How ISO 27001 Reduces the Risk of Data Breach Litigation

Litigation following a data breach is like adding insult to injury. The incident damages your reputation and slows your business as you try to correct the issues. Then you have to pay for litigation expenses and perhaps a damaging award.

It doesn’t have to be this way. Although it’s impossible to eradicate the risk of data breaches, organizations with effective information security practices can mitigate the damage and reduce the likelihood of litigation.

For most organizations, that means adopting an ISO 27001-compliant ISMS (information security management system).

Types of litigation and how ISO 27001 can help

We’ve previously discussed three types of litigation that can harm organizations following a breach: the rights of private action, product liability, and negligence.

Consider a right of private action. Unlike many EU laws, U.S. laws are drafted to impact a small number of organizations. This is true of laws like the CCPA (California Consumer Privacy Act).

While all organizations can and will suffer a breach, a company certified to the ISO 27001 standard can usually avoid most of the consequences.

CCPA §1798.150 states that organizations can only be liable if a consumer’s non-encrypted data is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

An ISO 27001-certified organization has to consider the risks to certain types of data, and that risk assessment will likely weigh the possibility of encrypting that data. In addition, it will have adopted an international standard recognized around the world as the gold standard of information security.

This would certainly qualify as reasonable for all but the most critical of information. By taking the correct action, an organization can take itself outside of the law’s jurisdiction and avoid a lawsuit.

The Illinois BIPA (Biometric Information Privacy Act) is drafted with similar limitations.

To run afoul of BIPA §15, an organization must fail to develop a written policy that requires the owner of the biometric information to be informed that their biometric information is being collected and requires them to provide a written release. An ISO 27001-certified organization must understand the needs of interested parties, including the requirements of various laws.

An ISO 27001-certified organization must also list the laws that are part of its context. It has the duty to protect personally identifiable information, including biometric information, to comply with the relevant legislation, in this case the BIPA.

If the organization complies with §15, as required by its ISO 27001 certification, it cannot be subject to the right of private action.

Besides private actions, if an organization is subject to a cybersecurity breach, it might also be subject to litigation for negligence. There are four elements to negligence.

The second element is the failure to meet your duty. In the U.S., as stated in the CCPA section above, this usually means “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

Part of the ISO 27001 certification process is to inventory the risks to data and take appropriate action. If appropriate action is taken, a negligence action cannot proceed because one of the elements is missing.

The idea that ISO 27001 is a bar to actions based on negligence is supported by three laws. These “safe harbor” laws bar lawsuits if the breached organization has adopted one of the cybersecurity frameworks.

These laws exist in Ohio and Utah. The approved frameworks include the NIST Cybersecurity Framework, the FedRAMP Security Assessment Framework, and ISO/IEC 27001. To avoid a lawsuit and get a court to approve a motion to dismiss, the defendant organization must prove that it has adopted one of the approved frameworks.

For the NIST Cybersecurity Framework, this proof could be difficult and could result in extensive and expensive discovery. These problems do not exist with ISO 27001. An organization is either certified or it is not.

The irrefutable evidence would be a certificate. Once the certificate is accepted as genuine, the motion to dismiss must be entered because the organization has complied with the safe harbor, or the second element of negligence cannot be proved.

Finally, ISO 27001 certification avoids issues associated with breach notification. As pointed out earlier, these issues usually arise when organizations either are unaware of relevant laws or ignore them. The ISO 27001 certification process requires evidence of an incident response plan and a list of laws.

The plan should include a process to notify all interested parties. This could include not only the relevant attorney general but also the SEC (Securities and Exchange Commission), the Office for Civil Rights (OCR – HIPAA), and supervisory authorities for different countries, including the EU. Failure to notify the appropriate parties could potentially move the violation from negligence to intent, which would increase the fines.

There are no cases that I am aware of using ISO 27001 certification as a bar to lawsuits, so, as a lawyer, I cannot ground my argument on a judicial opinion.

However, using the Standard and the policies it requires should be sufficient to navigate around the potential of liability through litigation – a massive saving in a world where a breach is all but guaranteed.

Achieving ISO 27001 compliance

We understand that starting your ISO 27001 compliance journey from scratch can be daunting. It’s why IT Governance USA offers a range of solutions to help organizations.

Those seeking a quick, reliable way to certify to the Standard should take a look at our ISO 27001 FastTrack™ 500 service.

This consultancy package is designed to help organizations with 20–500 employees reach ISO 27001 certification readiness in just three months.

IT Governance USA also offers the service for organizations with 20 or fewer employees.

Both packages include all the consultancy support you need to help you implement an ISMS quickly and cost-effectively.

An experienced consultant will design, develop, and establish your ISMS, working with you to undertake all the key activities of setting up an ISMS.