When Faced With Data Breach Responses, the Cloud Can Become an Enemy
The cloud can quickly lose its luster when a cyberattack occurs and a company hopes to quickly determine what data was impacted, as looming regulatory fines and bad press potentially await.
March 10, 2020 at 11:30 AM
Praised for its innovation and security benefits, the cloud can quickly become a burden when a company is hit with a cyberattack and must understand the scope of the data held on public and privately owned servers.
In late February, Experian released its "Is Your Company Ready for a Big Data Breach?" study conducted by the Ponemon Institute, which collected the responses of over 1,000 information technology security, compliance and privacy professionals in the U.S., Europe, Middle East and Africa. Along with finding most companies lack data breach readiness, respondents also said the proliferation of cloud services was one of the top barriers to improving IT's ability to respond to a data breach.
Waiting for confirmation of what data was impacted and knowing where all the company's data resides are the pitfalls that commonly delay breach responses, cybersecurity observers said.
While the Experian study highlighted answers provided by IT, Morgan, Lewis & Bockius partner Mark Krotoski said corporate legal departments share similar fears that determining what data is on the cloud can be too time-consuming. "We have seen there can be delays in determining the scope of the breach and accessing if there's notification [required]," he explained.
Krotoski described a frequent occurrence where a company is notified by its cloud-based service provider that an incident occurred. When the client's in-house legal and IT team asks for more details about the scope of the impact, a response may take weeks or months.
Unless contractually obligated, the third party can take as long as needed to provide its client with details, Krotoski noted. But as the client waits, the General Data Protection Regulation's 72-hour reporting requirement or any state's data breach notification deadline could be ticking.
Likewise, Brian Lapidus, Kroll's identity theft and breach notification global practice leader, described the "frenetic energy" when companies don't know what data is on the cloud after an incident.
"We've seen it with our clients. They don't know what data they have on the cloud, they don't have that expertise in-house, and it affects their timing," he said.
Kroll cyber risk associate managing director Keith Novak recommended implementing detection and monitoring tools and appropriately limiting and deactivating access to data.
"Traditional on-premise monitoring and detection tools do not operate well in cloud environments and organizations are blind in many cases to the amount of data being stored on the cloud," Novak said.
He cited "shadow IT," applications that are used without notifying the organization, as one of the leading causes for confusion as to what data is on the cloud.
"What happens is the organization as a whole hasn't adopted a cloud policy, and that hasn't happened because I don't think they realize the extent of their adoption already," he said.
To mitigate the risk when placing personal information on cloud-based programs or storage, many legal departments are adding detailed breach notification and liability requirements into their vendor contracts.
"By itself the cloud has a lot of good security features, but because you are creating another link in the chain, companies want to do their due diligence to ensure there is sufficient security on the cloud and they can be timely notified if there's an incident," Krotoski said.
© 2025 ALM Global, LLC, All Rights Reserved.