Cybersecurity, the process of protecting a company’s digital assets from theft and other harm, is an important issue for every business, regardless of size or complexity. Almost every business now relies on computers to some extent, and criminals are constantly developing ways to access business computer systems to steal customer information or company financial information, or even just to cause damage. Hackers may be able to penetrate a company’s computer security remotely, but many high-profile data breaches are accomplished by stealing laptop computers, hard drives, and other hardware. A company’s legal liability for a data breach is still a developing area of law, and few answers are certain in that area. Avoiding legal liability, however, is far from the only reason to take precautions against data breaches.
Recent data breaches have led to lawsuits against the affected companies by customers and shareholders, and a data breach could also result in administrative fines or penalties in some circumstances. Few statutes directly address a company’s liabilities with regard to cybersecurity, but numerous legal claims are possible:
– Negligence: One or more customers whose personal information was compromised in a data breach could claim that the company breached a duty of care to safeguard that information, and that this caused them financial damage.
– Breach of contract: A business could face a breach of contract claim directly related to a data breach, or because of the impact of a data breach on other parts of the business’ operations.
– Shareholder liability: Data breaches can significantly damage a company’s image and reputation, which can in turn affect its overall business. In a publicly traded company, it can affect the stock price. Shareholders may claim that company management breached a fiduciary duty to the company by failing to provide adequate safeguards for the company’s digital assets.
– Specific statutes: Some businesses may have obligations imposed by specific statutes, such as health care businesses’ duty to protect the privacy of patient records under the Health Insurance Portability and Accountability Act (HIPAA).
The U.S. Department of Justice (DOJ) released a document in April 2015, Best Practices for Victim Response and Reporting of Cyber Incidents, that offers guidance to small businesses for preventing and responding to data breaches. It identifies steps that businesses should take before, as well as immediately after, an incident occurs. The first step is identifying a business’ “crown jewels,” the assets that the business absolutely needs to function on a moment-to-moment basis, and to prioritize the protection of those assets above all else.
The DOJ also recommends creating a full “action plan” before an incident occurs, which includes making sure that all necessary technology and network monitoring is in place ahead of time, familiarizing all decisionmakers and legal counsel with the plan, and developing relationships with law enforcement and cybersecurity organizations that would be useful if an attack were to occur. The DOJ’s advice for responding to a cyber attack mostly involves following the plan the business has already created. It also offers advice on what not to do after a cyber attack. Most importantly, the business should stop using the compromised computer system, especially to communicate about the response plan.
Business formation attorney Samuel C. Berger represents New York and New Jersey business owners and entrepreneurs. We offer a variety of fixed-fee legal-service packages that cover a wide range of legal issues, starting with business formation, continuing through contracts and other operational matters, and concluding with winding down and dissolving a business. To schedule a confidential consultation with a knowledgeable business law advocate, contact us today online or at (212) 380-8117.
More Blog Posts:
New Jersey Insurance Company Not Liable to Members for Data Breach, Court Rules, New York & New Jersey Business Lawyer Blog, April 16, 2015
Three Steps New York and New Jersey Businesses Can Take to Protect Themselves from Cybersecurity Breaches, New York & New Jersey Business Lawyer Blog, June 23, 2014
After Hackers Hit Another Major Internet Company, New York and New Jersey Businesses Need to Be Aware of Cybersecurity Risks, New York & New Jersey Business Lawyer Blog, May 26, 2014