Disclosure of Breaches: The Legal and Business Ramifications of Explaining What You Did Wrong

Cybersecurity Lecture Series

We were delighted to have Mark Anderson, Senior Director of Business Operations at BlackBerry, speak in the Cybersecurity Speaker Series. Mark talked about the legal and business ramifications of disclosing data breaches.

Mark Anderson has been working in the tech sector in Austin, Texas since 1987. He has worked at Thomas-Conrad/Compaq, Dell, General Motors, and BlackBerry. He triple majored in Mass Communications Engineering, Economics, and Government at Western Kentucky University before receiving his JD from the University of Kentucky. Following law school, Anderson worked as an attorney in Kentucky before moving to Austin to work in the emerging tech sector. He has written books on networking and network design and holds two patents that he helped develop while working at Dell. He has extensive knowledge of management, security, software licensing and manufacturability, and network administration.

According to IBM and Ponemon Institute’s “Cost of a Data Breach Report for 2019,” the average cost of a breach was $3.9 million and the average breach affected 25,575 records. The average time to identify and contain a breach was 279 days, but the costs and consequences of a breach can last for years.

Breaches can be associated with a variety of incident types beyond software vulnerabilities alone, including fraud, intentional leaking, malware, phishing campaigns, and failures at third-party suppliers. Recent years have seen steady growth in malicious and criminal activity; however, such activity accounts for only 51% of data breaches, with system glitches and human error splitting the remainder almost equally. Some of these breaches call for HR and training fixes as much as cybersecurity ones.

Regardless of the type of breach, businesses face a myriad of international, state, and local notification laws and regulations they must navigate. Anderson drew a clear distinction between breaches affecting Personally Identifiable Information (PII), where disclosure is mandated by law, and non-PII breaches, where businesses must weigh disclosure against a variety of costs. He briefly highlighted the differences between the EU’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the US’s sectoral approach, which is governed by multiple agencies and state laws.

In determining how to respond to a data breach, the business must weigh four key elements of that breach and the costs associated with each: detection (31.1% of cost), notification (5.4% of cost), post-breach response (27.3% of cost), and lost business (36.2% of cost). Lost business is the major issue in deciding whether to disclose the breach to the public. Some companies make poor business decisions in responding to these breaches, as seen in recent ransomware attacks. In 2019, companies faced a 29.6% chance of experiencing a breach of some type, and Anderson recommended that companies remain cognizant of the risk and plan for breaches going forward.