By now you likely understand a data breach is a matter of “when” not “if” for your organization.

Hopefully, you are working to build a culture of cybersecurity within your business and tightening up your security measures themselves. But when something does eventually happen, how do you avoid complicating the situation, legally speaking?

This week on CYBER24, we sit down with Utah Deputy Attorney General David Sonnenreich, to get his perspective on how a business should respond to a cyber breach.

“I like to think all of my work is done on behalf of the consumer,” says Sonnenreich. “The data breach work we do, that’s about protecting the consumers - protecting them from the possibility of identity theft.”

And there is an important distinction between a data breach and a fraud. A data breach just means some of your information has been exposed to someone who shouldn’t have it, whereas fraud occurs when someone tries to utilize that information to create a false identity about you - like when they try to open a line of credit in your name.

Businesses should also keep in mind that when someone has stolen their data - it is that person, not the business, that has committed a crime. At least if the business has done a reasonable job of protecting that data. It’s how a business reacts to the incident that will determine whether or not they are helping solve the crime, or become entangled in the illegal behavior.

In Episode 10 of CYBER24, Sonnenreich walks us through how the Attorney General’s Office looks at how businesses respond to a cyber incident and gives some important insight any business leader will want to know.