We've seen a number of cybersecurity-related lawsuits filed here in Arkansas lately. We can judge these however we wish - opportunistic law firms or genuine damage to an individual. No matter how you judge it, the lawsuits are there and negatively affecting the businesses.

I'm sure Chase Bank isn't being truly hurt by the lawsuit, but Arkansas Heart Hospital doesn't have near as deep of pockets.

The complaint against Chase Bank looks the most interesting, though, as it calls out the bank for not doing enough to prevent a semi-targeted scam against a customer.

The Heart Hospital complaints appear to stem from a vendor breach, although they do not state the specific vendor in their announcement. The breach occurred this year, so victims and law firms are wasting no time in bringing suits. Numerous class action research webpages also turned up after a quick web search. It also appears to be a bit more of an opportunistic tort.

No matter the merit of the cases, all of these lawsuits are just more "insult to injury" type consequences of a data breach. As with HIPAA compliance, you typically don't hear of any enforcement actions until after a breach. Once that breach occurs, though, everyone seems to line up for their piece of the recompense pie.

So what's the moral of this story? Focus on risk management. You can have all the compliance check marks in the world and still miss key things that could have prevented that breach. Also, focus on the full spectrum of cybersecurity, not just protective controls. If you also have robust detective controls, you may be able to prevent an incident from becoming a breach. Response and recovery controls can help there as well.

We are always here to help if you need help getting past the compliance plateau and moving on to greener risk management pastures.