Partner Matthew Richardson and associate Morgan Jones co-authored an article for the New York Law Journal about the business challenges and costs associated with responding to a global data breach.
In the March 5 article, entitled “When Global Reach Can Mean Global Breach,” the authors noted that, in order for the incident response process to work as seamlessly as a company expects, all of the moving pieces must fit together just the right way.
“Any company scaling its abilities to operate globally will appreciate that ‘growing pains’ usually evolve into new issues, which may best be described as ‘maintaining pains,’” they wrote. “One of the most high-profile ‘maintaining’ pains is the threat of a data breach, particularly for technology companies that are rich in personal data, such as companies developing artificial intelligence algorithms, due to the large amount of data necessary to train the model.”
While the liability of the board members depends on the discretion of the regulators that have jurisdiction over the breach, the cost of a breach will depend on ransoms, fines, lawsuits and notification costs, they wrote. The notification costs, however, are the most immediate factor in these breaches because they are complex and involve multiple elements.
Among the drivers of incident response costs are the obligations, liabilities and notifications required by third parties, they explained. Companies with cyber insurance are also typically required to notify their carrier of a breach.
“Notifications from vendors are one of the most important elements of addressing a data breach impacting a company’s supply chain, so it is important to get this right in a compressed time frame,” they wrote. “Once the obligations are met, the company can approach the vendor to be made whole as to its costs and expenses, whether by indemnity, or a breach of contract claim, and hopefully the contact with the vendor contract addresses these topics. That being said, there are avenues to pursue in absence of suitable protections in the contract with the vendor.”
Additional notices to regulators may also be required, which will further add to the costs associated with a data breach. With notification deadlines as short as 72 hours from the discovery of the breach, it’s unlikely that all the material facts have been ascertained during that time, particularly since the required information in a breach notification can vary by jurisdiction.
“Whether the breach is caused by internal or external factors, costs and obligations associated with a breach will arise,” they wrote. “The degree to which a company plans and prepares for a breach in advance will greatly control the amount of uncontrolled costs and stress when a breach occurs.”