Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

SecurityWeek noted that this represented a significant trend, as 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents reported to impacted users.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are fed up with data breaches and the time and expense needed to address them. As a result, the days of providing free credit monitoring for a year or two are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurance companies have also begun to push back against claims for business disruptions caused by cyber security incidents. Taking advantage of stronger state and Federal regulations, insurers who offer cyber security liability and recovery policies may require business owners to certify data protection measures for vendors and third parties. If those organizations experience a cyber attack, insurers may sue to recover their costs.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

In the event of a lawsuit, businesses must disclose all aspects of their cyber security, including methods used to protect data, attack response and recovery plans and employee training and protocols. Businesses that have strong cyber security measures will be less likely to face lawsuits, while businesses?with weak security measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler’s report, 39% of cyber attacks were due to human factors, including phishing, social engineering or employee abuse of access. Collectively, this made up the greatest percentage of attack causes; while the root cause was unknown in 26% of attacks, phishing ranked second overall at 25% of attacks.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them.