When Faced With Data Breach Responses, the Cloud Can Become an Enemy
The cloud can quickly lose its luster when a cyberattack occurs and a company hopes to quickly determine what data was impacted, as looming regulatory fines and bad press potentially await.
March 10, 2020 at 11:30 AM
Praised for its innovation and security benefits, the cloud can quickly become a burden when a company is hit with a cyberattack and must understand the scope of the data held on public and privately owned servers.
In late February, Experian released its "Is Your Company Ready for a Big Data Breach?" study conducted by the Ponemon Institute, which collected the responses of over 1,000 information technology security, compliance and privacy professionals in the U.S., Europe, Middle East and Africa. Along with finding most companies lack data breach readiness, respondents also said the proliferation of cloud services was one of the top barriers to improving IT's ability to respond to a data breach.
Waiting for confirmation of what data was impacted and knowing where all the company's data resides are the pitfalls that commonly delay breach responses, cybersecurity observers said.
While the Experian study highlighted answers provided by IT, Morgan, Lewis & Bockius partner Mark Krotoski said corporate legal departments share similar fears that determining what data is on the cloud can be too time-consuming. "We have seen there can be delays in determining the scope of the breach and assessing if there's notification [required]," he explained.
Krotoski described a frequent occurrence where a company is notified by its cloud-based service provider that an incident occurred. When the client's in-house legal and IT team asks for more details about the scope of the impact, a response may take weeks or months.
Unless contractually obligated, the third party can take as long as needed to provide its client with details, Krotoski noted. But as the client waits, the General Data Protection Regulation's 72-hour reporting requirement or any state's data breach notification deadline could be ticking.
Likewise, Brian Lapidus, Kroll's identity theft and breach notification global practice leader, described the "frenetic energy" when companies don't know what data is on the cloud after an incident.
"We've seen it with our clients. They don't know what data they have on the cloud, they don't have that expertise in-house, and it affects their timing," he said.
Kroll cyber risk associate managing director Keith Novak recommended implementing detection and monitoring tools and appropriately limiting and deactivating access to data.
"Traditional on-premise monitoring and detection tools do not operate well in cloud environments and organizations are blind in many cases to the amount of data being stored on the cloud," Novak said.
He cited "shadow IT," applications that are used without notifying the organization, as one of the leading causes for confusion as to what data is on the cloud.
"What happens is the organization as a whole hasn't adopted a cloud policy, and that hasn't happened because I don't think they realize the extent of their adoption already," he said.
To mitigate the risk when placing personal information on cloud-based programs or storage, many legal departments are adding detailed breach notification and liability requirements into their vendor contracts.
"By itself the cloud has a lot of good security features, but because you are creating another link in the chain, companies want to do their due diligence to ensure there is sufficient security on the cloud and they can be timely notified if there's an incident," Krotoski said.