Reputation, Business Damage Possibilities Keep Many Companies Mum Over Cybercrimes
Forget regulators and civil litigation, what companies likely fear most from a cyber incident is the possibility of losing business from concerned consumers.
July 09, 2019 at 11:30 AM
3 minute read
Concerned about reputational damage and lost business, many companies are underreporting cybercrimes.
Half of cybersecurity respondents to ISACA’s “State of Cybersecurity 2019,” a survey of 1,500 cybersecurity professionals from each continent, said they believe most enterprises underreport cyber incidents they are required to disclose. What’s more, a quarter believed enterprises underreport incidents they’re not legally required to make public as well.
To Womble Bond Dickinson privacy and cybersecurity team co-chair and partner Theodore Claypoole, the statistics don’t represent a new trend. He said businesses are resistant to report cybercrimes because it’s publicizing mistakes, embarrassments and possible incompetence.
“Even if the attack is brilliant and no one could have stopped it, those details are lost on the general public and especially regulators, who tend to blame the victim in these cases for not protecting consumer or employee data,” Claypoole wrote in an email.
Although not all cyber incidents lead to regulatory penalties, the negative media attention may be costly in the long run.
“In this day, where a company shows competence dealing with a successful attack, the company can minimize reputational damage and come back strong. But it is hard to believe that negative news will not hurt the company in a significant way,” Claypoole noted.
To be sure, Target faced a nearly 50% drop in profits after its massive 2013 data breach, while American Medical Collection Agency lost LabCorp as a client after its servers were hacked.
Frost Brown Todd partner Victoria Beckman also noted that companies may not report a cyber incident if they are acquired by another organization. She said some companies may believe they don’t have to reveal that information to their acquirer. However, a Forescout Technologies Inc. survey found more mergers and acquisition deals are prying into a company’s cybersecurity history.
Companies may also worry about the expenses associated with reporting a cyber incident, including IT upgrades, counsel fees and providing credit monitoring and notices to those breached, Beckman said. Indeed, American Medical Collection Agency spent $3.8 million for notifying just seven million of the 20 million customers whose data was breached, according to a bankruptcy notice it filed last month.
Nonetheless, Beckman said regulatory requirements make reporting a cyber incident the best policy, in light of varying statutes’ definition of a breach and documentation and notification requirements.
“I would never recommend not to report an incident,” Beckman said. ”It would expose the organization to serious legal and economic consequences. If after a risk assessment, the organization concludes there was no reportable breach but only a minor incident, that thought process must also be documented.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Elon Musk Names Microsoft, Calif. AG to Amended OpenAI Suit
- 2Trump’s Plan to Purge Democracy
- 3Baltimore City Govt., After Winning Opioid Jury Trial, Preparing to Demand an Additional $11B for Abatement Costs
- 4X Joins Legal Attack on California's New Deepfakes Law
- 5Monsanto Wins Latest Philadelphia Roundup Trial
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
