Article by WHSR Guest
This article was written by a guest contributor. The author's views below are entirely his or her own and may not reflect the views of WHSR.
Crime against businesses, services and retailers doesn’t usually involve physical businesses as much as it used to. Instead, what we find is a rise in cybercrime from both “freelancers” and hacking syndicates. They want sensitive user information to sell to identity thieves (or use themselves).
Yet, what about the legal consequences to businesses that fall victim to these attacks? Do they have a responsibility to protect information? And what is the extent of that responsibility?
The short answer, it depends. In most modern societies, there are very few cut and dried situations when it comes to liability. There are degrees of reasonability, culpability and matters of scale to consider. Given that websites can deal with millions of users and a great deal of money on a regular basis, and hence millions of pieces of potentially private information, a clear answer is impossible.
As a note, much of what has occurred has applied mostly to large corporations, but if you run a small business (web-based or otherwise), most of the same laws would apply should your website get hit with a breach.
Let’s look at a few previous cases and breaches to better determine your risk:
Consider, hypothetically, that your business has fallen victim to a data breach. Before you attend to the damage, you need to determine the scale of the attack. How does one do this?
The scale can also matter greatly. Many settlements and fines are levied per person affected (as is the nature of a class-action lawsuit). Your business can probably afford the loss of 10 records since it is very unlikely a breach of this size would make it to court. It cannot, however, handle the loss of 100,000 financial records. For example, Target recently paid out an $18.5 million settlement to various state governments for a 2013 data breach involving millions of credit card records.
Fundamentally, the law is as much about precedent as it is about what’s written in the books, so let’s look at what we know from previous breaches and cases:
Companies and websites have a responsibility to their customers and clients. This is especially the case in certain fields, such as health care and law, where the mishandling of records and confidentiality had consequences far before the age of the Internet. These rules still apply, and if your website operates in sensitive fields, you should know what you can and cannot do. The law is clear.
For everyone else, though, the waters are still murky as to the extent of responsibility, if only for now. In the UK, settlements and fines are increasing. New legislation in the EU, once it comes into effect, will come down hard on businesses, potentially levying billions of dollars in fines on firms who do not sufficiently protect their information and find themselves on the wrong end of a data breach.
What could we expect from the United States on this matter? This is little to no explicit legislation on this. Lawsuits are filed nearly automatically when there is a large-scale data breach, but that is to be expected when lawyers see dollar signs and a chance to gain some publicity. Instead, it’s worked out on a case by case basis, leading us to look at other examples.
Data breaches happen frequently and often they appear to mean very little.
Many lawsuits from consumers would likely not be too successful, as potential injury down the line from identity theft will not hold up as a strong argument. There would need to be evidence of actual or imminent injury, which is difficult to provide immediately after a data breach. This may change, but it seems to be the case so far.
Most hackers and cybercriminals know better than to try out newly acquired data, and many more are simply looking for someone to buy the data for identity theft rings (one hacker isn’t likely to use millions of credit card numbers). Even then, most of the identity theft wouldn’t get stolen simultaneously, meaning a class action lawsuit is more difficult to organize.
Wendy’s, for example, had a class action brought up against them, but the case was eventually dismissed. The court stated the damages were not sufficient, and since those damages were reimbursed, the case didn’t stand up in front of the law. More interestingly, courts found simple fraudulent charges on a credit card weren’t enough to warrant damages.
As an example of a class action lawsuit that did work out, Neiman Marcus customers won a $1.6 million dollar suit against the company after it was confirmed the retailer failed to provide proper protection. While this is a large company and not just a website, if you are running a business, this is a clear message that neglect may not be tolerated.
Additionally, the government has required companies to implement better security measures, adding extra costs on top of fines.
As mentioned earlier regarding health records, HIPAA (or an equivalent) will be enforced if found to be violated.
Recently, there has been a series of high-profile health data breaches both in the States and abroad, and it would be foolish to think there won’t be increasing pressure to mandate stricter enforcement and create harsher penalties in the digital age. If your website is related to health care, you should consider professional cyber security help.
Records related to direct financial management or other confidential information will also be held to a high standard. Morgan Stanley failed to protect client information and lost $1 million for it.
Additionally, it should be noted contract stipulations or other legally binding circumstances will have their own weight in a court of law. If your business agrees to keep some information safe, you’re legally responsible for keeping it safe, regardless of other precedents.
In the United States, laws differ from state to state regarding the use of technology and responsibility of website use and privacy. Every state has laws on the books regarding cyber-crime, albeit there are differences in penalties and standards.
It might be far more complicated if you’re dealing with an international incident. The tenants of international law are not exactly easy to understand. This is especially the case with laws regarding corporate responsibility, and even more so when relatively new laws regarding technology are involved.
As stated, legal systems operate as much by legal precedent as by legislation, and there haven’t been many precedents set in this field of law. You don’t want to be a test case, either, as people will come to associate your site with a data breach, whether you were liable or not. It is nearly impossible to recover from that kind of damage to your image.
Your liability risk can be mitigated, though, even if you find yourself at the wrong end of a breach. If you are responsible and open about what happened, and there is no reasonable way you could have prevented the breach, you will likely be in the right and can focus on rebuilding your website’s brand and audience. As always, due diligence pays dividends.
In summary, you should do the following as soon as you possibly can:
There are likely other measures you can take to protect yourself, but they are far too situational to be able to offer any real insight into this question about liability. Things such as whether the scripts you use on your website make you vulnerable (be careful about what methods you use to collect data), the exact data you collect and the level of interaction you have with your audience (hackers might view communications and extrapolate information from there) matter when it comes to the issue of cybersecurity liability.
Regardless of your thoughts on your potential liability, you will be better off if you protect yourself and use whatever knowledge you come across. This situation will continue to change, so stay vigilant to make sure you are on top of any risks, legal or cybersecurity-related. With the right ideas and dedication, you shouldn’t have to worry about this problem.
About the Author: Cassie Phillips
Cassie is a technology and cybersecurity blogger who writes regularly for Secure Thoughts. You can usually find her researching new trends and trying to build her audience. She hopes this information will help you keep away from online threats as you build your business.