If your company becomes the victim of a ransomware attack, you might assume the attack itself is the worst of your organizational and financial problems. But have you considered the possibility that your enterprise could additionally face a class action lawsuit after experiencing a ransomware attack?
These days, that risk is increasing, and it is definitely on the radar of legal professionals. But enterprises that prepare in advance for such a worst-case scenario can protect themselves from this extra layer of financial hardship. The fact is that it will be difficult for the plaintiff in a class action lawsuit to win a settlement if the company that was targeted was careful, attentive, and conscientious, taking every precaution it could reasonably take to prevent and recover from an attack. An organization's risk increases, however, if the enterprise in question was negligent with the personal data that was compromised, and that negligence can be proven in court.
The Cybersecurity & Infrastructure Security Agency (part of the U.S. Department of Homeland Security) reported that around 85 percent of ransomware attacks are completely preventable when companies follow basic cybersecurity measures. In the current hack-happy environment where ransomware attacks are part of the daily news feed, these steps should be no-brainers—yet many enterprises are leaving these vulnerabilities wide open by failing to do them:
Keeping operating systems regularly updated
Patching known software, OS, and application vulnerabilities
Conducting regular data backups
Training employees on red flags to look for in emails and links
Restricting administrative privileges to OS and applications
Blocking unauthorized programs from running (known as application “whitelisting”)
Regularly implementing these measures is the best way for a ransomware-struck enterprise to protect itself against the possibility of a class action suit. In addition to ensuring that your company invests in preventive measures like network security and recovery solutions, IT should also document and audit the company’s data protection strategy on a regular basis. It might also be worth investing in a cyber insurance policy.
Research provides some indication of the number of companies that are neglecting these types of cybersecurity best practices. For example, when it comes to training employees to recognize suspicious emails and links, one study found that only about one-third of companies offer internal training on threats due to ransomware. The study, which was from the Ponemon Institute, also revealed some other disturbing findings:
Less than one-third (29 percent) of companies surveyed were confident that their employees would notice ransomware threats.
Less than half of employers surveyed (46 percent) said ransomware prevention was a company priority—although more than half actually had already been the victim of a ransomware attack.
Defend customer PII
Be cognizant of the reality that the people most likely to unite and file a class action suit are your customers who have reason to believe (or evidence of the fact) that your organization failed to protect their personally identifiable information (PII). For example, if a hacker stole social security numbers and driver's license details, and enough people were affected, it would not be uncommon for a class action suit to be filed if the enterprise in question failed to take the types of proper precautions listed above. The situation is similar to a shareholder class action against a public company: if the management team fails to create shareholder value, the company becomes a prime target for such lawsuits.
What’s the likelihood of a ransomware-related lawsuit succeeding? Clearly, if the plaintiff can prove gross negligence on the part of the company, there will be a greater chance of the company needing to compensate for customer PII being compromised. But if your company has taken proper cybersecurity precautions, documented and audited your strategy, and has invested in cyber insurance, you’ll be in a much more attractive legal position.
Also keep in mind that there is more at stake than the immediate financial impact of losing a class action lawsuit; there are also the potential long-term ramifications of such a suit.
Specifically, you may end up with a customer perception issue that could impact company revenues, reputation, and customer loyalty for years to come.
Navigating and developing a strong cybersecurity strategy is key to protecting your enterprise against the layers of fallout that can be left in the wake of a ransomware-related class action lawsuit. Take the time to understand the different products and solutions that can help you secure, maintain, and recover your data and your customers' personal information in the event of a data breach. By doing so, you'll have a much better chance of proving that your company did its due diligence in protecting PII to the best of its ability.