How Law Firms Can Avoid the Pitfalls of Cyberinsurance Risk
In the face of 2017’s unprecedented, global ransomware attacks, the business community is approaching a new world of regulatory requirements, including…
September 21, 2017 at 01:10 PM
4 minute read
The original version of this story was published on Law.com
In the face of 2017's unprecedented, global ransomware attacks, the business community is approaching a new world of regulatory requirements, including the EU's GDPR. Now, more local initiatives are beginning to crop up.
For example, the states of Delaware and Maryland both recently passed new laws requiring businesses to alert state residents affected by a data breach within a certain timeframe, and to notify the state attorney general if more than 500 residents are affected.
Now, many firms will probably opt for a less burdensome course of action: ignoring new regulations and installing legal safeguards against possible lawsuits. At the same time, the growing industry of cyberinsurance offers the additional hope of backstop financial protection against cyberattacks. However, neither of these options amount to a comprehensive data security posture, leaving firms wide open to attack, so cyberinsurance providers are likely to factor compliance risk into their premiums, which could amount to a spike in coverage costs for insured firms.
Kurt Long, CEO of the Florida-based data protection firm FairWarning, shared with Inside Counsel why law firms need to avoid the temptation of short-term thinking and simplistic solutions to take back control of their data.
“Government data regulations are sweeping the world in wake of the 2017 global ransomware attacks. When consumer and citizen data is breached, trust erodes in our healthcare, finance, and government institutions,” he said. “Without trust, general consumer spending declines. Government regulations and the cyberinsurance industry are components to a multi-layer data protection strategy. When used properly, they can provide a final safety net for consumers impacted by a breached business or government institution, and hopefully, rebuild trust.”
The 2017 ransomware attacks are among the first wide scale security breaches that impacted critical services including healthcare and finance around the globe. Combined with the Equifax data breach of September 2017, compromised personal and financial information of consumers has occurred at a massive scale. Disruption of services and the compromise of citizen information demonstrate the need for privacy, security and regulatory enforcement in the United States and around the World.
Today, most regulations that are local tend to be at a state level. Per Long, state regulators feel the need to protect the trust in the institutions that employ their citizens. Security breaches of financial, banking, health, and lending information ultimately erodes trust in the institutions and result in reduced revenue and job loss. State regulators are able to move more quickly than federal regulators who have a much longer negotiation path, balancing myriad initiatives across our country and locally.
“Cybersecurity insurance is a last stop, it's not a replacement, it's one more layer to multi-faceted security strategy to secure your data,” he said.
Legal safeguards and cyberinsurance do not amount to a comprehensive data security posture, according to Long. For instance, with the Equifax breach, the attackers exploited an apache Struts web-application. Once breached, the consumer data is out the door with the attackers to commit fraud and other crimes, whether you have cyber insurance or not. Up to date patches, network security, and applications security are just a few examples of the other layers of security organizations need to implement in addition to cyberinsurance.
“Data security is now an executive and board level concern,” he explained. “We are seeing companies who have been breached cite major financial issues following a breach, from a drop in stock value to bankruptcy. Creating a data security strategy will provide a foundation to build upon for long term success. Short term thinking and short term solutions will not result in a durable organization.”
Long shared best practices for deploying a full-spectrum response to the emerging environment of constant cyberthreats that integrates technology, people, and processes into a single unified strategy, including: Have a written security policy; adhere to the applicable regulations specific to your industry state and country using their framework; put in place an incident response plan; rehearse your incident response plan; have named officer for privacy security and compliance and; treat privacy security and compliance issues with board level support.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllBeyond the Title: Developing a Personal Brand as General Counsel
Step 1 for Successful Negotiators: Believe in Yourself
Deluge of Trump-Leery Government Lawyers Join Job Market, Setting Up Free-for-All for Law Firm, In-House Openings
4 minute readTrending Stories
- 1Recent Decisions Regarding the Telephone Consumer Protection Act
- 2The Tech Built by Law Firms in 2024
- 3Distressed M&A: Mass Torts, Bankruptcy and Furthering the Search for Consensus: Another Purdue Decision
- 4For Safer Traffic Stops, Replace Paper Documents With ‘Contactless’ Tech
- 5As Second Trump Administration Approaches, Businesses Brace for Sweeping Changes to Immigration Policy
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250