IT Liability Concerns

By Robert Scott — IT Attorney & Chief Innovator of Monjur
According to research, the number of data breaches is increasing year over year. Worse yet, for businesses, data loss may not be the most considerable cost associated with an IT incident — it could result in a lawsuit from customers, investors, employees, or whoever’s data was exposed in the breach. Thus, many businesses wonder how they can reduce their liability.

Challenges in IT liability

Unfortunately, understanding liability when it comes to matters of IT, such as data breaches, is not cut and dried. Of course, the wrongdoer is the primary culprit for the incident, but the organization responsible for protecting the data may also be held liable. In many instances, the actions (or lack thereof) of an organization and its employees contribute to the severity of a breach, and as such, they are held at least partially liable.

Recent technological developments have made IT liability even more complex. While the rise in remote and hybrid work structures has introduced more access points and vulnerabilities to networks, artificial intelligence technology has simultaneously allowed cyber attackers to become more sophisticated in their attacks. This means that businesses must be particularly vigilant to ensure they are not held legally and financially accountable for the consequences of any cyber attacks.

In many cases, negligence is the key determinant of the extent to which a business will be held liable for a data breach. Rarely does a business act maliciously or intentionally to cause a data breach, with the notable exception of companies that sell customer data. More often than not, a data breach results from a business failing to fulfill its responsibility to protect its customers and their data.

What can businesses do to reduce their cybersecurity liability?

At a basic level, businesses can be expected to implement core cybersecurity best practices. For example, access control, malware prevention software, and data encryption are standard measures every business should be expected to take as a bare minimum. If a business has shown complete and total disregard for the safety of its customers’ data by failing to implement even the most basic of safeguards, it will almost certainly be found liable for the consequences of the data breach.

Businesses that work with third-party contractors must take particular care when vetting potential partners, as the mistakes of these contractors could negatively affect the business that contracted them. Failing to do one’s due diligence when hiring a contractor is a form of negligence in itself, meaning that if a third party does not implement the proper cybersecurity measures and causes a data breach, the service provider could be held responsible for the consequences.

There is one tool that businesses can use to protect themselves against potential liability from data security breaches: their contracts. Contracts should include clear provisions relating to cybersecurity because this ensures that both the responsibilities of the business and the rights of the customer are defined. Examples of data security provisions that should be outlined in service contracts include what standards of encryption will be used when storing data and how long data will be stored — including after the contract is terminated.

Contracts can also include waivers that free businesses of liability for data security breaches in certain circumstances. For example, a business can include a clause in a contract that defers liability to third-party contractors in the event of a security breach caused by a third party’s actions or negligence. Some contracts may even include clauses that release the business from any and all liability relating to data breaches.

Finally, businesses must ensure that they stay up to date with any applicable laws and regulations regarding data security. With new technologies like artificial intelligence emerging — not to mention the fact that several new lawmakers are entering into office — these regulations are constantly changing. Even so, failure to maintain compliance with regulations could cause a business to face not only fines and penalties from regulators but also liability in lawsuits for its failure to adhere to regulations.

A data breach can be a costly situation for a business, but there are measures that a business can take to minimize its liability. By taking steps like implementing basic cybersecurity measures, ensuring that contracts are carefully written to minimize liability, and staying in compliance with applicable regulations and laws, businesses can mitigate their financial and legal risk in the case of a cyber attack.
