What is My Liability for a Data Breach?
If you're a business owner, you have got to be on guard against hackers. Don't just hope for the best, instead, assume the worst.
It seems like we read about a major data breach occurring almost every other day. From credit card information and PIN codes stolen from some of the largest retailers in America to very personal health records, data of all kinds is falling into the wrong hands.
“This trend will likely continue as long as companies fail to realistically assess their own systems for security flaws. Hacking themselves to find and then plug any holes that are found is highly effective,” says attorney Richard Lutkus.
Based in San Francisco, he is among a handful of lawyers in the country who focus on “cybersecurity preparedness, data breach response and data privacy,” as he explained, adding, “the best attorneys in this field have an expertise in digital forensics and cybersecurity, which enables them to understand hacker techniques, strategies and better assist breached companies.”
Sign up for Kiplinger’s Free E-Newsletters
Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.
Profit and prosper with the best of expert advice - straight to your e-mail.
When a data breach occurs, a disturbing question pops into the minds of people whose data was stolen: “If my personal information is put to a wrong use, who is responsible?”
Another, equally important question should be asked by any company or professional who routinely gathers sensitive information about customers, clients or patients: “If we get hacked and data is stolen, is it all over? Is my goose cooked? Am I on the hook for any loses sustained by that event, or is there a way to defend myself?”
I’ll give you the answer in a moment, but first meet “very worried” Lisa, who is “16 years old and living in a small, rural California town with my parents, looking forward to reading You and the Law every week in our newspaper.”
Her email stated, “My father is a dentist and up in years. His office has all of his patients’ records stored electronically, which he accesses at home from his laptop by leaving the server always ‘on’ at the office. I mentioned this to a geeky friend, and the next day he showed me dental records from Dad’s office that he had hacked. He claimed to be doing this as a favor, to get my father’s attention about cybersecurity, and I believe him.
“I told Dad, and he immediately changed passwords, but didn’t seem too bothered. How much trouble could that have gotten him into?”
Just Ask a Cyber Lawyer
We ran Lisa’s story by Lutkus. This is a familiar tale to him.
“Dennis, I knew one Fortune 500 company chief financial officer who used the same password for over 10 years. Most think it is a joke, but it was real and proved not so funny after his credentials were found in seven data breaches, which were used to hack the company’s email servers, spoof emails and steal tens of thousands of dollars without anyone noticing for months.”
He points out, “What happens to large multinational companies also happens to small dental offices, just like your reader is describing, where client or customer data is kept but they do not have good IT support to guard against being hacked. That’s a point I try to make clear. Just think of the financial damage that can be done to the dentist’s patients when their personal information is stolen. The theft of information is like a recurring nightmare and difficult to clean up.”
Is There Automatic Liability for a Data Breach?
I asked Lutkus, “Does the simple fact that a data breach occurred always mean that someone is going to be held financially responsible?”
“Not always,” he replied. “But, there are two main ways that civil liability for a data breach can occur.”
- Finding negligence. Lawyers ask, “What would a reasonable person or company do to reduce the chance of a data breach? If you are not aligned with your peers in the industry, then you look less reasonable. If you should have had better protection but did not, then negligence could be found, which may result financial liability.”
- Even if you did everything that was required to prevent a data breach, when one occurs, did you do enough after the event to reduce harm to the people affected? Did you promptly notify them? Did you take immediate investigation and remediation steps that would be viewed as reasonable?
Assume that Someone is Doing Something
“The more you have to lose — the greater the attractiveness of your data and customer information is to a hacker — it is critical to develop active defense and data-breach response techniques,” Lutkus underscores, giving an overview of what this means:
- Have a breach coach who can run your breach response under attorney-client privilege.
- There is no way to be 100% immune from attack, but having a response plan developed in advance, together with adequate cyber liability insurance from a reliable broker, could prove to be the greatest investment in security you will ever make,” he strongly maintains.
As he explained, this type of insurance is valuable if your business:
- Collects payment information for online sales;
- Maintains a database of personal information on current, past or prospective customers;
- Stores information on employees digitally, including Social Security numbers or medical information;
- Relies heavily on technology for daily operations;
- Is located in any jurisdiction that has mandatory data breach notification laws.
A Look at What Cyber Insurance Can Do for You
“Cyber insurance coverage is especially valuable for small-business owners, offering protection from a variety of cyber security breach claims and lawsuits — from accidental loss of customer or employee personal information, to online hacking, fraudulent wire transfers and theft of confidential information.
“You’ll want coverage for expenses relating to the investigation of a data breach, the cost of legal counsel, the cost of communicating the breach to customers and expenses related to business interruption while your network is down in addition to public relations expenses.
“These policies also cover third-party costs, including their legal defense costs, resulting settlements and judgments, any liability to banks for re-issuing credit cards and notifying customers, and regulatory fines and penalties. You may also want to consider investing in a policy that covers employee privacy liability, in case employee records are exposed.
“Finally, these policies often cover extortion — blackmail — and can, quite literally, be worth their weight in gold,” Lutkus concluded.
And a personal note: This column is made possible by lawyers who share their knowledge. Abraham Lincoln was correct when he stated, “A lawyer’s time and advice is his stock in trade.” We sell advice. We sell time — our time — which is known as billable hours.
I am careful to respect that reality — not taking more time than is needed, and typically in setting up an interview, I will be told, “Happy to help, and I can give you 15 or 20 minutes.”
But Rick Lutkus had no time limit for my questions. He wanted me to understand, to help me understand the terminology and concepts of this new and complicated area of law. We talked for close to an hour, and I left our interview with the feeling that, “Here’s a lawyer who truly places the needs of his clients first, a lawyer who wants to help.”
Get Kiplinger Today newsletter — free
Profit and prosper with the best of Kiplinger's advice on investing, taxes, retirement, personal finance and much more. Delivered daily. Enter your email in the box and click Sign Me Up.
After attending Loyola University School of Law, H. Dennis Beaver joined California's Kern County District Attorney's Office, where he established a Consumer Fraud section. He is in the general practice of law and writes a syndicated newspaper column, "You and the Law." Through his column, he offers readers in need of down-to-earth advice his help free of charge. "I know it sounds corny, but I just love to be able to use my education and experience to help, simply to help. When a reader contacts me, it is a gift."
-
Target Is the Worst S&P 500 Stock After Earnings. Here's Why
Target stock is down big after the retailer missed expectations for its third quarter and slashed its full-year outlook. Here's what Wall Street is saying.
By Joey Solitro Published
-
Tax Credit vs. Tax Deduction: What’s the Difference?
Tax Breaks Your guide to tax deductions and credits, how the IRS treats them differently, and how they impact your tax bill.
By Kate Schubel Published
-
How Trusts Can Be Used to Protect LLCs From Creditors
Combining limited liability companies with domestic asset protection trusts can achieve maximum asset protection.
By Rustin Diehl, JD, LLM Published
-
Financial Planning Tips for Business Owners Raising Kids
BORKs face specific challenges that other business owners don't, so they need a different approach to their financial plans to ensure their family is protected.
By Eric Kleinstein Published
-
How to Sell Your Business With No Regrets
The key to a successful exit: You've got to be prepared. So, start now by maximizing profitability, planning for succession and avoiding the dreaded five D's.
By Nick Guida, Investment Adviser Representative Published
-
Debunking the Myth of the Silver Spoon
Just because your family is wealthy doesn't mean life's all smooth sailing for your kids. When family dynamics are complicated, communication is key.
By Elizabeth Chand, Esq. Published
-
Beware of 'Buy a Business' Coaching Scams
Just because someone says they can make you rich by helping you buy the business of your dreams doesn’t mean they actually have the expertise to do that.
By H. Dennis Beaver, Esq. Published
-
Limited Liability Companies (LLCs): How Assets Are Protected
An LLC can prevent problems with assets within the LLC from affecting assets outside the LLC, but there are limits to asset protection.
By Rustin Diehl, JD, LLM Published
-
Succession Musts: Thoughtful Planning and Frank Discussions
When it comes to passing on the family business, you don't want anyone to be surprised about who will control or inherit the business after the owner's death.
By David Handler, J.D. Published
-
Electing to Be an S Corporation: Benefits You Need to Know
Entrepreneurs who meet the requirements and choose to be an S corporation could see lower taxes and experience several other advantages.
By Derek A. Miser, Investment Adviser Published