Businesses need to allocate responsibilities and work out indemnification issues before an attack occurs
Carl Mazzanti // February 19, 2024
Ransomware and other data-breach attacks are on the upswing, more than doubling from the first quarter of 2023 to the second quarter alone, according to published reports. Related legal expenses are also rising, with the volume of data breach class action filings jumping twofold.
These entanglements can take months or years to resolve, but much of the mess may be avoided if businesses are proactive about two issues: partnering with an experienced cybersecurity solutions provider at the start, and working with attorneys to review vendor contracts and customer agreements up front instead of waiting until a disaster strikes.
An experienced cybersecurity provider will typically deploy advanced search-and-secure monitoring software, client training and other actions to help organizations secure their intellectual property, personally identifiable information and other sensitive information, along with updating them about best cybersecurity practices. But if something does go wrong – like an “inside job” where employees stage a data heist – that is the wrong time for a business to start finger-pointing over liability.
To get a better handle on how organizations can plug their legal vulnerabilities in case of a successful cyberattack, I spoke with Serge Jorgensen, president and a founding partner of the Sylint Group, an eMazzanti Technologies partner that is internationally recognized as a leading cybersecurity and digital data forensics firm. Sylint Group has extensive experience discreetly addressing some of today’s biggest breaches, incidents and precedent-setting court cases.
“Cybersecurity providers and IT vendors typically offer service-level agreements, or SLAs, that define specific security benchmarks and response times,” Jorgensen told me. “These agreements can provide a structured framework for collaboration, ensuring that cybersecurity providers and other technology vendors are held accountable for maintaining a certain standard of protection. In the event of a cyber incident, having a well-defined SLA helps companies streamline the resolution process, minimizing downtime and reducing the potential financial and reputational impact.”
But the terms and conditions of cybersecurity and other IT-related contracts and agreements “can be very detailed,” he added. “So, it is not unusual for organizations to sign off on the documents without scrutinizing them. That can be a recipe for disaster in the case of a breach or other incident.”
Jorgensen told me that organizations and their legal counsel should ensure that indemnification clauses are embedded within their service agreements. “When the lawyers speak, companies listen,” he said. “Properly structured, these kinds of clauses can provide clients with an added layer of protection, by transferring some of the financial liability associated with a cybersecurity incident to the provider. The specifics of indemnification agreements should be carefully negotiated and outlined in legal contracts, since they can serve as a valuable tool in managing the financial risks that may arise from legal actions stemming from a data breach or cyber attack.”
Ideally, the contracts will be crafted to clearly define the scope of responsibility, indemnification terms, and any limitations on liability. “Client organizations and their legal counsel should engage in open communication with their cybersecurity and other IT providers to ensure a collaborative approach that allocates responsibilities and indemnification in a reasonable manner, while also addressing legal compliance and risk mitigation issues,” advised Jorgensen.
Cybersecurity providers work closely with legal advisers and clients to address these kinds of details, leveraging their expertise and delivering highly targeted, tailored solutions on behalf of client companies. And indemnification mechanisms can enhance the legal postures of both parties, reduce compliance-related risks, and foster a more resilient legal posture. The legal landscape surrounding cybersecurity continues to evolve, so embracing innovative strategies like liability shifting is imperative for companies seeking to protect their interests, maintain regulatory compliance, and uphold their reputation in an increasingly digital and interconnected world.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken, providing IT consulting services for businesses ranging from home offices to multinational corporations.