February 19, 2010 

Written by Attorneys John F. Mullen, Sr and Mark C. Stephenson

This article is an interpretation of current law and is offered for informational purposes only. This material is not legal advice and should not be construed or used as a substitute for the advice of an attorney. 

Sophisticated Global Cyber Attacks Are Putting U.S. Business Data Security At Increased Risk

Until now, most data security breaches were caused by an employee's negligent loss of a laptop or human error. Typically data losses involved thousands of records lost or taken. Misuse of credit cards, wasted time, credit monitoring or repair were common results. Recent developments suggest that U.S. businesses, and their insurers, are facing rapidly growing exposure to data security breaches launched from overseas. Global data attacks are tilting the playing field, threatening a constant stream of breaches and vast losses of data. This escalation is not merely about more attacks or bigger ones. The scale of the data exposed to loss is a game-changer, begging the question whether highly proprietary trade secrets, patents, corporate finances or deeply personal information has been compromised. Insurers and policyholders are likely to be left wondering what unanticipated damages may occur, and whether such losses are covered. Lawsuits are sure to follow.

The media recently reported a series of high-profile, coordinated and sophisticated assaults on the security of protected data. Unknown hackers were able to invade climate data held in a British university through servers located in Russia. Google recently admitted that it, along with 20 other major companies, suffered a sophisticated data assault launched from China. According to the Wall Street Journal, over the last 18 months, hackers based overseas successfully broke into computers at nearly 2,500 companies and government agencies in a coordinated global attack. An enormous amount of government, corporate and personal data was reportedly exposed. The inevitable conclusion appears to be that corporate and personal digitized information is at high risk, and that efforts to protect it may fail.

Costs associated with a data breach typically involve notification to affected companies and persons whose data may have been lost, investigative and forensic analysis, public relations and legal guidance, credit monitoring/repair, and lost time. Companies that hold sensitive digital data can protect themselves against these exposures by securing insurance coverage for when a data breach occurs, and by adopting internal procedures to limit access and distribution of confidential data. Even so, the costs to a business of losing digitized personal data are high and growing. Recent events may have made them even more unpredictable.

Until now, it was commonly assumed that stolen or lost personally identifiable information was sold and used as a tool to advance acts of theft or fraud. The increasingly vast number of records lost or taken raises the serious question of whether businesses have adequately insured themselves and whether insurers fully understand what losses may be covered or expenses incurred after a data security breach.

NLdH is a leader in aiding the business community in responding to cyber breaches and data loss events. It is able to deliver timely legal advice and expert forensic investigative support, together with necessary regulatory and media information management, so that potential adverse consequences are effectively managed. If you are interested in learning more about NLdH's Privacy & Data Security practice, please contact John F. Mullen at 215-358-5154 or jmullen@nldhlaw.com.