Nearly every business faces cybersecurity challenges on a constant basis. The modern digital landscape comes with many risks that impact organizations in all industries. These threats evolve alongside the innovations that are meant to combat them, leading to a familiar back and forth between business owners and cybercriminals. Data breaches are a significant problem, presenting security and fraud issues for both businesses and consumers.
An organization can be held responsible when consumer data is leaked or stolen, among other potential issues. A closer look at the legal ramifications of a data breach can help us to understand what is at stake from a cybersecurity perspective and beyond.
Data in the Crosshairs
Major data breach incidents have appeared in recent headlines. These press-grabbing attacks often affect large businesses that collect and store significant amounts of data on their customers. This data is a treasured target for cybercriminals because it can serve multiple nefarious ends. Ransomware incidents involve threat actors demanding a ransom in exchange for the return of the stolen data, and they often profit handsomely when an organization pays up. Cybercriminals also acquire a precious resource in the form of consumer personal information that they can use to commit other forms of fraud outside of the initial data breach.
This often-lucrative form of cybertheft keeps data in the crosshairs of hacker networks and other threat actors looking to benefit in multiple ways from each incident. On the other side of things, businesses targeted in these attacks face various issues including financial loss, consumer trust issues, regulatory fines, and even potential legal complications.
Legal Precedent
Cybersecurity laws and regulations are constantly evolving and escalating within the business world. Emerging cyberthreats are steadily shaping modern legal precedent relating to the many risks and incidents that have grown consistently in recent years. A look at some higher-profile cases related to data breaches provides a precedent for legal concerns that businesses and owners should understand.
A 2018 Supreme Court ruling of Zappos.com vs Stevens was one of the first major cases to establish that customers can sue businesses if their personal information is stolen as a result of a data breach. This ruling is important because it holds organizations responsible even if the stolen data isn’t immediately used for fraud or other criminal purposes.
Another federal ruling, Medidata Sols. Inc. v. Fed. Ins. Co., established the precedent for the extent to which cybersecurity insurance coverage can help deal with the consequences of a scam or hack. This case is significant because it implies that businesses need to show they incurred a direct financial loss from a cybersecurity incident to receive coverage from an insurance provider.
The California Consumer Privacy Act is a more recent set of regulations established on a state level. This act has been in effect for over a year and requires companies to remain transparent with how consumer personal information is collected while also allowing customers to control how their information is used to some degree. This legislation is important because if companies don’t follow the regulations spelled out in the act, they face potential consumer lawsuits if a data breach occurs.
Recent FTC Ruling on Health Apps and Data Breaches
A recent FTC ruling might indicate a growing trend of increased federal regulations relating to data breach transparency. In September, the FTC voted on and passed a policy statement that requires health apps and devices that collect personal information to inform consumers if their data is compromised as part of a breach. This policy builds on the Health Breach Notification Rule, which was established in 2009, expanding the reach of the rule to include modern health technology.
Apps that collect personal information are abundant, and the FTC aims to push developers to focus on increased cybersecurity measures to prevent breaches while also requiring that app users be notified when their information has been compromised. Companies that collect any health data now must inform consumers whenever there is a data breach or other unauthorized use of personal data. If organizations don’t follow the established regulations, they face fines of up to $43,792 for each violation per day.
Employers Also Face Issues with Internal Data Breaches
Even if a data breach doesn’t compromise consumer data, businesses can still face other issues. A recent data breach at the University of Pittsburgh Medical Center (UPMC) resulted in the loss of personal information for over 60,000 employees. Employees sued UPMC because of a 2014 incident where hackers obtained personal data that was used to commit fraud, including the filing of fake tax returns to obtain the refund dollars. UPMC reached a settlement with the employees this summer and ended up making payments totaling nearly $2.7 million to cover the losses stemming from this incident.
The Future of Fines, Regulations, and Ramifications
The breaches and case studies mentioned above represent just a small fraction of cybersecurity and data breach issues facing businesses. Taking an objective look at these provides insight into the future of fines, regulations, and ramifications that will affect organizations of all sizes. Federal and state governments are taking a more active role in dictating how businesses handle cybersecurity incidents. New rules and regulations will continue to appear in the future as these agencies attempt to protect the public from fraud and financial loss.
Business owners should ensure that they follow all data breach and cybersecurity regulations in their state and the states in which they do business while also doing everything they can to limit the potential for a breach in the first place. A board of directors should also share in the burden of this responsibility, if applicable. Data breach planning and response services should be in effect before an incident even occurs. Employees and management also need to understand their role in establishing best practices to limit the risk of a cyberattack resulting from digital behaviors.
Businesses will continue to be a prime target for cybercriminals, and new regulations will amplify the complications brought on by a data breach incident. Compliance with these rules and policies will be necessary to avoid hefty fines and lawsuits. Success in business is often defined by adaptation and forward thinking, and the time is now for your organization to put cybersecurity issues on the front page.