Data Breach Liability – Who is Responsible?
Data breaches are a growing concern for businesses of all sizes. More and more data breaches occur every year. From the start of 2021 until September 30, the number of data breaches had already surpassed the total for 2020 by 17%. While hackers commonly target financial services, healthcare, government, and professional services, businesses of all sizes can fall prey to these attacks.
The fallout from a data breach can be widespread, but it generally includes at least the following legal considerations:
- Notification: A company that has been the subject of a data breach is required to notify all impacted individuals as soon as possible. The State’s Attorney General, the Federal Trade Commission, the Securities and Exchange Commission, the Federal Communications Commission, and the Consumer Financial Protection Bureau must all be notified in the US. For countries subject to GDPR, the Information Commissioner’s Office (ICO) must be notified within 72 hours of discovery.
- Response: There are many aspects to a data breach response. But from a legal perspective, your company will want to contact experienced legal counsel as soon as possible. An investigation should also commence as soon as possible.
- Penalties: Data security negligence can result in fines or penalties for each regional jurisdiction.
- Litigation: If the company has failed to provide timely notice, implement reasonable security, or respond to the breach adequately, it may be subject to a number of lawsuits.
The legal ramifications of a data breach can be daunting, leading many companies to question where responsibility lies when a breach occurs. In the past, this was an easy question to answer. It was the company’s responsibility to protect the data. But in the age of cloud computing, the lines of responsibility are questioned. And depending upon where you do business, the answer may vary.
US Data Breach Responsibilities
Under US laws, the data owner would be liable for any losses resulting from a data breach, even if the security failures are attributable to the data holder or cloud provider. This is because many vendor contracts exclude consequential damages and cap direct damages. Further, claims against the vendor are generally barred by a standard provision disclaiming all liability for consequential damages.
The only exception to this is with medical information. HIPAA puts direct liability on the data holder. If data subject to HIPAA protections is breached, the data owner is required to disclose the breach and send notice to the victims. However, the data holder would still have liability in this setting.
And while this seems straightforward, the level of liability may change. State and federal privacy laws often only impose liability under the following conditions:
- The company failed to implement reasonable security measures or safeguards required by statute.
- The company failed to mitigate and provide recourse once the breach had occurred.
- The company failed to notify individuals in a timely manner consistent with the state’s data breach requirements.
However, if those conditions exist, the scope of liability can be overwhelming and may include:
- Lawsuits, including individual, class action, customer, and shareholder lawsuits.
- Government penalties and fines.
- Disaster recovery and response efforts and audit expenses.
- Digital investigation.
- Identity theft protection for impacted individuals.
Since the initial response and disaster recovery efforts are a large part of legal liability when a breach occurs, it is crucial that everything is handled properly once the breach is detected.
Strategies to Mitigate a Data Breach
Making mistakes during your disaster recovery response is one way to ensure that legal ramifications follow. However, there are strategies to protect your company and reduce the chance that liability attaches. These strategies include:
- Maintain a disaster recovery plan so employees know what to do after a breach is detected.
- Write a press release draft and have it ready to notify customers in the event of a breach.
- Consider purchasing cyber liability insurance.
- Retain a lawyer that can review contracts and address legal technicalities.
- Accept responsibility when a breach has occurred.
- Ensure coordination of all disaster recovery efforts.
It goes without saying that the best way to address a breach is to prevent it, if possible. Working with a managed IT service provider can help you identify vulnerabilities in your digital security measures and enhance your current security strategies. These knowledgeable professionals can also help you develop and implement a disaster recovery plan that can minimize the impact after a breach has occurred. To learn more about legal liability and data breach disaster recovery, contact Sagacent Technologies today.
Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning, and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.