September 21, 2021

Volume XI, Number 264


September 20, 2021


Not "If" but "When" — The Ever Increasing Threat of a Data Breach in 2021

FOURTH OF JULY DATA BREACH

The latest in a recent string of high-profile and wide-reaching cyber-attacks occurred over the Fourth of July weekend. A criminal hacking enterprise known as REvil targeted information technology (IT) management companies through a ransomware attack on a Florida-based software vendor, Kaseya. Kaseya is a “managed service provider,” which means it provides IT software to companies that do not have their own tech departments. Kaseya provides regular system updates to its customers to ensure the security of its systems. In this case, however, the attackers subverted the safety features and pushed malicious software that infected customers’ systems.1 According to CNN, the attackers requested a ransom of US$70 million in exchange for the decryption key.2 The attack reportedly compromised the data of between 800 and 1,500 companies around the world, though it will likely take several more days to understand the full extent of the attack’s ramifications, given that many businesses were closed over the holiday weekend.

DATA BREACH STATISTICS IN 2021

Data breaches such as the one experienced by Kaseya have increased significantly in recent years. According to the FBI’s 2020 Internet Crime Report, the Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, with reported losses exceeding US$4.1 billion.3 This record number of complaints represents a 69 percent increase in total complaints over 2019 alone. What is even more alarming is that experts say that the sophistication of the threats from these cyberattacks has also significantly increased, thanks to the application of emerging technologies such as machine learning, artificial intelligence, and 5G.4 The 2020 “SolarWinds” attack highlighted the reality of this increasing sophistication—for more than nine months, Russian military hackers had access to digital files of the U.S. Departments of Justice, State, Energy, Commerce, and the U.S. Treasury, after sabotaging a piece of computer code buried in a software called SolarWinds.5 The increasing “tactical cooperation” between hacker groups and state actors evidenced by the SolarWinds attack is another example of cybercrime’s increasing threat.6

NOT “IF” BUT “WHEN”

If the statistics are correct, the question for most companies is not if they will be a victim of cybercrime, but when. When a company experiences a data breach, the immediate aftermath can be hectic—companies often find themselves scrambling to answer key questions, such as what information was accessed, who gained access, and whether individuals are at risk, and to act quickly to mitigate the damage.

Companies must also be prepared to comply with the legal obligations to individuals, state attorneys general, and other regulatory bodies in the aftermath of a breach—a task that is often daunting in the midst of an already stressful situation. Every state, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches that involve personal information, and, depending on the types of information involved in the breach, other laws or regulations may impose additional obligations. Global requirements to protect information proactively further complicate this issue. In many circumstances, companies are under strict timelines to notify impacted individuals and report the breach to the authorities, credit-reporting agencies, and more.

RESPONDING TO A BREACH

While preventing all manner of data breach outright is nearly impossible, companies that work closely with legal counsel to prepare data breach response plans, including how notification will flow internally and with outside counsel and other vendors in the immediate aftermath of an incident, are better positioned to respond to a breach swiftly and in a streamlined fashion. Tabletop exercises to practice what is set forth in the plan are also key to ensuring a well-managed response.

Even where clients have not put a plan in place, a data security incident or breach can be navigated smoothly and with minimal damage to the company. With the support of legal counsel, a well-orchestrated data breach response includes notifying key stakeholders in a timely fashion, liaising with insurance to maximize coverage, and engaging experienced and capable vendors to perform a forensic analysis without delay. Experienced legal counsel will also assess regulatory obligations and guide clients through the initial notification process and any follow-up correspondence with data subjects, regulators, and more. In all instances, it is critical to work alongside counsel to comprehend the magnitude of the incident and navigate the incident with direction, decisiveness, and clarity.


1 https://www.theguardian.com/technology/2021/jul/06/kaseya-ransomware-attack-explained-russia-hackers.

2 https://www.cnn.com/2021/07/06/tech/kaseya-ransomware-what-we-know/index.html.

3 https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.

4 https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats-------what-you-need-to-know-for-2021/?sh=52febf0958d3.

5 https://www.cbsnews.com/news/solarwinds-hack-russia-cyberattack-60-minutes-2021-07-04/.

6 https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats-------what-you-need-to-know-for-2021/?sh=52febf0958d3.

Copyright 2021 K & L Gates

National Law Review, Volume XI, Number 199

About this Author

Desiree F. Moore
Partner

Desiree F. Moore concentrates her practice in a wide variety of complex commercial disputes, including intellectual property, entertainment, product liability, labor and employment, art law, and class action defense. Ms. Moore also has significant experience with law and technology, including emerging issues surrounding social media and the law. She has counseled individuals and corporations on best ways to maximize social media for business, implement regulations for social media in the workplace, and curtail harmful social media practices. Ms. Moore also has...

974-4424-6133
Victoria Oguntoye
Associate

Victoria Oguntoye focuses her practice on defending business entities in complex commercial disputes in state and federal trial and appellate courts. She has represented financial institutions, technology companies, international fast food companies, land developers, departmental stores, and governmental boards. She was recognized as a Super Lawyers Rising Star from 2017 through 2020 - a recognition that only 2.5% of her peers receive.

Victoria has defended and prosecuted a wide variety of commercial, class action, bankruptcy, land use, consumer protection, eminent domain, false...

214-939-5716