Crime against businesses, services and retailers doesn’t usually involve physical businesses as much as it used to. Instead, what we find is a rise in cybercrime from both “freelancers” and hacking syndicates. They want sensitive user information to sell to identity thieves (or use themselves).
Yet, what about the legal consequences to businesses that fall victim to these attacks? Do they have a responsibility to protect information? And what is the extent of that responsibility?
The short answer: it depends. In most modern societies, there are very few cut-and-dried situations when it comes to liability. There are degrees of reasonableness, culpability and matters of scale to consider. Given that websites can deal with millions of users and a great deal of money on a regular basis, and hence millions of pieces of potentially private information, a clear answer is impossible.
As a note, much of what has occurred has applied mostly to large corporations, but if you run a small business (web-based or otherwise), most of the same laws would apply should your website get hit with a breach.
Let’s look at a few previous cases and breaches to better determine your risk:
Data Breaches: Scale and Types
Consider, hypothetically, that your business has fallen victim to a data breach. Before you attend to the damage, you need to determine the scale of the attack. How does one do this?
First, let’s consider the data that was stolen:
- Your business isn’t going to face much legal trouble over an email address getting stolen. The victim might not even notice. Email addresses are cheap and common, and a small breach or a hack into your subscriber lists is often how this sort of data is exposed.
- Account information is another matter. If accounts are stolen from your website, fraud is possible, and therefore, damages are possible.
- If a data breach occurs and the financial and identifying information of your customers is stolen, especially en masse, it will be a problem if you can be found negligent. Identity theft will occur, and other potential problems can arise (consider what a criminal can do with someone’s address).
The scale can also matter greatly. Many settlements and fines are levied per person affected (as is the nature of a class-action lawsuit). Your business can probably afford the loss of 10 records since it is very unlikely a breach of this size would make it to court. It cannot, however, handle the loss of 100,000 financial records. For example, Target recently paid out an $18.5 million settlement to various state governments for a 2013 data breach involving millions of credit card records.
What Precedents Have Been Set?
Fundamentally, the law is as much about precedent as it is about what’s written in the books, so let’s look at what we know from previous breaches and cases:
1- Companies Can Be Held Liable (or Will Be Soon)
Companies and websites have a responsibility to their customers and clients. This is especially the case in certain fields, such as health care and law, where the mishandling of records and confidentiality had consequences far before the age of the Internet. These rules still apply, and if your website operates in sensitive fields, you should know what you can and cannot do. The law is clear.
For everyone else, though, the waters are still murky as to the extent of responsibility, if only for now. In the UK, settlements and fines are increasing. New legislation in the EU, once it comes into effect, will come down hard on businesses, potentially levying billions of dollars in fines on firms who do not sufficiently protect their information and find themselves on the wrong end of a data breach.
What could we expect from the United States on this matter? There is little to no explicit legislation on this. Lawsuits are filed nearly automatically when there is a large-scale data breach, but that is to be expected when lawyers see dollar signs and a chance to gain some publicity. Instead, it’s worked out on a case-by-case basis, leading us to look at other examples.
2- Damages Must Be Clear
Data breaches happen frequently and often they appear to mean very little.
Many lawsuits from consumers would likely not be too successful, as potential injury down the line from identity theft will not hold up as a strong argument. There would need to be evidence of actual or imminent injury, which is difficult to provide immediately after a data breach. This may change, but it seems to be the case so far.
Most hackers and cybercriminals know better than to try out newly acquired data, and many more are simply looking for someone to buy the data for identity theft rings (one hacker isn’t likely to use millions of credit card numbers). Even then, most of the stolen identities wouldn’t be misused simultaneously, meaning a class action lawsuit is more difficult to organize.
Wendy’s, for example, had a class action brought against it, but the case was eventually dismissed. The court stated the damages were not sufficient, and since those damages were reimbursed, the case didn’t stand up in court. More interestingly, courts found simple fraudulent charges on a credit card weren’t enough to warrant damages.
3- Negligence and Proper Protocol
As an example of a class action lawsuit that did work out, Neiman Marcus customers won a $1.6 million suit against the company after it was confirmed the retailer failed to provide proper protection. While this is a large company and not just a website, if you are running a business, this is a clear message that neglect may not be tolerated.
The government has already gone after companies such as Wyndham and TerraCom for failing to properly protect information. Some examples of offenses include:
- Storing card information without protection or encryption.
- Failing to use firewalls or other security measures at physical locations.
- Using easily guessed passwords.
- Failing to restrict outside connections.
- Storing information on clearly unprotected servers.
Additionally, the government has required companies to implement better security measures, adding extra costs on top of fines.
4- Certain Records Matter More
As mentioned earlier regarding health records, HIPAA (or an equivalent) will be enforced if found to be violated.
Recently, there has been a series of high-profile health data breaches both in the States and abroad, and it would be foolish to think there won’t be increasing pressure to mandate stricter enforcement and create harsher penalties in the digital age. If your website is related to health care, you should consider professional cyber security help.
Records related to direct financial management or other confidential information will also be held to a high standard. Morgan Stanley failed to protect client information and lost $1 million for it.
Additionally, it should be noted contract stipulations or other legally binding circumstances will have their own weight in a court of law. If your business agrees to keep some information safe, you’re legally responsible for keeping it safe, regardless of other precedents.
5- It Could Differ by Region
In the United States, laws differ from state to state regarding the use of technology and responsibility of website use and privacy. Every state has laws on the books regarding cyber-crime, albeit there are differences in penalties and standards.
It might be far more complicated if you’re dealing with an international incident. The tenets of international law are not exactly easy to understand. This is especially the case with laws regarding corporate responsibility, and even more so when relatively new laws regarding technology are involved.
As stated, legal systems operate as much by legal precedent as by legislation, and there haven’t been many precedents set in this field of law. You don’t want to be a test case, either, as people will come to associate your site with a data breach, whether you were liable or not. It is nearly impossible to recover from that kind of damage to your image.
Reducing Your Liability Risk
Your liability risk can be mitigated, though, even if you find yourself at the wrong end of a breach. If you are responsible and open about what happened, and there is no reasonable way you could have prevented the breach, you will likely be in the right and can focus on rebuilding your website’s brand and audience. As always, due diligence pays dividends.
In summary, you should do the following as soon as you possibly can:
- To the fullest extent that you are able, place protections on your website that will protect your visitors. Get HTTPS enabled on your website, make sure your comments are automatically moderated (or disable them, depending on your website), keep your plugins up to date and remove any that are out of date.
- Protect your devices similarly and take precautions against human error. A person not following proper procedure or the law is far more likely to make you liable than a super-virus against which there is no defense.
- Read up on your state’s laws regarding the matter. If your organization can afford it, look into getting legal counsel to determine the risk of liability should there be a leak of information. Be aware this is a constantly changing field, and the precedents and laws of a few years ago might no longer apply.
- Try to future proof your website’s security as much as possible. While there’s no way to do this perfectly, try to imagine potential strategies a skilled hacker might use.
- If you find your website breached, respond quickly and decisively. Make sure you do not try to cover up the leak or otherwise conceal the extent of the damage. It will only make you look far worse in any potential investigation and will make it look like you are to blame (your website’s users have a right to protect and defend themselves). Do not implicate yourself and accept full blame (even in a blog post), but rather acknowledge the situation and tell users what you are doing to mitigate the damage and prevent it from occurring again.
There are likely other measures you can take to protect yourself, but they are far too situational to be able to offer any real insight into this question about liability. Things such as whether the scripts you use on your website make you vulnerable (be careful about what methods you use to collect data), the exact data you collect and the level of interaction you have with your audience (hackers might view communications and extrapolate information from there) matter when it comes to the issue of cybersecurity liability.
Regardless of your thoughts on your potential liability, you will be better off if you protect yourself and use whatever knowledge you come across. This situation will continue to change, so stay vigilant to make sure you are on top of any risks, legal or cybersecurity-related. With the right ideas and dedication, you shouldn’t have to worry about this problem.
About the Author: Cassie Phillips
Cassie is a technology and cybersecurity blogger who writes regularly for Secure Thoughts. You can usually find her researching new trends and trying to build her audience. She hopes this information will help you keep away from online threats as you build your business.