Capital One Decision Puts Hacked Companies In Awkward Position
After Capital One recently lost a court bid to keep the details of a data breach secret, industry leaders would be wise to harden their cybersecurity defenses promptly.
The ruling allows parties to comb through the fine details of an organization’s relationship with its managed IT cybersecurity expert following a breach. Hindsight will now be far more than 20-20. That’s because inadequate cybersecurity, failure to meet regulatory compliance or subpar cyber-attack responses could be the foundation for civil lawsuits. Based on the outcome of the Capital One litigation, if a hacker compromises data that impacts third parties, your organization could be on the hook.
Understanding the Capital One Data Breach
U.S. financial giant Capital One suffered a stinging data breach in 2018 that was orchestrated by a single hacker. According to reports, the personally identifiable information (PII) of approximately 100 million Americans and 6 million Canadians was compromised. The PII was related to credit card applications dating back to 2015. Among the hacked information were names, email addresses, incomes, credit scores, dates of birth, and other PII ripe for sale on the dark web.
When companies suffer a data breach, the forensic details of that shortcoming typically remain in-house. In what appears to be an attempt at limited transparency, Capital One reportedly shared the post-mortem report conducted by a third party with approximately 50 employees, four industry regulators, and a multinational professional services firm. Because Capital One allowed outside entities to see the forensic report, U.S. Magistrate Judge John Anderson of the Eastern District of Virginia ruled that it no longer enjoyed attorney-client privileges over the information. The judge’s decision forces Capital One to release the report to impacted parties in 60 civil lawsuits that have reportedly been consolidated into a class action case.
Capital One generates $28 billion in annual revenue. The notion that a single hacker could penetrate its network and pilfer more than 100 million pieces of information stings its reputation. But releasing the forensic report that speaks directly to its inadequacies will likely bring humiliation.
How Capital One Ruling Impacts Other Organizations
According to the National Law Review, the judge in the case explained that companies that suffer a data breach bear the burden of proving the “work product doctrine” applies. This means that if your organization suffers a breach, the documents associated with restoration, recovery, and cybersecurity deficiencies are fair game unless you can prove otherwise.
The court, in this case, asserted that non-disclosure would “shield evidence from the truth-seeking process.” Industry leaders would be wise to hear that message loud and clear. If your organization suffers a data breach, even the slightest security missteps could prove costly, should third parties bring a civil lawsuit. The payouts to lawyers, civil judgments, and having your business reputation dragged through the mud could be devastating.
How Industry Leaders Can Avoid Capital One’s Fate
An article published by CIO Dive indicates that Capital One suffered a breach similar in type to the one at Equifax. A fatal “web application misconfiguration” may have allowed cybercriminals to penetrate both financial outfits’ networks. The infamous Equifax breach was reportedly associated with a failure to patch software, and cybersecurity experts are concerned about vulnerabilities regarding “web application firewalls.”
It’s essential to understand that no cure-all exists to stop hackers. But ongoing cybersecurity due diligence offers the best defense against getting hacked and the best way to avoid civil lawsuits. The following strategies can harden your defenses and minimize lawsuit exposure.
- Multi-Factor Authentication
- Enterprise-Level Antivirus Software & Firewalls
- Virtual Private Networks
- Patch Management
- Ongoing Employee Training & Awareness
- Encrypted Data Transmissions
- Dark Web Monitoring
If you are a business leader concerned about your organization’s cybersecurity defenses, it may be prudent to consult with a third-party expert and conduct a thorough review of your systems. Seemingly minor oversights, such as those Capital One and Equifax suffered, had unimaginable consequences. Unless you provide secure defenses against data breaches, the fate of your business and reputation is in the hands of hackers.
At Network Security Associates, our team of cybersecurity experts delivers determined protections to keep your data safe and your company out of harm’s way. Schedule a complimentary file and document collaboration assessment.