Making It Right After a Data Breach and ID Theft, Part I

Yet another cybersecurity attack; this time some 57 million riders and 600,000 drivers were impacted by a data breach at Uber as explained here on the company’s blog on November 21, 2017—more than a year after the incident took place. Smaller than the Target and Equifax breaches, but still significant.

Within the legal industry, the attacks on DLA Piper, Cravath Swaine & Moore, and the Panamanian firm, just to name a few, have all made the news. These hacks were not limited to BigLaw. Of the 200 law firms surveyed for the Logicforce Cyber Security Scorecard, 66% reported a breach, and those firms range in size from solo to 450 lawyers. I recently had the chance to interview Jennifer Stueckler, LegalShield’s senior product manager for IDShield, on cybersecurity issues and the impact on clients, as part of this two-part series.

Dave Coffey (DC): What are the costs and implications of a data breach?

Jennifer Stueckler (JS): First, data breaches cost on average $3.5 million and, in general, the breakdown of the spend is as follows:

  • Repairing brand reputation: 29%
  • Loss of productivity: 21%
  • Lost revenue: 19%
  • Digital forensics: 12%
  • Technical support: 10%
  • Compliance regulatory needs: 8%

However, the bigger impact is that data breaches change victims’ spending habits. According to an article in TRUE, 67% of victims have reduced the amount spent with companies that have been hacked. 19% stopped buying from or working with the company completely.

DC: Are these figures for actual data breaches only?

JS: Yes, but the results for potential breaches are just as bad. According to the same article, only 17% of consumers would continue without any changes to their behavior if they knew of a potential breach, regardless of whether they were notified that their own data was compromised. Again, the other 83% of potential victims are changing their spending habits, without an actual breach, as follows:

  • 39% said that they wouldn’t shop or do business until after the situation was resolved.
  • 34% reported that they would still shop there but only pay cash.
  • 10% would never shop there again.

DC: That is a significant impact on the future of the company that would be difficult to measure, because it’s not only the $3.5 million that you spoke about above. Are there any more losses or future costs?

JS: When the personal information of individuals is unexpectedly exposed by an organization, many eyes are watching. From legislators to shareholders, consumers and shoppers, to patients and students, people expect the wrong to be made right. The compliance or regulatory requirements are increasing but the companies also face significant legal risks.

These risks include government investigations and enforcement actions; tort or contract litigation; legal action against perpetrators and related parties, and finally, securities litigation.

DC: How do law firms or companies protect their clients or customers?

JS: To keep your clients (or customers) happy, protected, and on the books, first ensure their personal information is kept secure. Next, ensure your clients have a comprehensive identity theft protection service, because if they already have a consumer-facing product, then they are already protected when a data breach happens.

Like other companies, law firms will need to put their clients first in the event of a data breach. According to the same Logicforce Cyber Security Scorecard report, cybersecurity ranks as the third priority for law firms because there is no “quantifiable financial return” from the necessary investment in technology, policy, and practices. As Jennifer has outlined, the risk of reputational and financial loss, both immediate and future, dictates cybersecurity planning for the inevitable breach. Next time we will explore responding to a breach. As always, reach out to me on Twitter @Gundog8 to discuss this and other issues.

Read Part II of this two-part series here!
