Data Breaches, Liability, and Vigilance: Insight for Businesses and Individuals

It’s not always someone’s fault when data leaks occur

By Judy Malmon, J.D. | Reviewed by Canaan Suitt, J.D. | Last updated on March 28, 2024

Featuring practical insights from contributing attorney Usama Kahf

“One of the most common misconceptions on data privacy with respect to the new internet of things (IoT) is that if a data breach occurs, there must be liability against somebody,” states Usama Kahf, an employment law attorney at Fisher & Phillips in Irvine, California.

“But you know what? Data breaches happen to the best of us. They happen even if you do everything right and take every precaution technologically feasible. It still happens.”

The cost of a data breach, whether due to human error or a ransomware attack, can be significant. The best way to protect sensitive information is to prepare before a leak or attack occurs.

Strategies for Addressing Cyber Security Threats Vary By Company

Best practices for implementing security measures against hackers or cybercriminals trying to access personal data—dates of birth, driver’s license numbers, social security numbers, healthcare information, credit card numbers, phone numbers, or other personally identifiable information (PII)—can vary based on the size of the company, available resources, the particular industry, and even location.

Kahf represents companies that want to protect the types of data they hold against unauthorized access and to do everything they can to prevent a breach of information they keep on behalf of clients and customers. Preventing data security incidents is essential to any business that uses technology to store customer financial information, but efforts can range from relatively simple to sophisticated—and costly.

“If things like this go to court, it’s usually a battle of the experts as to what’s considered best practice,” he says. “What’s best practice for a small mom-and-pop shop in a small town versus a multinational company in a metropolitan area? It’s going to be a different standard based on circumstances.”

Assess Your Company’s Vulnerabilities Through an Independent Audit

No matter the client’s size, Kahf recommends that it undergo an external independent audit of its data security—emphasis on “independent.”

It’s essential that this review be undertaken by an IT specialist who isn’t part of the company and with whom there is no prior working relationship, so that it constitutes a credible assessment that will hold up under later scrutiny if something goes wrong.

Kahf emphasizes that even small businesses, with fewer than 25 employees, should undertake this precaution regularly—though some businesses are more at risk than others, such as medical or financial firms. For most companies, he recommends a security audit at least every three years.

How is Liability for Data Breaches Determined?

But even with the best efforts, data breaches do occur. What then? Kahf advises his clients on managing circumstances upon discovery of a security breach. This will initially entail notifying those who may have been affected and then fielding their calls, which can be challenging.

“People are understandably angry when their private data has been breached, but what most people don’t know is that there is no absolute liability for data breach,” Kahf explains. Liability is assessed based on whether the company subject to the breach failed to take reasonable steps under the circumstances to protect the information.

“Mistakes can happen to the best of us, but as long as you did everything in your power to try to prevent it, and it happened anyway, that’s OK,” Kahf adds. “Then you would be judged on your post-breach actions. Even though it’s not your fault, you still have to take certain actions to try to remedy or mitigate harm.”

Insights for Individuals Protecting Their Sensitive Information

Even in our personal lives, we’re all at risk of disclosure of compromised data. Does Kahf have any advice?

“I recommend that people be more vigilant. Some people are less careful with their data than others. For example, I don’t think you should ever have a public Facebook [or social media] profile unless you need one for business purposes. Even a private one can still get hacked. But the public one is a source of information for people who want to hack your data,” he says.

“They’ll learn all sorts of things about you, like your cat’s name, your child’s name, your birthday, things they’ll plug into their algorithms to figure out what your passwords are. I think people just need to be more vigilant about who they share their data with and what they do online.”

Having strong login credentials, using a password manager, managing permissions, using multi-factor authentication, and operating with a VPN are also strategies that individuals and businesses can use to protect their sensitive data.

Find an Experienced Cybersecurity Lawyer for Data Protection 

If your firm or business is responsible for others’ private data, be sure that you are doing all you can to protect it from leaks or cybercrime. Talk to a data privacy attorney about what steps you should take to prevent data breaches and shield your business from possible liability.
