Best Way to Avoid Data Breach Liability? Be Prepared

Imagine the worst-case scenario happens and your business experiences a serious data breach. Let’s say after upgrading your company’s computers, you failed to destroy some obsolete hard drives properly, and a malicious outsider recovered the data from those drives and used it to steal sensitive information. Not only would your own financial data be exposed, but private or financial data belonging to your employees and clients could be involved too.

In the aftermath of a data breach, your business would have to answer some tough questions—including “What’s our liability here?” That answer could help determine how expensive the ordeal could end up being for your business.

Data Breach Liability: Who’s Responsible for What? 

Legal liability can become critically important after a data breach. In addition to paying penalties and paying for credit monitoring services for affected individuals, your business could be on the hook for damages. 

(Image caption: Stacks of old laptops like these might create a data breach risk.)

There’s precedent for both customers and employees to sue businesses for exposing their data. There have been high-profile lawsuits involving major corporations like T-Mobile and Home Depot being required to compensate customers for breaches, but smaller businesses aren’t immune. Here in Massachusetts, a small law firm and a business that does background checks are just two of the companies that have been sued over data breaches in the last year or so alone. So, small businesses in all industries need to be aware of liability risks around data security.

(Caveat: I’m not a lawyer. Your attorney is the best source of advice about specific questions related to your liability for a hypothetical or real data breach. These kinds of cases can get very complicated, and the facts of each case are unique. The question of who’s financially liable for a breach may even be something that has to be decided in court.)

Factors that may affect your liability after a data breach include:

  • Whether the breach happens “in the cloud” or not. Again, the specifics of every data breach lawsuit are unique, but one key factor in determining liability is where the data exposure happened. If a cybercriminal accesses your data from some cloud-based software that your business uses, through no fault of yours, the software company could be liable. But if an employee falls for a phishing email and shares their login information with someone who uses it to access the cloud-based service, the liability will likely be yours. You’ll also be liable if data is accessed from your hard drives, paper files, internal network or any other source within your business’s control.
  • Whether your business is covered by any federally mandated data privacy laws. Entities that handle patient data are subject to stringent HIPAA regulations, while entities that have access to certain kinds of financial data are subject to FACTA and the Gramm-Leach-Bliley Act. These regulations have their own standards for determining liability around data protection.  

Factors that may not affect your liability include: 

  • Data breach notification laws. The data breach laws that exist in most states primarily address notification requirements in the aftermath of a breach rather than legal liability. 
  • The kind of insurance coverage you have. Some businesses elect to protect themselves with data breach insurance and/or cyber liability insurance. Policies vary, but data breach insurance typically covers your costs related to a breach (customer notifications, investigation fees, legal fees, etc.), while cyber liability insurance may cover lawsuits and other payments to affected individuals. Though these kinds of insurance policies can mitigate the financial burden of a breach, they don’t negate the policyholder’s liability.
  • Intent. Going back to the opening example, let’s say your data is stolen from physical materials like an obsolete hard drive or box of files. That could happen because an employee accidentally left a door unlocked that allowed someone to come into your business after hours or because you chose not to pay for shredding services and disposed of your materials in a public dumpster. Whether business leaders made a conscious decision that exposed data or it happened because of human error is unlikely to affect liability. Ultimately the buck stops with you. Understanding how a breach happened is important in terms of strengthening your data security protocols and preventing future occurrences, but those details aren’t necessarily relevant to the question of whether you’re liable for damages.

Liability and Your Shredding Service

What if your business does everything right to safeguard its data, including passing its hard drives and files to a shredding company for secure destruction, but there’s a security breach at the shredding company that exposes the business’s data? There’s no clear-cut answer as to which way a court would rule on liability in that instance; the specific facts of the case would be important. 

Data destruction services may carry their own insurance policies with liability coverage, and customers should feel comfortable asking questions about what those policies would cover in the event of a breach. But the safest strategy is to assume that your business will be liable for whatever happens to its data even after your hard drives and other materials leave your possession. Keep those high stakes in mind when choosing a data destruction service. Don’t trust your sensitive materials to a shredding service that maintains anything less than the strictest security standards. 

Northeast Data Destruction is a NAID AAA-certified data destruction provider, and we help our customers protect themselves from the expensive, reputation-threatening consequences of data breaches. Ask your legal advisors for guidance about your business’s specific liability risks. Then ask me your questions about how data destruction services can help you keep your data safe so your business can avoid legal liability issues in the first place. Contact me today!