Our first two articles discussed how to prevent and prepare for a network intrusion and what steps to take immediately upon discovering an intrusion to mitigate harm and re-secure your network. This article provides a framework for identifying and assessing the risks and obligations your company may face as a result of a network intrusion.
Companies may face three types of risks arising out of a network intrusion: legal risks, commercial risks and reputational risks. When your company discovers a network intrusion or other security breach, you should systematically identify, assess and address these risks and obligations so that you can minimize litigation, mitigate damage and protect your company's bottom line.
Federal laws also impose data security and, in some cases, breach notification requirements on certain regulated industries, including the nuclear energy industry; the maritime, aeronautical, and rail transportation industry; the chemical manufacturing industry; the telecommunications industry; and any industry that may bring companies into contact with national defense information. Violations of these provisions can result in regulatory investigation, civil penalties, loss of government contracts and, in certain cases, criminal prosecution.
Nearly all 50 states have adopted breach notification laws requiring companies to notify individuals whose personal identifying information may have been exposed as the result of a network intrusion. State consumer protection laws also often offer a cause of action for litigants who allege harm resulting from a network intrusion.