NetworkTigers discusses the legal consequences if your business is hacked.
With companies and organizations amassing so much customer, patient and partner data, keeping it under lock and key following the law has become critically important. No brand wants to face public backlash resulting from lackluster cybersecurity. Still, billion-dollar corporations can usually weather the storm, as maintaining armies of lawyers and PR representatives is simply the cost of doing business at that scale.
Combined with the general population’s apparent lack of concern about cybersecurity, many large companies can sustain an attack and assume that most of their customer base will be unconcerned.
However, small businesses are a different matter. When every paying client counts and your business stays afloat by covering costs every week, a security breach or hack can spell doom. 60% of small businesses never recover from a cyberattack and close their doors permanently within six months of the incident.
This leads many business owners to wonder: where does the law stand when it comes to my business being hacked? To what degree is my company liable for damages experienced by people whose information was accessed through an intrusion?
The answer to "Is the law on your side if your business is hacked?" is complicated.
Can your business be sued if it’s hacked?
The short answer is yes; your business can be found liable after a hack, as companies must safeguard customer information. Lapses in that duty open them up to hundreds of thousands of dollars in expenses, enough to kill many small enterprises.
In spite of their size and resources, even giant companies are feeling the pinch of lax security. Major class action lawsuits are becoming more common and more costly. T-Mobile’s recent payout to victims of a breach was $350 million, which is still only half of the $700 million that Equifax had to pay for damages resulting from an incident in 2019.
Generalizations concerning the law can’t be made responsibly, as data protection regulations vary widely between states and industries. However, the following instances of negligence are commonly on the books:
- Failure to properly monitor for existing data intrusions
- Failure to ensure that third-party vendors adhere to reasonable security measures
- Failure to properly train employees in safely handling and managing personally identifiable information (PII) and personal health information (PHI)
- Improperly maintained email security
- Failure to ensure that PHI can only be accessed by those authorized
- Failure to maintain records of security activity for tracking and reporting
In the event of a breach, some states require that affected customers be notified within a specific time. The details regarding breach notices are also subject to each state’s requirements, making compliance incredibly challenging for companies that do business on a national scale.
The government has realized that some hacks and breaches have national security ramifications. At a federal level, public companies must also report cybersecurity events to the Securities and Exchange Commission (SEC). Changes to these previously voluntary reporting rules have been made to keep pace with the recent uptick in ransomware attacks.
Whether or not the law is on your business’s “side” depends wholly on your compliance with regulations and on whether your company has maintained good-faith efforts to limit its risk of a successful attack.
The real costs of a cyberattack
When it comes to the aftermath of a cyberattack, most people think of immediate reputational damage as a catastrophic blow. While it can be severe, today’s fast-paced world means that people are quick to forget past transgressions as news media bombards audiences with fresh catastrophes daily, many of which are perceived as more urgent than a cybersecurity event.
After a hack, it’s in a company’s best interest to investigate it to the fullest extent to determine what data was accessed, who is responsible for the intrusion and how it happened. Much of this must follow regulations to avoid fines and legal liability. This is followed by costs incurred by system recovery efforts and any downtime in which business operations were slowed or stopped. In the event of a ransomware attack, any money paid to the criminals can be counted as an additional expense.
These costs can already add up to a significant sum before the risk of lawsuits is considered.
How to comply with cybersecurity laws
From a legal standpoint, protecting your business requires complete compliance with all state and federal laws. Practicing due diligence in keeping up to speed on changing rules or mandates is integral to maintaining a track record of responsible accountability.
Cybersecurity insurance is a must for any business that stores or manages payment information, PII or customer contact data. This protection can help cover customer notification costs, incident investigation and lost revenue.
Depending on the type of cybersecurity insurance purchased, it can also lessen the impact of legal and court fees, settlements, and fines in response to non-compliance.
Prevent an attack
- Mandate that all employees adhere to good password hygiene.
- Train workers to recognize and properly report suspicious correspondence that may harbor malware or phishing scams.
- Keep your software and firmware automatically updated to ensure that you are operating with the latest protections.
- Update old, unsupported hardware. You can do so economically by purchasing refurbished equipment from a trusted dealer.
- Use a VPN.
- Use multi-factor authentication.
- Protect all network endpoints and institute zero-trust security.