Did you know that 83 class actions were filed in the United States in 2015 following a data breach?

Settling these lawsuits can involve millions of dollars and are certain to increase in the future. Sony PlayStation Network settled a class action lawsuit for $15 million after a data breach exposed 500 million customer names and addresses, login credentials and encrypted credit card numbers.

However, legal costs involve more than settlement amounts. The costs include attorney’s fees, fines, notification costs, credit card reissuing, identity theft repair and credit monitoring costs.

Organizations have to navigate through a complex web of legislation covering various approaches, such as system protection, data protection and proprietary information protection. In this context, the legal framework includes laws with extraterritorial application, privacy laws, information security laws, data breach notification laws, intelligence sharing laws and treaties in addition to contractual obligations.

Outside from consumer or employees class lawsuits, organizations are also exposed to shareholders’ derivative suits, securities fraud class actions and enforcement actions by governmental agencies. These may include the Department of Justice, the Securities and Exchange Commission, the Federal Trade Commission, the Office of the Privacy Commissioner and industry-based regulators such as the Federal Communications Commission and the U.S. Department of Health & Human Services that applies the HIPAA regulation.

Most regulations have in common the concept of reasonableness according to which cybersecurity has to be reasonable. This is both a legal requirement and a defense to lawsuits, but what does it mean? The answer to this question is often challenging for businesses, who question whether compliance itself is sufficient to avoid liability.

The evolving world of cyber litigation is also particularly concerning for small to mid-sized organizations that are the most vulnerable to the fallbacks of a lawsuit, and who, in most cases do not have cyber insurance. The recent inclination to name directors in lawsuits is creating new, overwhelming responsibilities on executives to be conscious of their decisions with regards to information security. Even when legal action is dropped and lawsuits dismissed, these smaller businesses and the executives incur substantial costs, brand damage and often personal blame for the breach.  Organizations must take the consequences seriously be aware of the legal context within which they must take their cybersecurity decisions.