Data Breach Does Not Necessarily Imply Breach of Duty, Daily Journal, by Mark Mao and Sheila Pham

Hsiao (Mark) C. Mao and Sheila Pham

Much of the current analyses surrounding cyber breaches are lacking in how they discuss incidents, as if an organization that has suffered a breach necessarily breached a duty of care. From the perspective of cyber professionals, such an argument is oversimplification.

Large organizations are subjected to hundreds of thousands of cyberattacks every day, and it is often difficult to completely keep out determined and sophisticated intruders. Between evolving technology and human error, even the best prepared networks may still get breached.

As recent cases suggest, it is often not a question of whether an organization will be breached, but rather whether an organization is properly prepared to respond to cyber incidents. As breach cases move past Article III standing issues and proceed to questions regarding whether organizations were negligent in incidents such as those arising from “insider jobs,” organizations with concrete response plans already in place will fare much better.