
Compared to 2018, reported data breaches in 2019 jumped by 33.3%, and the number of breached records jumped by 112%, according to a Risk Based Security research report. Unfortunately, there hasn’t been a commensurate rise in organizational preparedness to lower the risk of cyber-attacks. A Kaspersky study showed that over 57% of respondents don’t have a cyber-security policy in place, and among medium-sized businesses, the number jumps to 71%. This means small and medium-sized enterprises are at greater risk of legal consequences if they fail to follow the relevant laws of the land.

In the modern digital space, data is more valuable than oil or gold. If you’re in possession of customer data, you are legally bound to protect it from cyber-attacks. Since cyberspace is highly dynamic, cyber law is evolving accordingly to ensure optimum protection. A failure to ensure the safety of your company’s customer data against sophisticated cyber-attacks could lead to hefty fines. All businesses, but especially small and medium businesses, must know about the legal consequences of a data breach and the available solutions that can protect them from cyber-attacks and their consequences.

If you’re running an enterprise that collects and stores consumer data in a digital format, then you have to implement “reasonable” measures to ensure data safety. Despite the universality of cyber threats, the laws requiring data protection and data privacy vary from country to country. If your business is U.S.-based, you have to comply with state-specific laws, as no federal privacy law is in place. And if you’re operating from the EU, you must comply with the General Data Protection Regulation (GDPR).

The state of Nevada enacted the Consumer Protection Law on October 1, 2019, whereas the Privacy Act in New York and the CCPA in California came into force on January 1, 2020. Under these laws, you are expected to be honest and transparent regarding disclosures of cyber-attacks and to show that you are prepared to mitigate risks and resolve data breaches lawfully. If you are new to the digital space and want to make your system cyber-threat-proof, then you must be aware of the legal implications enshrined in data protection law across all major jurisdictions.

Scope of Penalties

The likelihood and severity of fines can vary depending on the level of the breach, the number of individuals affected and the regional jurisdiction. Country- and state-specific laws vary, so your legal team will be of great help in defining your firm’s liability in case of a data or privacy breach. The regulator will judge your case based on the level of threat, the nature of the compromised data and, above all, your pre-emptive and response measures. Another important factor, as mentioned, is your promptness in informing any affected individuals and authorities.

If you demonstrate the highest level of compliance and have an effective response plan in place, you can reduce the number of fines and other costs. All big companies have a legal team to handle all the necessary legal formalities, but if you run a small or medium-sized enterprise, you have to be very attentive. It’s not just about fines but about the theft of precious intellectual property—the core of your business.  

You may be aware of the risks involved in cyber-attacks, but legal action may still be brought if you fail to promptly notify the affected individuals and authorities about the data breach. A slow response to mitigate damage and lax data security measures could be other grounds for litigation. Under some regional jurisdictions, customers and shareholders could initiate legal action.

You know the nature of your business and the requirements of data capture and possession. You should discuss all the possible aspects of data security from both the technological and legal points of view at the board level. You should refer to the Securities and Exchange Commission (SEC) cybersecurity disclosure guidance document to discuss the nature and effectiveness of your firm’s cybersecurity system, policies and procedures. You should have a concrete data storage plan and cybersecurity insurance coverage. 

Cybersecurity is a specialized area, so you should have a well-trained data safety professional in place to ensure all possible safety. It’s all about being ready to face the most advanced cyberattacks and having a robust reporting process in place to fight the menace. 

What to Do After a Cyber-Attack

Timely Notification 

If your organization or system experiences a cyber-attack that leads to a data breach, you are legally bound to notify the affected individuals as soon as possible. If you are EU-based, under the GDPR, you have to inform the Information Commissioner’s Office (ICO) within 72 hours of the data breach.

In the United States, you must notify the attorney general of the affected state within the prescribed time. Since it’s all about consumer data protection and privacy, you’re also expected to notify regulators like the SEC, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau and the Federal Communications Commission (FCC) to ensure timely disclosure of the cyber-attack.

The ICO imposed a hefty $124 million fine on a hotel chain for reporting a data breach affecting 30 million residents in 31 countries across the European Economic Area (EEA) two months after the incident. The data breach occurred in September 2018 but was reported in November 2018. A data breach affects the reputation of the company, but late reporting or no reporting could make things worse in the form of additional fines.

Effective Response 

Cyber-criminals are well-equipped to break through even the best cybersecurity layers. That doesn’t mean you should trust in luck to protect your system. In the eyes of the regulator, your preparedness for and response to cyber-threats and data breaches will define your credibility. You should have an effective response plan in place, as this could help you cut the chance of hefty fines. Any sign of negligence or carelessness could attract double or triple fines and lead to an erosion of your company’s market value.

Your IT security department must be well equipped to investigate all possible aspects of a data breach, the extent of the breach and the origin of the threat. Your data protection officer must pass all relevant insights to the concerned regulator within the prescribed time. You should also hire data protection counsel to have a foolproof “security incident response plan,” which should include these measures:  

  • An operations team that informs affected persons without delay to avoid further damage. A dedicated team will inform any affected individuals via email or phone call.
  • External legal counsel with experience in handling data and privacy protection cases to help you navigate legal challenges.  
  • A well-oiled public relations channel to manage public perception and make the data breach disclosure less painful. 
  • A pool of insurance brokers and personnel to help you notify insurance carriers and submit loss claim notices.
  • A system reset procedure and data recovery protocol that makes the system cyber-attack-proof without impacting normal business operations.

There is no magic bullet for preventing personal data breaches, so companies must make conscious efforts to increase awareness throughout the organization and at all levels about (i) security threats and (ii) cybersecurity prevention techniques.

Therefore, it’s essential to ensure that your employees are aware of the types of threats they might face as well as the techniques to prevent them from succeeding.

Author Bio: Ryan Shaw is a writer and an avid explorer of Canada’s countryside. He’s a graduate of Simon Fraser University with a Bachelor’s Degree in criminology. He finds great interest in the areas of criminal litigation, dispute resolution, competition law and intellectual property rights. He’s just trying to leave the world a little kinder than he found it.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.