Can My Business Be Held Liable for a Data Breach?
Scarcely a day goes by without a story of a data breach in the headlines. If your business handles sensitive customer information, you may wonder if your company can be held liable for a data breach.
The short answer is yes, your company can.
This is easy to understand if the data breach was directly caused by the actions of someone in your company, such as an email sent out with sensitive information, confidential files that were thrown out instead of shredded, or an employee who misused data. But there are other, less obvious, scenarios in which you could be open to liability. Here are two of them.
Data Breach of a Third-Party Vendor
In carrying out your business operations, you likely contract with a number of third-party service providers (“vendors”) who have access to or even store your customer data. These services may include software, cloud-based storage and file sharing, payment processing, accounting, and document storage. Delivery, cleaning, and maintenance personnel may have access to customer information that is not secured.
Depending on the regulatory requirements and privacy laws that apply to your company, you may be required to ensure that the vendors you work with are able to properly secure your customer data. Even where no law specifically mandates it, you can still be held responsible if you work with a vendor that does not meet applicable data security requirements or fails to maintain the confidentiality of your customer information.
That is why it is increasingly vital to perform due diligence on vendors. Your company should establish a vendor management program to ensure that all vendors who handle sensitive customer information have a data security policy and data breach response plan in place. Further steps may include requiring vendors to carry cyber liability insurance, and signing a data security contract that stipulates the confidentiality of customer data and company indemnification for unauthorized data disclosures.
Your Customer Data Is Hacked
In the event your customer data is stolen, your company may be held liable even though you are also a victim of criminal hacking.
Consumers are increasingly asking that companies be held responsible for securing the large amounts of personal data they collect and maintain. When they hand over personal information to your company, there is the expectation that you will take the appropriate steps to safeguard it.
Arguments for liability may include:
- Failure to adequately protect customer information
- Failure to notify affected individuals in a timely manner
- Failure to take appropriate action to correct the situation once it was discovered
- Failure to follow privacy and security policies
The U.S. Federal Trade Commission (FTC) can also get involved if an organization does not follow its own stated privacy and security policies, with a possible charge of unfair or deceptive trade practices.
WILL your company be held liable? That’s much more complicated.
Even though your company CAN be held liable for a data breach, whether or not you WILL is far less clear-cut. It depends on any number of factors, including the laws that regulate your industry and the data involved, your policies and efforts to protect data, your actions in notifying customers and mitigating the breach, and whether or not the exposed data was actually used for identity theft, resulting in damages. The court may have to decide if you were negligent in protecting data, or if your measures were reasonable but the hack occurred despite your best efforts.
Regulation of legal recourse for identity theft victims is currently left to the states. Attempts at the federal level to codify liability and penalties, most recently in the Personal Data Protection and Breach Accountability Act of 2014, have not yet been enacted.
Potential Consequences of a Data Breach
- Governmental auditing and penalties
- Legal action by customers (single plaintiff or class action lawsuits)
- Legal actions from financial institutions (for example, for the expense of replacing bank cards)
- Cost of providing affected customers with credit monitoring services
- Legal fees
- Costly customer notification and disclosure efforts
- Lost time and productivity dealing with the situation
- Loss of customer trust and goodwill
The Bottom Line
It may seem unfair that your company could be on the hook for a vendor’s mistake or a hacker’s theft. Ultimately, though, if customers give their information to you, they will look to you should something go wrong.
Records management should be part of your data protection toolkit. Contact Stacks Secure Records today to find out how we can help.