With the emergence of new technologies, the business landscape is rapidly changing. Executives are excited about technology and innovation. Unfortunately, progress has given rise to similarly emergent risks, including cyberattacks and data breaches.
Merriam-Webster defines “cyberattack” as “an attempt to gain illegal access to a computer or computer system for the purpose of causing damage or harm.” Data breaches may arise from cyberattacks or from inadequate data security. Companies and their management teams should have a plan, both defensively, to guard against cybercriminals and data breaches, and offensively, with a contingency plan for response in the event of an incident.
Cyberattacks and data breaches are costly. A global study by IBM examining data breaches occurring in over 500 organizations between March 2023 and February 2024 concluded that the cost of a data breach in this sample set was an average of $179 per customer record or $4.88 million total. This includes costs associated with detection, investigation, containment and remediation, as well as post-breach consequences to those affected organizations.

Not only is preemptive planning good business, it’s often a requirement. Many statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), require that businesses adopt formal incident response plans. Individual states have increasingly passed data security laws setting standards that effectively mandate cybersecurity and cyber incident response planning.
While Michigan does not currently have a comprehensive state-wide privacy law, in August 2025 the Michigan Senate approved Senate Bills 360-364, which would make changes to Michigan’s Identity Theft Protection Act (PA 452 of 2004). These bills would require companies that store, collect or access personal information to implement stronger security measures and require greater investigation and notification obligations than those under current law. The bills will now move to the Michigan House of Representatives for consideration.
Organizations should start now to mitigate their cyber risk by implementing a Written Information Security Program (WISP). A WISP should specify elements of the entity’s overall data security plan, which should include identifying, tracking and managing potential risks; implementing detailed policies and procedures for information security; maintaining a cyber incident response plan; and specifying internal controls, as well as administrative security measures. Your WISP should also include a comprehensive cyber incident response plan.

Organizations should tailor such plans to meet their unique needs. An effective plan should include a designated response team comprised of qualified individuals from within the organization or outside advisors. Appointing a standing response team avoids having to figure out duties and responsibilities during a high-stakes emergency and gives the team an opportunity to plan for incidents in advance. While the team may be comprised of managers from the organization, it is beneficial to include legal counsel to ensure that any incident investigation is subject to the attorney-client privilege.
As soon as a business discovers a possible data breach or cyber incident, it should immediately convene the incident response team. The team should work to identify the cause of the incident, investigate and contain the issue. During the process, the team must collect data and preserve forensic evidence that may be relevant to the event. It may be necessary to shut down certain systems or even limit operations to mitigate the effects of the incident.
With effective plans and policies in place, businesses will find themselves better prepared for potential cyber incidents, should they arise. A comprehensive WISP and qualified response team will allow businesses to navigate any potential data protection and cybersecurity landmines.
Website: plunkettcooney.com
Author: Glenn C. Ross, Partner
38505 Woodward Ave., Suite 100
Bloomfield Hills, MI 48304
T: (248) 433-2312
F: (248) 901-4040
gross@plunkettcooney.com










