Have You Ever Considered the Consequences of a Potential Data Breach

Cyber security imageThe global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years.[1] Instances of data breaches have continued to increase over the years since the COVID-19 pandemic. The U.S. was the target of 46% of cyberattacks in 2020, more than double any other country.[2] In 2021, the number of reported data breaches increased by 68%.[3] The manufacturing and utilities sectors reported the highest increase in data breaches, where the number of breaches more than doubled.[4]

With cybercrime progressively on the rise on both the global and domestic levels, it is important to secure your business and take steps to limit liability in the event of a data breach. Bad actors could very well release information obtained in a cyber-attack to those who would do harm to you, your business, or your clients. If clients or third parties suffer financial loss due to negligent cybersecurity protocols, your business could be liable.

For liability to attach under a negligence theory, the defending party must be found to have breached the applicable standard of care. Typically, this means that the defending party failed to act as a reasonably prudent person under the same or similar circumstances. This may lead one to ask: What steps would a reasonably prudent person take to prevent a potential data breach? Fortunately, one likely answer is codified in Nevada’s statutory scheme.

NRS 603A.210 requires that “A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.” The statute further provides that, unless a higher level of security is mandated by state or federal law, “[i]f a data collector is a governmental agency and maintains records which contain personal information of a resident of this State, the data collector shall, to the extent practicable, with respect to the collection, dissemination and maintenance of those records, comply with the current version of the CIS Controls as published by the Center for Internet Security, Inc. or its successor organization, or corresponding standards adopted by the National Institute of Standards and Technology of the United States Department of Commerce.”

Accordingly, assuming no higher level of security is required by state or federal law, best practice dictates that the standard for governmental agencies be treated as the minimum standard for data security, in addition to encryption of records where possible. In the event of a data breach, it would be difficult to argue that a business that had complied with the CIS Controls and has encrypted its records had somehow failed to take reasonable security measures.

The current version of the CIS Controls is Version 8. It is available for free from the CIS website: cisecurity.org. The Controls have been defined by CIS as a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The controls provide a convenient breakdown of different levels of protection from Basic, to Foundational, to Organizational and are further broken down by “Implementation Group” which is assessed based on size and resources of the organization.

With the ever-growing threat of a cyberattack and resulting data breach, it is important for businesses to familiarize themselves with the Controls or alternative standards, consult qualified cybersecurity professionals, and comply with the prescribed protocols. These preventive measures not only help organizations identify best practices to protect against a potential data breach, but may also provide a liability shield in the event a data breach occurs.

If you are interested in learning more about strategies to protect your business from liability associated with cyberattacks, or would like additional resources to assist in preventing such attacks, the attorneys at Lemons, Grundy & Eisenberg may be able to help.

[1] https://www.ibm.com/reports/data-breach