It’s been several years since the problems of data breaches screamed their way into the headlines with the attacks on Target and Equifax. Since then, you might not have heard of any other large, recent breaches. However, if you thought the problem had subsided, you were being deceived.
A report from the beginning of 2022 noted that data breaches have only become more common since the first large attacks made their way into the public consciousness. In fact, as Forbes noted, risk analysts rank data breaches as the number one risk to businesses. That placed breaches ahead of business interruptions and natural catastrophes. There has never been a greater need to understand how you can protect your business from any potential liability.
Cybersecurity is for everyone
One of the more worrisome remarks in the Forbes report was that hackers had increasingly started to target small and medium-sized businesses. Additionally, the report showed how hackers launched attacks against businesses across all industries. While you might expect attacks against the government, military, research and banking sectors, they weren’t the only industries at risk. Indeed, the finance and banking industry only ranked ninth.
Forbes ranked the frequency of cyber attacks against 16 different industries, and the results may surprise you:
Communications ranked 3rd
Healthcare ranked 5th
Leisure and hospitality ranked 11th
Consultants ranked 12th
Retail and wholesale only ranked 14th
Transportation ranked just below retail at 15th
Hardware vendors ranked 16th
Taken alongside the new internet privacy laws that affect anyone doing business in California, these statistics show that cybersecurity is becoming an increasingly complex and vital part of good business. Yet the truth is that few businesses are equipped to care for their own cybersecurity. Most need to work with third-party vendors to address their cybersecurity needs.
Liability in the wake of a breach
The first thing to do is to make sure you’re making good faith efforts to secure your data. Whether your business handles its cybersecurity internally or works with a vendor, you need to stay up to date.
Since Forbes claims the average cost of a data breach is somewhere around $8.2 million, it’s likely that someone’s going to want reparations. However, while you have a duty to protect your customers, it’s not always clear who might be liable in the event of a breach. After all, you may be the customer of a third-party security vendor. That vendor is supposed to protect your company from the damages associated with a breach. If the vendor’s work is the problem, should they bear the liability?
A professor from UNLV Boyd Law explored the issue of liability for cybersecurity breaches back in 2019. His report focused on shareholders’ claims for damages, but it illustrates some of the broader issues in determining liability. As he notes, shareholders have become more inclined to pursue litigation when data breaches hurt their bottom line. The good news for businesses is that these pursuits face a couple of significant barriers:
Plaintiffs must overcome procedural hurdles such as first asking the board to take action and then showing that they have standing to file their claims.
Plaintiffs must then prove the business had a duty to maintain oversight. However, the Boyd Law report notes that this can be an exceedingly difficult claim to win. Plaintiffs must generally show that the board acted in bad faith, not just that they made a mistake. A Delaware court ruling clarified that the company must have “utterly failed” to implement any controls, or it must have “consciously failed” to respond to those controls. The law will vary from state to state, but breaches do not immediately trigger failures in oversight.
Even if your business won’t necessarily face oversight liability after an attack, you want to do far more than meet the lowest standards. As attacks become more common, it’s important to understand the risks you face.
Data breaches do not all look alike
In May 2020, the CTO of a software security firm shared an opinion piece with Forbes in which he outlined the difficulties of assigning liability for data breaches. He suggested that a company might do everything in its power to keep its data secure, but hackers could still exploit the hardware or software. They could evade the cybersecurity tools the company purchased.
Who would be the party at fault?
The business that did everything in its power to prevent a breach and safeguard its clients’ data?
The hardware vendor?
The software developer?
The third-party vendor that developed or managed the cybersecurity tools?
The CTO used a construction analogy to illustrate how different data breaches might happen. In one case, the builders do everything right. They hire competent professionals, buy quality goods and build according to code. In another case, the builders buy cheap materials, don’t vet their team correctly and ignore the code. When both buildings fall, do both builders share the same liability?
Protect yourself with good contracts and due diligence
As in construction law, your contracts can go a long way toward shaping your liability in the event of a breach. Anyone involved in the lifecycle of your clients’ data could prove to be the weak link. You want to make sure your contracts fully protect you and allocate risk appropriately. Your insurance company will also want to make sure you insulate it from problems caused by your vendors or security providers.
Even if you find yourself hacked before you can retool your contracts, you may be able to defend yourself from unwarranted liability. You can keep complete records of the actions you take to defend your data and use those records to show you’ve performed your due diligence. You have a duty to defend your clients, but the law generally doesn’t expect you to take unreasonably cumbersome actions.
The truth is that your presence online reaches out in many directions. That’s why we sometimes refer to the internet as the “interwebs.” Data breaches may shake your whole web, but it’s often a complicated matter to show who wove the weak thread. Often, the best you can do is prepare yourself ahead of time and work with a strong, knowledgeable team if you find yourself trapped by a new web of litigation.