Pub. 12 2022-2023 Issue 1

Engage in a data mapping exercise to have a full understanding of where all of your consumer personal information is stored and who has access to it.

company that suffered the data breach would have had to be reduced if consumers in the relevant market were aware of the company's failure to protect consumer data. In other words, if the market knew this company was subject to the ongoing data breach, it would have had to lower its prices in order to attract customers. Thus, the theory is that the members of the class should be able to recover these theoretical overcharges for payments they made to the defendant company during the ongoing data breach. This theory of damages allows for recovery without any evidence of actual misuse of a consumer's PII as a result of the data breach. The case in which this theory of damages has been accepted involves the price charged for hotel rooms; however, one can easily imagine how it might apply to other industries, e.g., airline ticket prices. With the high level of security involved in air travel today, a great deal of information most people consider very confidential is required to purchase an airline ticket. If one airline made no promise to protect the PII collected from its customers, it would probably have to charge much less per ticket than a competitor using state-of-the-art data breach protections. Who would knowingly provide their confidential information to the clutches of the dark web? A similar analogy can be made in the banking industry. If it were known that a bank was subject to a data breach or a ransomware attack, arguably even a complete waiver of fees charged for banking services would not keep customers at the bank while their confidential financial information – and maybe their money – is siphoned off. Could this theory of damages subject a bank that suffers a data breach to a complete disgorgement of fees collected from all of the customers impacted by the breach?
As this theory of damages continues to play out in court, companies can take steps to minimize its viability. Experts in the cybersecurity field often start their presentations with the phrase "It is not if but when a cybersecurity incident will occur." There is certainly some truth to that statement. Threat actors increasingly deploy sophisticated attacks that target weaknesses in both people and systems. Making your bank 100% protected is nearly impossible; however, engaging in proactive measures consistent with best practices in the banking industry can go a long way toward establishing that data protection efforts are a significant part of the cost of doing business. With threat actors using more sophisticated phishing attacks and payment fraud schemes, it is important to provide ongoing cybersecurity awareness training to employees to counter new attacks. Banks should keep thorough records of this training and of the time and expense involved. Access controls, encryption, intrusion detection and vendor diligence should make up a significant part of the time and expense your bank contributes to its information security program. Access can be a difficult issue with employees working remotely and wanting the flexibility to use mobile devices. Each device presents an additional point of vulnerability, emphasizing the need for mobile device management, multi-factor authentication, technical measures preventing local storage of sensitive data, and other controls. Properly encrypted data is usually exempt from notification requirements under data breach notification laws, so failing to encrypt data both in transit and at rest makes for an easy argument by class action plaintiffs. While many banks have an internal information security team or use an information security vendor to monitor for intrusions, sophisticated threat actors develop new attacks every day. Consider engaging a firm that also performs cyber forensic investigations, as such firms will often have recommendations for the latest threat detection technology.
Both regulators and plaintiffs' attorneys almost always make an issue of the amount of time that passes between the first indication of a security incident and notification of consumers and regulators. Usually, there is a good reason for some of this delay: it takes time to investigate and determine whether a breach actually occurred and what the scope of the incident is. Samples of data provided by ransomware attackers and other threat actors are unreliable, resulting in significant time spent determining what may have been exposed. However, there are many parts of this process
