Data breaches are everywhere.
Go to your favorite news site, tune in to the national news on TV, or simply Google it – you’ll find thousands of results breaking down breaches caused by phishing attacks, employee negligence, or a host of other attack methods. Attacks are happening with greater frequency and increasing complexity, raising more questions than can be answered.
One of the main questions that business owners should ask is this: “Am I liable for a data breach that happens within my business, even if it’s not directly the fault of my business?”
The short and simple answer is probably, though regulations vary from state to state.
Your clients, customers, and users expect your business to protect the data they have entrusted to you, whether that is as basic as names and addresses or as personal as Social Security numbers and banking information. Even if a vendor you hire is at fault, your business is the company of record. Remember, the Target breach of 2013 came about because an attacker stole credentials from a third-party vendor. Nobody remembers the name of the vendor, and the fines were levied against Target for the breach. More recently, Capital One fell victim to a breach by a former employee of a third-party vendor.
How can I protect my business before a breach happens?
As a business, failing to test your systems for security flaws, whether through security assessments or by having a security professional attempt to break into your network to find vulnerabilities, leaves your ‘Open’ sign lit all day and night for cyber criminals who are after your most precious resource – your data. Something as simple as reusing the same password across multiple accounts can lead to the loss of a wealth of data and an embarrassing, expensive recovery process.
While there may not be automatic liability for your business if a breach occurs, there are several grounds on which a claim can be brought against your company if you become the subject of a data breach lawsuit.
First and foremost is negligence. Put simply: what would a reasonable person or company have done to lessen the chance of a data breach? Did your business take steps to close known holes or vulnerabilities? Is your company aligned with industry best practices? If your company is found to have been grossly under-prepared for a breach, some of the financial responsibility will be pinned on you.
Another avenue for finding fault with your company is your breach response. Did your company do enough to stop the breach once it was found? Did you promptly notify affected parties? Did you immediately begin an investigation to identify and carry out remediation steps?
Businesses can face backlash from government agencies, heavy fines, and legal action following a breach.
For businesses that collect and store data, operating on the assumption that someone is always trying to hack your systems will help you maintain an edge against cyber attacks. There is no way to be totally immune to a cyber attack, but having a solid cyber security plan and incident response guidelines in place can help reduce the impact on your business.
The role of third-party vendors
Many businesses employ third-party vendors to perform services, which increases breach risk because the outsiders’ security policies and practices are an unknown element. It is often a business norm for a third-party vendor to support core business functions and to have access to your data and internal systems. While it may be the norm, it is still inherently unsafe: 63% of all data breaches can be linked to third-party access. Using a third-party vendor may be critical to your business operations, but doing so without vetting their security posture can lead your business down a troubled path.
What steps can you take to protect your business?
A security assessment can give you peace of mind about your business’s own security posture, and making a regular assessment a required part of every vendor contract you have in place will help secure your operations from the ground up. In many instances, a security assessment should be part of your vetting process when selecting a vendor to work with your business. When it comes to cyber security, there is no such thing as being too cautious.
Archetype SC’s SRVA is a great starting point to determine your current security posture, find vulnerabilities, and create a remediation plan to protect your business. Additional steps, including employee training and security process updates, can help lessen the likelihood of a successful attack by teaching your staff what to look out for and the proper steps to take if they recognize a cyber attack.