Over 1,000 customers of retailer M&S are now suing the company following the massive data breach in April 2025. This situation significantly raises the stakes for all companies handling personal data — not just those storing financial information. Here’s how I think it changes things:

1. Legal Burden of Proof Now Falls on Companies: Lawyers now argue that M&S is legally responsible unless they can prove their cybersecurity met industry standards. That flips the dynamic — companies are guilty until proven secure when data is lost. “Unless M&S can show they had absolutely nothing to do with the loss… they are liable.”

2. “No Financial Data Stolen” Is No Longer a Defence: Even though no payment details or passwords were taken, M&S still faces a potential £300 million fallout. Why? Because personal data — names, emails, addresses, birth dates — is valuable to criminals and legally protected. Phishing, identity theft, and impersonation risks are real — and courts now recognise that.

3. “Human Error” Is Not a Legal Excuse: M&S admitted the breach came from human error. But under current data protection laws (like the GDPR), that’s still the company’s responsibility. It highlights the need for better security training, access controls, and incident response planning.

4. Cybersecurity Is Now a Legal Shield — Not Just a Technical Concern: Adequate security means more than antivirus software. It includes:
• Strong encryption
• Routine audits
• Staff awareness programs
• 24/7 threat monitoring
Companies without these layers face serious legal exposure — even if no money is stolen.

5. This Sets a New Legal Precedent: If successful, the M&S class action could inspire more collective legal actions and regulatory crackdowns. Companies will need to view data protection as a core business risk, not just a back-office function.

The bottom line? This case signals a shift — companies must now prove they did everything reasonably possible to prevent a breach. Anything less could mean massive compensation claims and lasting brand damage.

Understanding Legal Risks of Data Breaches
Summary
Understanding the legal risks of data breaches means knowing how companies can be held responsible when confidential information is exposed, including personal, financial, or employee data. Legal consequences range from lawsuits and fines to reputational harm, and current laws make it clear that even accidental breaches or those caused by third parties can lead to serious penalties.
- Prioritize legal compliance: Make sure your company’s data handling practices align with privacy laws and report breaches quickly to avoid extra liability.
- Strengthen employee training: Regularly educate staff about cybersecurity and privacy responsibilities to reduce the chances of human error leading to legal trouble.
- Monitor third-party risks: Evaluate and continuously review the security practices of vendors, including law firms, to minimize exposure from external breaches.
Tracking the Risk of Lawsuits from Privacy Breaches: A Clear Example of Consequences

Introduction
Companies and their boards should prioritize privacy management in the current regulatory climate. The growing risk of lawsuits from privacy breaches represents a significant area of concern. The case of Insurance Corporation of British Columbia v. Ari serves as a clear example of the consequences of failing to adequately manage this risk.

High-Level Summary of the Case
In this case, the British Columbia Court of Appeal held that an employer, ICBC, was vicariously liable when the province's Privacy Act was violated by an employee. The employee improperly accessed and sold the personal information of 78 ICBC customers, leading to criminal acts. The court's conclusion emphasized the duty of organizations like ICBC to protect privacy according to the Act.

Vicarious Liability: A Universal Concept
Vicarious liability is a principle assigning responsibility to a superior entity for actions of a subordinate during employment. This principle emphasizes the need for companies to exercise thorough supervision and training to prevent unauthorized employee actions. This principle exists not only in Canadian law but also in the legal systems of other countries, including the United States.

Privacy Act [RSBC 1996] CHAPTER 373
This Act in British Columbia commits to protecting personal privacy. Section 1 of the Act creates a tort for willful privacy violations, emphasizing organizational duty to uphold individual privacy. Compliance with this Act is a vital legal obligation within British Columbia.

Implications for Employers
- Understanding Legal Obligations: Alignment with the Privacy Act and other relevant privacy laws is essential.
- Implementing Effective Controls: Development and consistent reinforcement of proper controls through regular audits, monitoring, and training.
- Risk Management Strategies: Proactive management of privacy infringement risks, including implementing retention or disposition schedules for personal information.

Conclusion: Proactive Management of Privacy Risks
In a world where privacy breaches are increasingly common, companies must actively manage these and other risks. Linking controls to risks, automatically collecting effectiveness data, and adjusting controls as risk tolerance changes are vital strategies. The Insurance Corporation of British Columbia v. Ari case illustrates the severe consequences of failing to manage privacy risks. It encourages companies to invest in comprehensive privacy management, monitor effectiveness continuously, and adapt to constantly evolving privacy challenges. By adopting a forward-thinking approach, companies not only protect individual privacy but also avoid legal liabilities and uphold organizational integrity. Managing privacy risks is not merely a legal obligation; it's a strategic imperative in today's interconnected world.

#privacy #regulation #law

During cybersecurity incidents, I have found that my best ally in almost every case hasn't been the CISO. It's been the company's legal department. That's not to say the CISO hasn't been *an* ally, but I've come to find that the attorneys I work with have a better grip on the legal risks that incidents and subsequent response action(s) pose. Just because we have the technological capability to do certain things across employee endpoints doesn't mean we should, and it could potentially be illegal depending on the circumstances.

📜 BYOD + State Privacy Laws
If an employee uses a personal device under a BYOD policy, and your IR team accesses personal photos, texts, or banking apps in the process, you may have just violated California's CCPA, Illinois BIPA, etc.

📜 The Electronic Communications Privacy Act (ECPA)
Intercepting or accessing stored electronic communications (even on a company-issued device!) without proper authorization triggers ECPA exposure. You need legal sign-off on the scope of endpoint monitoring first.

📜 The Computer Fraud and Abuse Act (CFAA)
If incident responders access systems or endpoints beyond what's explicitly authorized in policy or by the device owner, the company could face civil liability under the same law usually invoked against a threat actor.

Not every attorney is up to speed on where incident response and insider risk management intersect with these laws. Cybersecurity practitioners and leaders should still pursue their own continuing education on cyberlaw and ask questions of counsel. But CISOs and cybersecurity leaders also need to make sure they understand their lane relative to their function within the business. In most cases we advise, not decide. Deferring to the company's legal team can help protect you. Make friends with them. Make use of it.

India’s new data law doesn’t care if you were “figuring it out.”

Under the DPDPA, if your company suffers a breach and doesn’t report it fast enough, the liability can fall directly on your Data Fiduciary. Not the third-party vendor, not your SOC partner. You.

And yet, most companies I’ve spoken to recently still think:
“Our SIEM will catch it.”
“Our DLP blocks exfil.”
“We’ll figure out breach disclosure when it happens.”

Here’s what 80% are missing in their incident plans:

(1) Who actually files the report? I’ve seen breach plans where legal, IT, and CXO teams all assume someone else will inform the DPBI. That confusion alone can cost you crores.

(2) There’s a legal clock now. You can't “internally assess” for weeks anymore. DPDPA expects timely reporting, without full blame games.

(3) Your DLP is blind without context. Blocking file transfers is easy. Detecting why that file mattered, what category it fell under (sensitive vs critical), and whether it triggered breach materiality: that’s where 90% of tools fall short.

(4) Your “Data Principal” rights are front-line panic. If a customer asks for deletion, correction, or breach disclosure, can your team actually respond without a fire drill? Most can’t.

(5) Your vendors don’t carry your liability. You do. You can outsource infra. You can’t outsource responsibility.

I’ve spent over 3 decades watching Indian businesses mature in cybersecurity. But this is the first time I’m seeing compliance risk with real personal exposure. Not just for CISOs, but for Founders, CXOs, and Board Members.

You don’t need a new tool. You need a clear breach plan. And real muscle memory on who does what when things go wrong.

Have you pressure tested your breach plan under DPDPA rules?

Seqrite Quick Heal #DPDPA #DataProtection #CyberSecurity #BreachResponse #Compliance #Leadership

Recently, a federal court addressed the question of whether a company can be found negligent for its law firm's data breach. See https://lnkd.in/eeBxyzKR. The short answer is YES. The federal court declined to dismiss the case, finding that a company might be negligent based on its law firm's breach.

Here is the background: The Company in this case makes snack food products for retail sale. It retained a respected and well-known law firm to provide legal services. In the course of the representation, the Company provided certain of its employees’ personally identifiable information (PII) to the law firm, including names, dates of birth, social security numbers, and addresses. In 2023, the law firm detected unauthorized access to its information systems, and a forensic investigation revealed that the hackers obtained the PII of 51,100 current and former employees of the Company. Each of the named plaintiffs received a letter from the Company to notify employees of the data breach and that their PII had been exposed.

Plaintiffs alleged that they are at an increased risk of identity theft, and they have taken prudent actions to mitigate the risk of identity theft, such as “signing up for credit monitoring and identity theft insurance, closing and opening new credit cards, and securing their financial accounts.” They filed a number of lawsuits against the Company and its law firm.

The Company moved to dismiss the lawsuits, arguing, among other things, that simply turning over employee information to its law firm cannot be negligent. In response, plaintiffs pointed out that they alleged that the Company should have ensured that its counsel followed proper data security practices, and it should have deleted certain personal information that it no longer needed to maintain, rather than share it unnecessarily with counsel.

The Court declined to dismiss the negligence claim against the Company, finding that the plaintiffs should have the opportunity to further "develop the facts." This means that the Company will likely spend thousands in legal fees during discovery, and is statistically likely to settle the case, rather than risking an adverse ruling at trial (or on summary judgment). Further, if the law firm and its insurers end up having insufficient funds to satisfy any judgment (a very unlikely scenario here), it is possible that the Company may have exposure with respect to any judgment, regardless of its negligence or lack thereof.

BOTTOM LINE: It is very important to conduct adequate third-party risk management (TPRM) on your law firm. Recommendations for such TPRM can be found in my prior posts linked below:
- https://lnkd.in/e32RcSWY (Reducing Legal Exposure from Vendor Data Breaches)
- https://lnkd.in/ePiUDJ-i (Law Firm TPRM)
- https://lnkd.in/e-eVNvQz (Backup Vendors)
- https://lnkd.in/eu9hPGpu (How Come Organizations Aren't Prepared for This?)

Good luck!

But, we’ve already reported the breach to CERT-In. Why do we need to report it again to the Data Protection Board?

One of the most common questions clients ask us, and it’s understandable. On the surface, it feels like duplication, but in reality it reflects a misunderstanding of how India’s cyber and data protection framework is designed to work. CERT-In and the Data Protection Board of India (DPBI) look at the same incident through two very different lenses.

CERT-In’s role is highly technical: they want to know what went wrong, how the attack happened, how fast it was contained, and what needs to be done to prevent further damage. It's more like assess, learn, and adapt mitigation at a national level. It focuses on malware, intrusions, ransomware, logs, timelines, and immediate remediation. That’s why reporting to CERT-In is required within six hours; the priority is containment, not accountability.

DPBI, on the other hand, is not concerned with who attacked, which generation of malware it was, or the associated firewall logs. Its focus is going to be legal and compliance driven: they are concerned with knowing why the incident happened in the first place, whether reasonable data security safeguards were in place, whether personal data was exposed, and whether the organization fulfilled its obligations under the DPDP Act. That is the primary focus! This is where collection, data minimization, handling and accountability come into play. And unlike CERT-In, the DPB has the power to impose financial penalties.

Therefore, reporting to the DPB is not optional just because CERT-In has already been informed. A cyber incident and a personal data breach may arise from the same event, but they trigger different legal responsibilities. In fact, the DPBI can/will coordinate with CERT-In or rely on its technical findings to assess the severity of the breach and the organisation’s compliance posture.

They want to protect personal data, and the key point many organizations miss is this: a data breach is not just a cybersecurity issue. It is a legal and governance issue. CERT-In helps you respond to the attack, while the Data Protection Board evaluates whether you were responsible in preventing it.

For founders, CISOs, legal teams, and compliance leaders, this distinction is critical. Incident response is no longer just about IT firefighting. It’s about accountability, documentation, and demonstrating that reasonable safeguards were in place before something went wrong.

#DPBI #DBP #DPDPA #DataProtection #DataPrivacy #Concur #ConsentManager

India's Digital Personal Data Protection Rules were just notified on November 14, 2025.

This isn't just a compliance issue. It's a strategic governance imperative that Boards can no longer afford to defer. From my experience advising boards, here are five critical implications for directors and corporates:

1. The 18-month runway has conditions. The Rules provide an 18-month phased rollout for full compliance. But breach notification requirements and certain obligations took effect immediately on November 14. Boards that assume they have 18 months to act are mistaken. Incident response plans must be operational now.

2. Data breach penalties reach ₹250 crores. Failure to maintain reasonable security safeguards can attract penalties up to ₹250 crore. Not notifying the Data Protection Board or affected individuals of a breach carries penalties up to ₹200 crore. This isn't operational risk. This is existential risk for many companies.

3. The 72-hour breach notification mandate is live. Data Fiduciaries must provide initial intimation immediately and submit a detailed report to the Data Protection Board within 72 hours of breach detection. Most companies don't have systems to detect breaches in 72 hours, let alone report them. This creates immediate board-level exposure.

4. Significant Data Fiduciaries face annual audits. SDFs must conduct annual Data Protection Impact Assessments and independent audits, with reports submitted to the Data Protection Board. For companies processing large volumes of sensitive data, this elevates data governance to mandatory board oversight, not optional compliance.

5. Consent Managers create a new regulatory layer. Consent Managers must be incorporated in India with a minimum net worth of ₹2 crore and operate interoperable platforms compliant with Data Protection Board standards. This fundamentally changes how companies manage user consent, especially for fintech, consumer-tech, edtech, and digital platforms. Boards must understand these implications for customer experience and operational costs.

The board imperative: India now has operational data protection laws. The Rules were issued after 6,915 public inputs through nationwide consultations. Boards that treat this as an IT problem will face penalties and reputational damage. Those that embed data governance into strategic oversight will build customer trust and competitive advantage.

The question for board directors: In your experience, is data privacy integrated into enterprise risk management, or siloed in technology committees?

#DPDP #DataPrivacy #BoardGovernance #CorporateGovernance #RiskManagement #DigitalIndia #DataProtection #Compliance

Data Sources: Ministry of Electronics and Information Technology (MeitY) DPDP Rules 2025 notification (November 14, 2025), Press Information Bureau, India Briefing DPDP Analysis (November 2025).

#SoniaCisséSays: Free & Free Mobile have just been hit with a combined €42 million GDPR fine by the CNIL for a 2024 data breach. Why is this decision so significant? I had the pleasure of sharing a few thoughts in Nadine Daher’s excellent piece for Lexology PRO. For the "too-busy-to-read" among you, here are the key points: 👇

🛠️ Breach notifications: “generic” is no longer good enough
The CNIL is setting a very demanding standard for notifications to individuals. A short, high‑level email will not do. Controllers are now expected to be very specific, which is extremely challenging in the middle of an ongoing cyber crisis. That balance needs to be prepared in advance, not improvised during an incident.

🛠️ Security standards: soft law becoming “hard law”
For those who still doubted it, the CNIL relies on its own guidance and ANSSI’s recommendations to sanction. In practice, what many organisations still treat as “best practice” or “nice‑to‑have” now operates as a real benchmark for compliance.

🛠️ Data retention: an aggravating factor in cyber incidents
The CNIL also sanctioned Free Mobile for retaining subscriber data for more than ten years “without justification”. The authority now explicitly links excessive retention to the scale and severity of cyber incidents. In simple terms: the more unnecessary data you keep, the worse the damage (and the fine) is likely to be when a breach occurs.

💡 The takeaways? More + more + less
This decision is not just about one telecom group. It sends a broader signal to all sectors:
- Review your playbook: Incident response, crisis communications and notification templates must be updated to reflect this more granular standard.
- Reassess your security baseline: Treat CNIL and ANSSI guidance as the default position. If you diverge, document why and how you mitigate the risk.
- Clean up your data: Legacy databases and “just in case” retention create real regulatory and cyber exposure. Data hygiene is now a core element of cyber resilience.
- Align legal, security and communications early: The “tightrope” can only be walked if legal, DPO, CISO and communications teams are aligned on how much can and must be shared, and when.

Beyond the fines, the real takeaway is the standard the CNIL is now articulating: more transparency, more rigour, and far less tolerance for “business as usual” on security and retention.

If you are updating your cyber readiness, breach notification strategy or data retention framework in light of this decision, I would be very interested to hear how your organisation is approaching these challenges. In the meantime, see you at work... 😊

🍇 British retailer Marks & Spencer got hit in April 2025 with a cyber-attack that crippled its online operations, froze logistics and wiped out nearly half its profits. 7 weeks offline. £184 million gone.

Attackers gained access through a contracted IT support provider, reportedly using social-engineering tactics (impersonating internal staff via a help desk). By May 2025, M&S received insurance proceeds of £100 million. It also booked £101.6 million of cyberattack-related costs, with a further £34 million slated for the second half of this year. Its profits now are down to a meagre nothing compared to its last year's numbers.

This is a gruesome lesson in governance for the world of business. Legal risk vectors we can learn from this:

🔺 Third-party contracts: Review access rights, breach notifications, data handling, indemnities, caps and cyber insurance requirements. Treat every vendor, consultant and cloud provider as a potential entry point. Make it mandatory for anybody providing you tech solutions/services to have cyber insurance.

🔺 Insurance coverage: Most cyber policies exclude vendor-origin breaches; align your coverage with your contract language and review this policy with your legal teams and tech teams. Ensure your insurance covers third-party and supply chain attacks, business interruption losses, regulatory fines and notification costs under UAE laws. Get a good insurance advisor!

🔺 Data governance: Govern your data like it's a valuable asset. Map where data enters, flows and exits across your ecosystem, especially if it's freezone vs mainland jurisdictions. Implement Data Processing Registers and Breach Response Protocols under PDPL, ADGM, or DIFC frameworks. This defines your legal exposure perimeter. Remember, under UAE data laws, as the data controller, you remain accountable even if the breach starts with your vendor.

🔺 Board accountability: Ensure cyber risk sits within your board’s risk register and is tied to measurable oversight. Require quarterly reporting on cyber incidents, vendor audits, and regulatory compliance. Appoint a Data Protection Officer (DPO) where required.

If your contracts, insurance and data policies are not aligned, you have already created your weakest link. Good luck; because you will need it.

If your SaaS contracts still utilize a single liability cap for all data breaches, you may be carrying significant uninsured risk.

The Fourth Circuit's October 2025 decision in Holmes v. Elephant Insurance has transformed how we assess breach liability. The court determined that the publication of data on the dark web constitutes a concrete injury, granting victims immediate standing to sue in federal court. In conjunction with state laws such as CCPA and financial regulations under GLBA and NYDFS Part 500, we now face three distinct tiers of breach exposure:
→ Tier 1: General performance claims (traditional cap)
→ Tier 2: Contained breaches triggering state statutory damages and regulatory fines
→ Tier 3: Publication events enabling federal class actions

A breach involving 500,000 records could lead to over $150M in combined exposure. If your contractual cap is set at 12-24 months of fees, you may encounter a gap exceeding $100M between your cap and your actual risk.

An analysis of the implications of Holmes for SaaS liability modeling, guidance on constructing a three-tier contractual structure, and insights on operational controls that can mitigate your exposure is available below. For those negotiating SaaS agreements or managing cyber risk within financial services, this framework can assist in aligning your contracts with the evolving legal landscape.

#CyberSecurity #DataPrivacy #SaaS #RiskManagement #Compliance #CCPA #GLBA #NYDFS #DataBreach #TechnologyLaw #FinancialServices #CyberLiability #ContractNegotiation #InfoSec #FinTech #MortgageTech