Why a Cyber Breach At a Small Service Firms is an Extinction-Level Event, Part II

 
   I previously argued that a cyber breach is an “extinction-level event” for small and medium-sized professional service firms.  That post contained a sequence of events concluding with litigation that, due to its potential size, would lead to bankruptcy.  This post starts an in-depth look at that sequence, beginning with an analysis of the stolen data and why its theft leads to a lawsuit. 

   Professional service firms utilize expertise gained from a four-year college education and in some cases post-graduate work.  Most of these professions require an initial licensing test; some mandate continuing education.  The core business of these firms is to utilize intellectual capital to manipulate and interpret client-provided data.

   The ISO cyber polity defines this data “personal information:”

… any information not available to the general public for any reason through which an individual may be identified including, but not limited to…

1. Social Security number, driver’s license number, or state identification number
   
2. Protected health information
   
3. Financial account numbers
   
4. Security codes, passwords, PINs associated with credit, debit, or charge card numbers which would permit access to financial accounts
   
5. Any other nonpublic information as defined in “privacy regulations.” 
   

While points a, b, and d mostly apply to individuals, the definition is “not limited to” these items.  Non-specifically enumerated items are “not available to the public” – in other words, “confidential.”  This immediately brings to mind the legal and medical duty of confidentiality; financial information disclosed to accountants is not far behind.  Engineering, architects and actuarial firms also utilize proprietary data for their respective job functions.  These examples illustrate that it is almost impossible for any service company to argue it doesn’t utilize “personal information” as defined by the cyber policy.

   This explains why litigation is likely to result from a data breach; aggrieved clients will argue the unauthorized release has harmed their company, perhaps fatally.  They will allege that their data was protected by statute, provides their competitors with an edge in the marketplace, or is simply information that a reasonable person wouldn’t want in the public domain.  Clients will seek large damages and will be aggressive in litigation.  This is what will lead cause the firm’s “extinction” or, in the language of business, its bankruptcy.