As enterprises come to accept the sobering fact that security compromises cannot be prevented entirely, a second inevitability follows: lawsuits and class actions spurred by data breaches and the loss of customer data. Last week, the Republican presidential nominee's hotel chain and the third-largest U.S. search engine both came to terms with this reality. What does the future hold for organizations facing breaches they cannot fully prevent, coupled with the spectre of the litigation that follows?
It turns out that the Yahoo data breach, which occurred in late 2014 and was disclosed only last week, resulted in the theft of data on at least half a billion accounts: names, email addresses, hashed passwords, telephone numbers, and dates of birth. This untimely revelation, coupled with mounting class action lawsuits against the Sunnyvale-based search giant, could throw a wrench into its agreement to be acquired by Verizon for nearly $5 billion.
Plaintiffs are alleging negligence. One suit charges that Yahoo "intentionally, willfully, recklessly, or negligently" failed to secure its systems and to inform users that their data "was not kept in accordance with applicable, required, and appropriate cyber-security protocols, policies, and procedures." Another alleges violations of the Federal Trade Commission Act and of California law through Yahoo's failure "to employ reasonable and appropriate security measures to protect subscribers' personal information." Members of the U.S. Senate and the SEC are now reportedly taking an interest as well, since Yahoo apparently did not disclose the breach to prospective acquirer Verizon during their negotiations.
In another data breach item last week, less expansive but, given the brand's namesake, equally newsworthy, Trump Hotels agreed to settle with the New York Attorney General over a series of breaches that exposed roughly 70,000 credit card numbers along with other customer records. The compromises were traced to malware at several of Donald J. Trump's hotel properties. Despite knowing of the breaches, Trump Hotels did not alert customers for four months, violating New York state law, which requires that consumers be notified of compromised data in a timely manner. To make matters worse, slow remediation afterward likely contributed to a second breach, discovered in March 2016.
The hotel chain agreed to overhaul its security program, including employee security training, comprehensive risk assessments, and regularly scheduled testing of its systems, on top of a $50,000 penalty for its failure to notify customers.
Cyber Resilience vs. Cybersecurity
The negligence both firms showed in failing to notify their users and customers promptly is litigation-worthy in its own right. Failing security controls, on the other hand, are more a sign of the times than anything else: when it comes to data breaches, it is a matter of when, not if. Ever-advancing technology alone cannot keep determined attackers out, and even enterprises with the best security controls will eventually experience a compromise.
What decides whether an organization sinks or swims in an age of inevitable breaches and lawsuits is therefore effective risk management rather than optimal security controls alone. Cyber risk insurance policies are a critical part of cyber resilience, which means managing cyber risk rather than trying to eliminate it. To this end, UpGuard's cyber resilience platform and Cyber Security Rating (CSR) give enterprises quantitative metrics for understanding their cyber risk profiles, and insurance providers rely on the same rating to assess an organization's insurability against data breaches. Try our risk grader now to determine your firm's CSR; you might be surprised at what you find.