On behalf of Sayer Regan & Thayer of Sayer Regan & Thayer, LLP posted on Thursday, October 21, 2020.
In our connected world, cyberattacks are inevitable. Cybersecurity Ventures estimates cybercrime’s global cost will reach $6 trillion by 2021. Now more than ever, businesses of all sizes must be vigilant about protecting data and responding to threats. If your business is hacked, what’s your cybersecurity liability?
While there are no uniform federal laws on business cybersecurity, state rules vary on how to handle breach notifications and on the remediation measures that must be taken. Federal circuit courts remain split as to what constitutes sufficient standing to sue in a cyber breach case. Some courts say companies are liable for damages if client or employee data has been stolen, even if the theft doesn’t cause harm; it is enough simply to allege that the information was compromised. This broad interpretation only serves to further boost the risk of cyber liability claims.
Taking Preventive Action
If someone sues your business due to a data breach, your case would be made stronger if you could show you took reasonable measures to prevent an attack or theft. Setting up systems now to help in prevention is a key part of managing your cybersecurity risk. Here are some tips to get you started.
- Do an assessment: What are your cybercrime defenses, if any? Are there gaps in your data security procedures? Are there controls in place? How do you document incidents when they occur? What is your response plan when that happens?
- Implement best practices: Use encryption where appropriate to protect your sensitive data, including data on mobile devices, laptops and desktops. Failure to do so will threaten your data and reputation. Train your employees to recognize threats and take steps to safeguard equipment. Create and practice your response plan for a variety of situations that may arise, such as a hack, ransomware attack, or ID theft. Back up all data so you can still access it in the event it is lost or stolen.
- Get an outsider’s perspective: Learn your business’ vulnerabilities by hiring an expert for penetration testing. They can educate you about solutions to put in place to protect your business, such as implementing regular drills that test your response to attack scenarios.
- Retain legal counsel specializing in cybersecurity: Hire an attorney or retain a law firm that offers expertise in cybersecurity. They can create an incident-response plan that encompasses all data-security issues that could happen as well as details on how to respond to them.
A WISP is Essential
Cybersecurity expert Konrad Martin, CEO of Tech Advisors, Inc., encourages all businesses to invest in a WISP. “A written Information Security Program, or WISP, is the document in which an organization spells out the administrative, technical and physical safeguards by which it protects the privacy of the personally identifiable information it stores.”
“For the business whose security is breached, when regulators or prosecutors come to investigate, the worst possible posture is to not have a WISP in place. No matter how large or small your company is, you need to have a plan to ensure the security of your information assets,” says Martin.
A WISP provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning for how you will keep the program and your security practices up to date.
- Product information, including designs, plans, patent applications, source code, and drawings
- Financial information, including market assessments and your company’s own financial records
- Customer information, including confidential information you hold on behalf of customers or clients
“Having a WISP means that you’ve taken steps to mitigate the risk of losing data, and that you have a defined plan for managing the security of information and technology within your organization,” advises Martin.
Cyberattacks are the fastest-growing crime in this country and are ever-increasing in size, sophistication and cost. Cybercrime costs include:
- Destruction and damage of data
- Reputational harm
- Lost productivity
- Intellectual property theft
- Personal and financial data theft
- Stolen money
- Forensic investigation
- Restoration and deletion of hacked data and systems
- Post-attack disruption to normal course of business
Having a plan in place when it comes to cybersecurity liability and reporting requirements for your industry is a wise idea in today’s world.
These materials have been prepared by SRT for informational purposes only and are not intended and should not be construed as legal advice.