As corporate cybersecurity breaches become increasingly common, businesses are coming around to the realization that they need to take proactive measures to prepare for the inevitable.

All this has resulted in a turf war among different factions trying to be the first in line to help companies get their digital houses in order, and several L.A. firms – including legal powerhouses Latham & Watkins and Munger Tolles & Olson – are at the center of the battle.

Getting out in front of the problem can be costly, but companies are learning it costs more – both in fines and reputational damage – when increased regulatory scrutiny in the wake of a breach exposes lax security controls. Those expenditures come in addition to the cost of defending class actions and other lawsuits filed by affected customers, employees, and business partners.

High-profile attacks against Sony Pictures Entertainment and Target Corp. in the past several years have garnered national headlines, but scores of smaller breaches have also occurred and are increasing in regularity.

A report issued by state Attorney General Kamala Harris in February found there had been 657 data breaches affecting the personal records of 49 million Californians between 2012 and last year.

While formal federal legislation languishes, enforcement bodies including the Federal Trade Commission have issued guidance and 47 states have passed laws concerning data security. In California, consumer protection laws are particularly strong, and combined penalties and fines can approach seven figures – not including legal fees if they are fought, according to Sharon Klein, a partner in the Irvine office of law firm Pepper Hamilton.

“Where I see companies get hit with a host of fines and penalties is when a business just completely ignores (possible data breaches),” Klein said. “You really need to think about privacy and data security. It’s not an afterthought.”

Guidance issued by Harris in her February report reiterated state law requirements that businesses must use “reasonable security procedures and practices … to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”

This environment has galvanized companies to set up more robust action plans for data security. That means more work for people such as James Aquilina, the Century City-based head of digital forensics for Stroz Friedberg, an international cybersecurity firm headquartered in New York.

Expenditures vary widely by industry and business size. Some working in the industry said initial consulting costs for a midsize business can tally around $100,000 with $50,000 in yearly upkeep.
