Earlier this year we pondered whether impending litigation might start to focus the attention of C-suite executives on their organisations’ cybersecurity stance. In the intervening months we’ve started to see movement on some high-profile cases.

The story of the Darwich family has effectively put a human face on the Colonial Pipeline incident from earlier this year. Eddie Darwich is representative of hundreds of small garage owners whose pumps ran dry after Colonial shut down its pipeline in response to the ransomware attack discovered in May 2021. Small business owners from across the US suffered a significant loss of revenue. Now Eddie is suing Colonial for that loss of earnings. It’s just one of several class-action lawsuits being brought against Colonial, citing a lack of cybersecurity preparedness.

The Colonial case is just the latest in a series that are beginning to make headlines and turn heads. Starting with the Target and Home Depot settlements, businesses are being hit with increasingly stiff penalties. Not before time. Too many organisations have been able to get away with a cavalier approach to data security that has seen their customers suffer the lion’s share of damage.


The price of failure is on the rise

For organisations with a global reach, effective cybersecurity requires a significant investment. For many, it’s an investment they have not yet made. Until the penalties for a poor cybersecurity stance exceed the costs of getting their house in order, this is a situation that seems unlikely to change.

The GDPR is widely recognised as carrying the toughest penalties for breaches of its rules. Whilst the majority of its biggest fines to date have been for privacy violations rather than for poor cybersecurity, the potential for significant penalties on security grounds remains. The regulation was recently applied with a major show of force when Luxembourg’s data protection authority hit Amazon with an eye-watering fine of €746 million (about US$877 million).

In Australia, the Australian Securities and Investments Commission (ASIC) is about to bring its first lawsuit against an Australian Financial Services License (AFSL) holder, citing a lack of cybersecurity preparedness. Over a period of four years, RI Advice Group suffered a series of cybersecurity incidents, ranging from brute force and ransomware attacks to unauthorised systems access.

In its defence, RI’s parent company IOOF Group Holdings claims the attacks were “of a nature not uncommonly faced by Australian businesses”. What makes this case interesting is that ASIC has decided this is not a sufficient excuse. In fact, if these are the sorts of attacks a business could expect to suffer, it makes even more sense that they should take effective steps to prevent them.

The insurance industry is more than just an interested observer at this stage. Mandatory breach notification laws, combined with plans to make it easier for victims of data breaches to seek financial compensation, could see cyber insurance premiums skyrocket. As part of its executive action on cybersecurity in the US, the Biden administration has been engaging with representatives of the insurance industry with a view to making minimum standards of cybersecurity a prerequisite for obtaining cover.


If not perfect, at least prepared

Nobody expects organisations to be completely impenetrable, but the tide of popular opinion has definitely turned towards elevating the minimum expected standard of cybersecurity preparedness. A suitable cybersecurity stance should include the effective use of both prevention and protection technologies. Prevention technologies such as firewalls and proactive anti-malware should be used to reduce the risk of malicious content making its way onto corporate networks. Protection technologies such as high-assurance encryption should be used to protect the confidentiality and integrity of data as it moves across public and private infrastructure, so that a breach of the network does not automatically become a breach of the data. Finally, file-sharing applications should be fit for purpose and permit secure collaboration with remote workers and with third-party organisations up and down the supply chain.

It is no longer acceptable for organisations to shrug their shoulders and say data breaches are just a part of business as usual. If the threat is known but ignored, the organisation is not fulfilling its duty of care. And where there’s blame, there’s a claim.