What Are the Legal Costs from a Spear Phishing Attack?
Adrien Gendre
December 23, 2015
Spear phishing carries the risk of legal liability. This increasingly dangerous and pervasive hacking technique penetrates your systems and data by using personalized, deceptive email messages. It’s estimated that 91% of hacking attacks start with phishing or spear phishing.
If the attack results in a data breach or other embarrassing disclosures, you are going to get sued. The question, of course, is how much the legal fallout will cost your business. This article tries to answer that subjective question by financially modeling a collection of lawsuits filed in response to a spear phishing attack. The figures shown here are estimates based on a number of assumptions. Actual costs will vary greatly with individual circumstances, but the model shows how high the legal bills for a successful spear phishing attack can be.
The Attack
To illustrate the legal costs of spear phishing, we will use the case of a hypothetical company that suffers the loss of 100,000 customer credit card records as well as a leak of executive email. The attack began when an employee received an email from a “colleague” who was not, in fact, a colleague. It was a hacker posing as a colleague, and the impersonation succeeded because the hacker knew about mutual friends and projects, information gathered by researching the target on social media. After establishing rapport with the target, the hacker claimed to have forgotten some internal system login credentials. The target shared the credentials, thinking that he was helping out a coworker. The hacker used these login credentials, and subsequent spear phishing attacks on others in the company, to access the credit card records and email systems.
Lawsuit #1: Class Action for “Invasion of Privacy”
The data breach suffered by Target Stores provides some benchmarks for costing out a class action lawsuit for invasion of privacy and related legal liability. Target got sued for many different “causes of action,” including financial losses from having personal information disclosed and unauthorized use of credit cards. The outcome of the case presents a sort of good news/bad news scenario for a company that suffers a breach. The good news is that not everyone was entitled to sue. Plaintiffs had to document that they suffered actual financial loss by showing unauthorized charges, time spent dealing with the charges, higher interest rates, credit report fees and so forth. These requirements culled the potential number of suits.
The bad news, though, is that it was a costly outing for Target. Target allegedly settled the class action suit for $10 million, paying $10,000 to each plaintiff who successfully sued. One reason the settlements were this high was the threat of “statutory damages.” Many states mandate a fixed penalty by law for invading someone’s privacy. Though it may not be legally sound to make this argument in every state, the threat is very potent. In California, for example, the statutory damage for invasion of privacy is $5,000 per incident.
In our hypothetical case, we will assume that 10% of record holders sue, creating a class action suit with 10,000 plaintiffs. If the company’s outside counsel has to spend 30 minutes processing each claim, that will result in legal fees of $1.75 million to handle the matter. This is just one way of estimating the legal fees in such a case, but the reality is that class action suits are very complex and time-consuming to defend. If 0.5% of plaintiffs can successfully sue and settle, with a settlement figure of $7,500 per plaintiff, that will cost the company $3.75 million. The total cost for the class action lawsuit will be $5.5 million.
Lawsuits #2 and #3: Former Employees and Defamation Suits
When email gets leaked, people tend to sue. As occurred in the Sony hack, former employees and other business partners sued for defamation and other causes of action. It’s difficult to estimate what such litigation will cost, but for the sake of argument, assume that there are 10 suits with merit. Each requires 200 hours of attorney time to litigate and each results in a settlement of $100,000. As the table shows, that will cost the company $700,000 in legal fees and $1 million in settlements.
The Need for “Reasonable and Adequate” Security Measures
In the Sony case, plaintiffs accused the company of not maintaining “reasonable and adequate” security measures to protect employees’ personal information. According to Variety, the suit also accused the studio of failing to maintain such basic security measures as access controls and password encryption. Having these kinds of controls and technologies in place enables defendants’ counsel to argue that the company met its obligation of “due care” in handling sensitive data. Asserting that a defendant exercised due care can mitigate the impact of the countervailing claim of negligence. In a related turn of events, the Target settlement involved the company agreeing to appoint a chief information security officer and to maintain a written information security program.
Proving “due care” is a subjective challenge for attorneys, but adding effective countermeasures for threats is always helpful. Any evidence that the defendant takes threats seriously and has tried to protect against them will help in court. In the case of spear phishing, protecting a business can be difficult, given that many existing email spam filters and anti-malware tools don’t catch a spear phishing email. Vade offers a unique solution.
Spending $1 on prevention today may well save your organization $1,000 or more in lawsuits, brand damage, and endless crisis control tomorrow.
Give us a call at 415-745-3630 or contact us if you want to discuss how you can quickly add anti-phishing measures to your current email setup.