Every in-house counsel dreads the telephone call on a Friday evening that starts with the words “I’m glad I found you.” That’s especially true if that telephone call informs the in-house counsel about the newly terminated IT department employee who was able to access the company’s confidential data systems 30 minutes before his access was deactivated. At that point, in-house counsel knows she is in for a long weekend and weeks or months of investigation, mitigation and possibly recriminations. Of course, there are two more questions that may be forgotten in this moment of crisis but will be asked soon enough: “How much will the investigation and remediation cost?” and “Who pays?”
Add to our example an additional twist: Our in-house counsel breathes a sigh of relief when she is told that the company’s security team has determined that the ex-employee introduced a virus that was intended to damage the company’s systems but that it failed to do any damage. Problem solved, correct? Unfortunately, even if there is no damage, the company could still incur significant costs as a result of the breach. In most circumstances, IT security departments will require a review of all of the major systems to confirm that the virus did not in fact infiltrate any systems and cause latent damage or a cybersecurity breach. Such an investigation can be extremely costly. At least one study has determined that the average cost to resolve an actual or potential cyber-attack is approximately $600,000. These costs can include forensic and investigative activities, assessment and audit services, crisis team management, and communications, both internally to executive management and the board of directors and possibly externally to shareholders or the public.