When cyberattacks strike global giants, it’s front-page news. But what about the smaller breaches -- the ones that don’t make headlines? Increasingly, they’re making waves in courtrooms and regulatory enforcement agencies.
Even if an organization manages significantly less data than an enterprise-level company, recent cases involving small- to mid-sized businesses show that no breach is too minor for major legal risks. Fortunately, there are practical steps that organizations of all sizes can take to strengthen their cybersecurity posture and reduce their legal exposure.
Small incidents can have “mega” consequences
A few years ago, smaller cyberattacks might have gone without legal action. That is no longer the case. Today, even small incidents can result in lawsuits and regulatory inquiries.
One example is MedStar Health. In 2023, a breach affecting 183,000 individuals -- small by industry standards -- led to six class action lawsuits that were consolidated into a single settlement. The breach stemmed from unauthorized access to employee email accounts. In other words, it was not a sophisticated hack. More recently, plaintiffs’ attorneys’ websites have been found soliciting class participants for incidents whose public disclosures state that fewer than 1,000 individuals were affected.
In addition to victims (or plaintiffs’ lawyers) who are more likely to be aware of breaches and to sue, regulatory enforcement agencies are more active, and breach-notification laws are expanding. At the same time, organizations manage and transmit data across complex systems and borders, where a single incident can trigger overlapping and sometimes conflicting legal obligations. Many state laws also require in-depth public disclosure when direct notification isn’t possible, which can lead to regulatory scrutiny in addition to litigation.
Smaller and mid-sized organizations face the steepest climb. With fewer resources, limited legal support, and lean security teams, they often struggle to stay ahead of compliance demands. They also have more difficulty absorbing the costs that come with litigation.
Minimize your risk
No matter the size or industry, every organization can take steps to strengthen its defenses and demonstrate compliance. A strong cybersecurity program starts with regular risk assessments, clear policies, an incident response plan, and a robust vendor management process. Teams should be trained and tested through tabletop exercises and breach simulations to identify gaps before an incident occurs.
Once a security framework is in place, organizations should focus on the following:
- Understand your data. Know where information resides and how it moves across systems to ensure compliance with notification requirements in different jurisdictions.
- Be prepared. Establish clear procedures to meet notification obligations, document security measures, and coordinate forensic investigations promptly after a breach.
- Engage counsel early. Involving legal counsel at the outset helps to preserve attorney-client privilege and minimize both regulatory and litigation risks.
- Strengthen safeguards. Implement cost-effective controls such as multi-factor authentication, network segmentation, and limits on exposure of personally identifiable information.
Looking ahead
“Smaller” doesn’t necessarily mean “safer.” Legal and regulatory risks have increased even for small to mid-sized companies and incidents.
Organizations should continue to monitor lawsuits tied to minor breaches as well as the latest developments in regulatory enforcement across multiple jurisdictions. Particular attention should be given to supply-chain and vendor-related incidents involving downstream partners, as well as heightened scrutiny of sectors that handle sensitive or highly interconnected data.
The Constangy Cybersecurity & Data Privacy Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
Partner
He brings over ten years of combined incident response and risk management experience to his role on our Rapid Response Team. During the seven years prior to joining the Constangy Cyber Team, Matt worked at a boutique incident ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
