Data Breach Laws: What Are You Liable For?

It’s no secret that a data breach is a big deal. But are you prepared for just how expensive it can be?

In July of 2019, Capital One suffered a breach that affected about 106 million customers. It’s estimated that this incident cost the company more than $300 million to resolve!

Sure, your business might not be big enough to suffer losses of this magnitude, but it’s still important for you to understand data breach laws. Failure to do so can have catastrophic results for your business.

Recent studies show that a data breach is likely to cost a small business close to $200,000. Even worse, more than half of all small businesses suffered a data breach in the past year!

If these statistics don’t make you nervous, stop and read them again!

While you should be concerned, there’s no reason to panic. There are some things you can do to protect yourself and your business.

The first step is to learn about the most important laws regarding your company’s liability following a cybersecurity attack. Start by looking at these five critical facts.

1. There Are Currently No Federal Data Breach Laws

Although there is speculation that it will happen eventually, there are currently no federal laws regulating data breach protocol.

The Data Security and Breach Notification Act was proposed during the Obama administration. While it failed to pass, it’s highly likely that similar legislation will come up again.

In the meantime, data breaches are governed by state laws.

2. Every State Has Data Breach Laws

All 50 states and the District of Columbia, Guam, Puerto Rico and the Virgin Islands currently have data breach laws on the books. While each state law is slightly different, the basic standards are essentially the same.

Each state requires data owners to report a data breach to the victims and, sometimes, to regulatory agencies. In addition, many states passed enhancements to their laws last year, which went into effect in January of 2020.

3. Data Owners are Legally Responsible for a Breach

A “data breach” occurs when an unauthorized party gains access to a customer’s personally identifying information (PII). This occurs when a person’s name is accessed in addition to one or more of the following:

  • Social Security number
  • Driver’s license or state ID number
  • Debit card, credit card, or financial account number, together with the password, security code, or access code required to access the account

It’s critical for business owners to understand that by law, it’s the “owner” of the data (the business) who is liable for a breach, not the “data holder” (the cloud provider). This applies to all cases except when the data is covered under HIPAA regulations, which carry additional regulatory requirements.

4. Specific Actions Create Liability

Data breach liability laws don’t allow victims carte blanche to file civil lawsuits just because a cyber breach occurred. In general, liability exists if one or more of the following occurred:

  • There was a failure to implement required safeguards or reasonable security measures
  • Once the breach occurred, the entity failed to take measures to mitigate or remedy the damage
  • The affected individuals weren’t notified in a timely manner (per each state’s specific laws)

In most cases, negligence must be proven before liability is established. For this reason, having a solid data breach response plan in place is one of the best things a company can do to protect itself.

5. Potential Costs and Liabilities Vary

Depending on the nature of the breach, the costs and liabilities associated with the incident can vary. Some penalties data owners may face include:

  • Individual and class action lawsuits – this may include civil monetary compensation for the victim’s losses, reimbursement for the victim’s out-of-pocket expenses related to recovering from the breach, reimbursement of legal expenses and, in some cases, compensation for emotional distress. Note that these suits can be brought by individuals and shareholders.
  • Government investigations – this may result in the imposition of fines and penalties
  • Additional requirements – this may include audits, mandatory use of third-party response teams, implementation of new or enhanced identity protection policies and procedures and more
  • Increase in liability insurance costs – general liability coverage includes accidents, injuries, property damage and slander.
  • Collateral damage – this may include damage to your business’s reputation, loss of customers and revenue, and expenses related to the replacement of management.

The nature of the breach can also impact how much liability a company faces. Some of the most important considerations include:

  • Extent of damage – how many people were affected, the type of data that was compromised, how long the breach went on and how much damage the victims suffered.
  • Intention – whether the breach resulted from negligence or was unintentional
  • Mitigation – what the data owner did to mitigate the damage
  • Previous preventative measures – what (if anything) the company did previously to minimize the chances of a breach
  • Past infringements – if there was a pattern of previous negligence, this will negatively impact the company’s assumed liability

Other considerations include how cooperative the company is with authorities following the breach, how quickly victims were notified and whether the company had followed the policies and procedures it had in place.

Protect Your Business from Data Breach Liability

Now that you understand data breach laws, it should be clear that this is a threat you can’t afford to ignore. In addition to having rules, regulations, policies and procedures in place to avoid a potential breach, every business owner also needs a cyber liability insurance policy.

Failing to plan ahead for this potentially catastrophic threat can have serious consequences and could even put your company out of business. Don’t let this happen to you. Contact us today to discuss your specific needs and request a quote.