
Key Takeaways:

 
  • The risk of data compromise incidents continues to plague companies of all sizes.

  • Larger companies are adjusting their tactics to address cyber events.

  • Small businesses face new legal risks following a data breach.

  • Given the current trends, there are mission-critical capabilities needed when responding to a cyber incident.

The number of data breaches in the US continues to climb, increasing 6% during the first three quarters of 2024 compared with the same period last year. While a single-digit increase may seem relatively small, it only tells part of the story because the severity of data breaches, particularly third-party breaches, has doubled during the past three years. 

When bouncing back from such events, having an established incident response (IR) plan and access to a team of experienced professionals can make all the difference. 

The right IR team can not only help an organization prepare for potential cyber incidents, it can also conduct the forensic analyses needed to understand how a compromise happened, what specific data was exposed, and which individuals were affected — whether customers, employees or both. The team can also perform the notification and mitigation needed to reduce impacts for the organization and affected individuals.

Effective response strategies require organizations to constantly adapt to the latest threats and advances in security. TransUnion’s incident response leaders have studied emerging trends and identified three factors that will help drive IR strategies in the coming year.

Larger companies will rely on more blanket breach notifications — not analysis

Typically, responding to a cyber event would include examining the company’s data to identify precisely the data exposed and individuals at risk. But such data mining can potentially cost tens of thousands of dollars, and the process could determine millions of documents need further review — significantly increasing the final cost.

Rather than incur those additional costs, larger companies are now skipping the data mining step. Instead, they’re sending blanket notifications to any individuals who could have potentially been impacted by the incident. While some observers might be critical of this approach, it’s a more cautious tactic since it alerts as many potential victims as possible.

By skipping the data mining step, however, the files provided for notification efforts aren’t scrubbed. As a result, they may not be formatted correctly or details might not be accurate. In such cases, the notification process will likely generate more duplicate or undeliverable notifications — which regulators do not appreciate.

Among those advising companies in the wake of an event, we expect incident response providers to increase their demands for solutions to scrub this data. Ensuring data used for outreach and notifications is organized and useful will help streamline the mitigation process while keeping the breached company in the good graces of regulators. 

It’s no secret the potential for class action lawsuits increases when notifying individuals exposed in a cyber incident. Larger companies may view that risk as the cost of doing business, which is why they have in-house legal teams. Meanwhile, small- and medium-sized businesses (SMBs) typically don’t have those same resources. 

Unfortunately, smaller companies will likely face greater legal exposure following future cyber incidents. During the past decade, courts in several states have certified class action lawsuits that involve far fewer potential victims. Many now allow class actions that involve as few as a hundred potential victims.

By lowering the bar, courts have exposed SMBs to legal costs and considerations they’ve never had to address previously. Our incident response team must now caution small businesses of the potential legal fallout when notifying as few as 200–300 individuals — even for third-party breaches they have no control over. 

The increased legal exposure means SMBs need to have cyber insurance policies with limits that cover related legal expenses. They’ll also need a cyber protection service with access to lawyers with extensive experience dealing in cyber incident cases. 

Evolving state laws will continue to create breach response challenges

The efforts to protect personal data are constantly adjusting to counter the tactics used by cybercriminals. That doesn’t just involve developing new cybersecurity solutions. The rules and regulations governing data privacy and breach notifications are constantly evolving as well. For companies and their advisors and legal representatives, staying ahead of these changing laws presents other challenges.

While compliance with relevant federal regulations can be daunting, each state maintains its own privacy and notification laws. The differences from one jurisdiction to the other can create serious confusion. Massachusetts state law, for example, prohibits breach notification letters from including the number of individuals affected or type of information exposed, while Utah requires disclosure of those exact details.

With so many companies having operations and customer bases that extend beyond state lines, knowing how to satisfy the responsibilities in each jurisdiction can be a complicated burden. Those advising breached companies should demand any potential incident response partner be able to provide access to legal counselors who are knowledgeable about ever-changing state requirements. 

Successful incident response services require technology and expertise 

Given the modern reliance on data and persistence of cybercriminals, it’s clear threats to personal data are here to stay. In fact, the demand for personal information is only expected to increase as criminals use that data to fuel more advanced, AI-powered scams. 

For those advising businesses in the wake of a cyber event, it’s critical to work with a cyber protection partner who can clean up data, ensure notifications comply with regulatory requirements, and provide access to knowledgeable professionals who can guide the organization through difficult days.

Want insights into coming challenges?

Get our Cyber Protection Challenges and Opportunities eBook to see how the threat landscape is shaping up.