Under Attack: Managing Disputes Arising from Digital Incidents

This article is based on a recent panel discussion from Womble Bond Dickinson’s virtual summit, The Algorithm Economy: How to Win in a Digital World. In this session, Tyler Bridegan, Womble Bond Dickinson Partner and former Director of Privacy and Technology Enforcement in the Texas Attorney General’s Office, joined Jon Olson, Chief Legal Officer of Blackbaud, and Womble Bond Dickinson Privacy and Cybersecurity Partner Scott Hyman for a conversation on managing litigation stemming from cyberattacks.

As the patchwork of federal and state cybersecurity and privacy laws and regulations continues to increase, companies are facing increasing legal risks from a variety of regulatory bodies. The Department of Justice, Federal Trade Commission, Consumer Financial Protection Bureau, the Securities and Exchange Commission, and Department of Health and Human Services all take an active role in compliance at the federal level. On top of federal activity, state attorneys general and various state agencies, like the New York Department of Financial Services, are actively investigating cybersecurity and privacy issues.

“Cybersecurity and privacy are not just regulated from an enforcement standpoint any longer,” Hyman said. This is particularly true on the state level, where state agencies have hired staffers experienced in privacy and cybersecurity and are utilizing robust license examinations in privacy and cybersecurity to examine their licensees. 

“Industry frameworks may be inadequate to or rejected by the standards and procedures imposed by state regulators,” he said. “Advance preparation is the key to surviving a privacy and cybersecurity examination.” 

Current Trends in Regulatory Enforcement

Federal regulators currently are focused on cybersecurity areas involving children’s online privacy and national security.

“We’re seeing a lot of cooperation among the regulators, from state to state and from the states to the feds,” Hyman said.

That coordination is reshaping how regulators assess companies in the wake of an incident. Drawing on his prior enforcement experience, Bridegan noted that regulators are not focused on perfection, but rather on how companies prepared for and responded to an incident.

“From an enforcement perspective, regulators aren’t looking for perfection - they’re evaluating judgment: how quickly a company understands what happened, how transparently it communicates, and whether its decisions match the risks created,” Bridegan said. 

Olson, who helped lead Blackbaud through a ransomware incident and subsequent litigation, said this increased coordination can work to a company’s advantage. “Each state has its own enforcement priorities, of course, but when combined into a single multistate action at least this allowed us to deal with this investigation with a single entity, rather than each state separately,” he said. Such cases are still complex, but the coordination provides a greater degree of procedural predictability. 

In the financial services sector, Hyman pointed to the CSBS Nonbank Cybersecurity Exam Program, while noting that New York maintains a particularly robust cybersecurity regulatory framework.

“There’s a lot of overlap between privacy and cybersecurity, but they’re not necessarily the same thing,” Hyman added. California, for example, is one of several states with comprehensive privacy and privately enforced data breach laws, while many states rely on their UDAAP authority to enforce cybersecurity expectations. 

The Cybersecurity Landscape 

It’s been said that “There are two types of companies: Those that have been hacked, and those that will be hacked.” The numbers certainly bear that out.

Cybercrime victim counts have surged disproportionately to the number of data breach incidents, with companies in the financial services, healthcare, and professional services sectors most affected. This means that data subjects routinely have their data exposed multiple times through multiple breaches, making annual sets of exposed personal identifiable information routinely exceed the adult U.S. population. Over 61 percent of U.S. adults have received breach notices; 44 percent report multiple compromises — repeated exposure is now the norm.

Such stolen data is a dark-web currency, traded for profit in resilient criminal markets — a marketplace economy affected by the fact of multiple-compromised data sets.

Case Study: Blackbaud Security Data Incident

“In my previous 12 years with Blackbaud, prior to our 2020 incident, we were relatively quiet on the litigation front,” Olson said. 

A May 2020 ransomware attack changed that. Despite the company’s diligent preparation, including detailed table-top exercises, and a staunch cybersecurity defense, the hackers were able to steal data.

“It’s both enlightening and chilling at the same time to learn how business-like these threat actors are,” Olson said. “For most of these hackers, it is a business.”

Blackbaud notified its customers of the breach and regulatory investigations, and litigation followed. Olson found himself facing 16-hour days at the same time as he and the Blackbaud team were working remotely during the pandemic.

“There were so many matters and inquiries coming in, and so many levels of communication to manage,” he said.

Bridegan said, “Every state has its own breach reporting thresholds.” Olson said that even if a breach doesn’t trigger a statutory notification requirement, companies may wish to notify state Attorneys General anyway before sending out a breach notice to customers. Such a proactive, voluntary disclosure approach may be looked upon favorably by government investigators.

Also, Hyman said a data security plan should be housed in a secure, physical binder and/or off-line laptop—not online where hackers could get to it. Backups and redundancies are essential as well.  A company’s data breach response plan should specifically identify relevant contractors who will be necessary in the event of a data breach, including outside counsel, outside local counsel, outside regulatory counsel, forensic team, publicity response team, insurance claim contact, among others. If your first contact isn’t available, make sure you have a list of backup contacts lined up in advance.

Olson said Blackbaud’s experience showed him the importance of preparation and advance planning. Blackbaud felt it was prepared for such a data incident, and while it was still hit with a data breach, it could have been much worse had Blackbaud not made cybersecurity planning a priority.

He also noted that no matter how much planning a company does, a cyberattack will be emotionally challenging for executives and in-house attorneys. Tempers may get frayed, and people may express strong opinions about aspects of the incident. 

Olson counseled companies to talk about critical questions such as, “Would the company pay a ransom?” and “What should we say in a press release?” in advance of the heat of the moment during a real data security incident.

“It’s important to understand that there will be emotions involved,” Olson said. “It’s like the legendary boxer Mike Tyson said, ‘Everyone has a plan, until they get hit the first time.’”

Before a Breach: Top 10 Cybersecurity Preparation Priorities

1. Security Baseline
   Conduct a comprehensive assessment of your current cybersecurity posture by mapping what data you have, where it resides, how it flows across the organization, and whether existing security controls are sufficient to protect it.
2. Clear Objectives
   Define clear cybersecurity goals supported by written policies and procedures, and establish measurable benchmarks so leadership can track progress, accountability, and improvement over time.
3. Risk Management
   Identify your critical information assets—including data, financial records, and software—and evaluate risks across internal operations, external threats, vendors, contracts, and insurance coverage to inform prioritized mitigation strategies.
4. Access Controls
   Limit exposure by minimizing the data you collect and retain and enforce strong role-based controls governing who can access, use, or modify systems and information.
5. System Hygiene
   Maintain a disciplined approach to patch management and system updates, including monitoring vendor security advisories and proactively upgrading or retiring legacy systems that introduce unnecessary risk.
6. Workforce Training
   Invest in regular, role-appropriate cybersecurity training for executives, managers, and employees to reinforce expectations and build a sustained culture of security and privacy awareness.
7. Threat Monitoring
   Deploy appropriate monitoring tools, establish a baseline of normal network activity, and conduct regular log analysis to detect anomalies early—especially subtle or recurring issues that are easy to dismiss.
8. Incident Readiness
   Establish a formal incident response plan that identifies decision-makers, response teams, and escalation paths, supported by a tested playbook that is regularly reviewed and practiced.
9. Ongoing Audits
   Use both internal and external security audits, combined with continuous monitoring, to validate controls, identify gaps, and ensure cybersecurity practices evolve alongside business operations.
10. Situational Awareness
    Designate a cybersecurity champion to stay informed on emerging threats and trends and to maintain open, ongoing communication with management about risk, readiness, and priorities.

Discovering an Incident or Potential Violation—What to Do Next?

A breach happens on your watch. It may not be your fault, but what should you do next?

An organization responding to an incident should first follow its established incident response plan by engaging key stakeholders, including insurance carriers, outside counsel, and other critical vendors such as forensic investigators. Consider whether contacting law enforcement is appropriate or required by law.

“You want to build those relationships in advance,” Olson said.

Early decisions are especially critical, because they often shape how an incident is viewed long after the immediate response is underway. “In many cases, the decisions made in the first hours of a cyber incident matter more in later litigation than the incident itself,” Bridegan said. “Companies that plan for that moment - legally, operationally, and reputationally - are better positioned when scrutiny inevitably follows.”

As the response progresses, organizations should work to restore affected systems and, if required, notify affected individuals or entities. It is important to proceed methodically and to document decisions and actions taken throughout the process.

At the same time, organizations should anticipate regulatory scrutiny. Regulators are likely to focus on whether the incident has implications for national security, critical infrastructure, or supply chains. They will also examine whether sensitive personal information of consumers or employees was compromised, whether any ransomware payments were made to sanctioned countries or parties, and whether there was consumer deception or inappropriate use of data.

Regulators also will assess whether timely and adequate notice was provided to affected persons. 

After the Fact: Cybersecurity Lessons Learned 

After the immediate response to a data breach has concluded, a company should shift its focus to strengthening its defenses and confirming that the threat has been fully contained. 

“Learn from what happened. Determine where your policies and procedures fell, and how the attackers got in,” Hyman said.  “But watch for the secondary breach.” 

This includes examining vendor relationships to ensure third‑party access is appropriate and secure. Companies should closely monitor network traffic for signs of data exfiltration, such as unusually large data transfers, traffic spikes at atypical times, suspicious destinations, or tunneled communications. In addition, organizations should scrutinize inbound email controls and assess whether there has been an increase in spear‑phishing or other targeted attack attempts as the malicious actor or copy-cats try for a secondary breach.

Dedicate time for a thorough review of all IT and security logs.  In this review, focus on known tactics, techniques, procedures and indicators of compromise, and closely monitor all high‑privilege accounts. Establishing clear internal and external information‑sharing channels can help ensure timely coordination and awareness as remediation continues. 

Finally, organizations should evaluate whether effective data governance frameworks are in place, including control audits that confirm the integrity and confidentiality of sensitive data are adequately protected.

Be sure to document everything and stay prepared for additional legal and regulatory challenges.

Using the Dark Web

Courts are receptive to the self-evident proposition that data breaches are a part of modern digital life, and most data subjects have been the subject of multiple data breaches. “We’ve all received the notice cards” is a common refrain.

But what hasn’t been well-developed is the impact of multiple prior data breaches on specific data breach class action litigation. Dark web evidence is central to challenging standing, causation, and damages, especially when plaintiffs have multiple prior breaches. Courts are increasingly accepting expert dark-web scrubs and timeline analyses showing that alleged misuse is not linked to the breach at issue.

“All this goes to traceability, which goes to standing,” Hyman said. “You can go on the dark web and build a profile for an individual independent of the data breach at issue. That’s powerful evidence to fend off standing, certifiability, and injunctive relief.”

Also, if data has been sold multiple times on the dark web, it diminishes in value. 

“Engage with experts early. You want to preserve this evidence,” Hyman said.

No one in company management wants to deal with a cyberattack or data breach, but chances are you will be faced with this challenge at some point. Preparation is key—both responding to the immediate aftermath of a breach and in dealing with the litigation that likely will result. 

No plan is perfect, but a well-prepared plan can help mitigate the damage and lead a company through the dark clouds of a data breach.

About WBD’s Digital Solutions Team - The pace of digital transformation continues to accelerate, influencing every area of today’s business environment. Our Digital Solutions Team helps organizations navigate this landscape, offering integrated support across compliance, transactional, litigation, and intellectual property matters.