Is Your Business Liable for a Data Security Breach?

Data security breaches are more common than ever in the business world. As we continue moving into a digital world, companies are becoming increasingly vulnerable to breaches that compromise confidential company and personal data.

In 2016, Yahoo disclosed a cyber attack that compromised 32 million accounts. The company has disclosed two other breaches since its initial announcement.

If a major telecom company is at risk – and has been impacted by – a serious data breach, no company is immune to an attack. For every hack that targets a major corporation, there’s another hack that targets a small business.

Symantec’s 2016 Internet Security Threat Report indicates that 43% of data breach attacks in 2015 affected small businesses.

As a result of the breach, Yahoo now faces public scrutiny and class action lawsuits for gross negligence. News of the breeches came as the company was still reeling from reports that intelligence law permitted Yahoo’s email scan by the government.

But what would happen if your business experienced a data security breach? Would you be held liable for damages?

The answer isn’t as black and white as businesses may have hoped. While there are federal laws that govern this issue, these laws are overseen by various agencies with conflicting authority.

FTC Enforcement

The FTC has used Section 5 of the Federal Trade Commission (FTC) Act to hold companies liable for data breaches. Section 5 indicates that businesses have a duty to take reasonable measures to protect the consumer information they hold.

In 2015, LifeLock received a $100,000,000 penalty for failing to properly protect its consumers’ personal data.

The FTC recently assessed penalties on LabMD Inc. for failing to implement basic security measures, such as: management of vulnerability, intrusion detection, password adequacy policy, and monitoring of file integrity.

Liability under the FTC Act has now reached $40,000 per offense, up from $16,000 per offense in recent years.

SEC Enforcement

Along with the FTC, the Securities and Exchange Commission (SEC) has the authority to enforce actions in certain situations. In 2016, the SEC agreed to a $1 million settlement from Morgan Stanley. The SEC had determined that the company neglected to adopt reasonable procedures and policies to protect consumer information.

In the Morgan Stanley case, the employee responsible for the breach was ordered to pay $600,000 in restitution.

Negligence Claims

Depending on the circumstances, data breaches may fall under negligence claims. If a consumer can prove the company was negligent in protecting personal data, the company may be held liable for damages.

In order to prove negligence, the plaintiff must prove: there was a duty to protect personal information, that duty was breached, the plaintiff was harmed, and the breach was the cause of the harm.

If your business is the focus of an attack and sensitive customer data is compromised, consumers may file a negligence claim to recover damages. The massive Target data breach in 2013 led to consumers filing negligence claims.

No matter how big or small your operations are, it’s important to take every possible step to protect your company from data breaches. A serious attack may tarnish your reputation and hold your company responsible for damages.