license digital Personal Identifiable Information (PII) to give notice to its residents of any data breach that results in (or even has the potential to result in) the unauthorized acquisition of unencrypted personal information. The law says that notification must be made expediently and “without unreasonable delay.” Organizations that violate this law in the wake of a data breach face significant financial penalties.

In many states, fines can be assessed for each record breached, and many states specify that organizations outside the state holding the citizens’ data are also subject to these breach notification laws.

In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into US law, requiring organizations in certain sectors to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours. These organizations are also required to report ransom payments they have made within 24 hours of payment.

These strict notification laws mean organizations operating and/or serving customers in the US must act quickly and thoroughly in the wake of a data breach or else face even more serious and long-lasting consequences.

Related | Avoid a data breach - government ITAD must-dos

More legal consequences of a data breach

Legal regulation acts like GLBA and HIPAA target financial institutions, healthcare institutions, providers, insurers, individual healthcare practices, and similar entities that handle patient information. Legal fines, penalties, and in extreme circumstances, jail time, are some of the consequences of not protecting PII adequately.

Litigation presents a significant cost to an organization associated with a breach. Many associated lawsuits can end up as class-action lawsuits, potentially multiplying the total cost of the breach exponentially. Settlements can also be harsh: For large-scale breaches, settlements in the hundreds of millions of dollars are not out of the question.

The business impacts of a data breach

In 2023, the average global cost of a data breach was US$4.45 million, a 15% increase over three years. Recovery and remediation costs include expenses related to investigating the breach, implementing security improvements to prevent future incidents, and restoring systems and data integrity. An organization may have to hire cybersecurity experts, forensic investigators, and consultants.

Other unforeseen data breach costs can include offering credit monitoring or identity theft protection services to affected individuals to mitigate potential harm and reestablish trust. Organizations may see an increase in insurance premiums following a data breach, or they may need to invest in additional cybersecurity insurance coverage to mitigate future risks.

Beyond the potential for financial harm, data breaches tarnish an organization’s reputation and disrupt operations. Customers may hesitate to engage with a breached company, fearing their sensitive information is compromised. This leads to diminished loyalty and the potential loss of business. The operational disruptions that stem from a breach can paralyze an organization’s daily functions for an extended period, further aggravating financial losses and impeding the organization’s ability to recover swiftly.

Related | What are the consequences of a small business data breach?

Protecting your organization’s sensitive data

While organizations must prioritize the protection of sensitive data through robust cybersecurity, it’s equally important to acknowledge the reality that no system is entirely immune to data breaches. Being proactive in defending against cyberattacks is as important as being prepared in the event of one. There are a few common-sense practices that will greatly reduce the possibility of a breach.

• Always encrypt sensitive PII.
• Never let sensitive data be downloaded to portable devices, thumb drives, etc.
• Employ strict and clear access controls for employees and vendors that may have access to the data.
• Do not allow employees to use their non-work-issued smartphones or tablets to conduct business.
• Incorporate robust asset lifecycle management practices, and always securely dispose of retired or unused IT assets.

Your organization’s culture of data and IT security serves as the first line of defense against potential breaches. By combining proactive and preparedness strategies, organizations can better safeguard themselves against the legal, financial, and reputational damage wrought by data breaches.

Related | Information transformation: Your best defense against a data breach

Data and IT security at Iron Mountain

Iron Mountain provides sustainably designed solutions designed to mitigate your risk of cyberattacks by enabling continuity of service, securely destroying all media and IT assets, and providing expert advice related to compliant lifecycle management for data, records, and physical assets.

To learn more about securely and compliantly managing and protecting your records and data, as well as the IT assets and devices used to create, receive, and store information from deployment and active use to retirement and disposition, visit www.ironmountain.com/resources/landing-pages/d/data-and-it-security.