3 Areas of Legal Exposure After a Security Breach

October 21, 2020

Here are the 3 biggest areas of legal exposure following a cybersecurity breach.


The risk of liability and reputational damage associated with cybersecurity incidents has only grown over the last few years; companies of every size are potential targets. Even more troubling is the legal exposure that comes from a data security incident involving the personal information of customers or employees. These breaches may lead to enforcement actions from federal or state regulators that levy fines, and they can also result in consumer class action lawsuits. It is not surprising, then, that data security is now a top concern for both general counsel and corporate directors. In this tumultuous environment, it is important to know what your legal exposure is so you can take steps to limit the risk.

Here are the 3 biggest areas of legal exposure after a breach:

1. Fines
On the regulatory side, the State Attorneys General have significant authority to impose fines. The numbers do not sound bad when you first hear them, ranging from $1,000 to $10,000 per violation; however, in a breach case the State Attorneys General treat each compromised record as a separate violation. So when you have a breach involving a million records at $1,000 per record, your fine is a billion dollars; that is real money and real exposure.

2. Damages (Class Action Litigation)
The damages claims presented in security breach cases are large simply because of the number of people involved, and these class actions are only getting bigger. A good example comes from California's CCPA, which contains a provision awarding damages to victims of data security breaches. When an individual's information is exposed in a data security breach, there is now a statutory damages remedy under which they can recover the greater of their actual damages or $750.

3. Injunctive Relief
A third component of legal exposure arises when regulators seek ongoing injunctive relief, which imposes a set of requirements that stay in place for years. Your company will be monitored over those years to verify that it is actually complying with the measures contained in the order. The challenge with injunctive relief is that it is something of a trap: you must continuously prove your compliance. Your professional security team then spends too much of its time proving compliance and not enough time doing actual information security.


Preventing Business Email Compromise (BEC) from Happening to Your Organization

Business Email Compromise is a form of cybercrime in which an attacker gains control of a victim's business email account and impersonates the account owner to defraud the company and its employees. It usually begins as a spear phishing attempt targeting a top executive of the organization, after which the organization's data is exploited. Victims of Business Email Compromise scams reported $1.78 billion in losses to the FBI's Internet Crime Complaint Center in 2019. Tune in to an interactive session with Derek Johnson, Director of Security at OnSolve, and Hanno Ekdahl, CEO of Idenhaus, to learn how to protect your organization. Reserve your spot today.

