When a Data Breach Hits a Business, Who is Liable?

Data breaches and cybersecurity have become a huge issue for many different industries now. The number of breaches and attempted breaches, as well as the sophistication of hackers,  is growing each year. No amount of security can perfectly seal off a system from intruders. Who is ultimately responsible for the integrity of the customer’s personal information (PI) if a breach occurs? Are your assets protected by your business insurance program? 

Data is Becoming More Vulnerable

Data storage has been increasingly shifted off-site to third-party public cloud providers. In a cloud-based environment there are generally three parties involved: 

  • Customer or user of the service
  • Data owner – a business that provides service or products to customer 
  • Data holder – a third-party cloud service provider that provides hosting (storage, application, hardware) for the data owner such as IBM Cloud, Microsoft Azure Cloud Storage, Amazon Web Services (AWS).

Data involving PI is especially vulnerable in the cloud due to a variety of unique threats: lack of transparency of operations, remote and indirect management, external threat enhancement since anyone can obtain an account to the cloud provider’s environment, increased malicious insider threats as the data owner does not have direct control over who can access or administer the data, and insecure application programming interfaces (APIs) which are completely open to the internet.

Who’s Legally Responsible?

With the growing and increasingly severe intrusions Congress, regulators and state governments are looking at how to protect PI from unauthorized access. There is no current central federal mandate that covers data breaches affecting personal information. However, all states require organizations to notify customers and in some cases regulators if a data breach occurs impacting residents.

In a cloud environment, the data owner faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider). Typically, all damages flowing from a data breach of the data holder will be considered consequential damages and barred by a standard provision disclaiming all liability for consequential damages. If the breach involves a cyberattack in a traditional data owner’s proprietary network & data center, the data owner is obviously potentially liable.

State and federal data privacy laws in the U.S. do not impose civil liabilities in the event of a cyber intrusion. Typically, liability is imposed if the following conditions exist:

  • An entity failed to implement safeguards required by statute or reasonable security measures
  • An entity failed to remedy or mitigate the damage once the breach occurred
  • Failure to timely notify the affected individuals under a state’s data breach notification statute, may give rise to liability for civil penalties imposed by a state attorney general or other state enforcement agency.

Negligence must be proven in any litigation. However, liability can also exist if contractual indemnification or service agreements are in effect toward affected individuals or between business entities.

Be sure your organization is protected with proper business insurance (specifically a cyber liability insurance policy) and implement an infrastructure for preventing, detecting, and responding to security incidents. This includes not only anti-malware, firewall software, and hardware implementations, but threat analysis, incident training, response protocols & standards, agile management, and remediation policies and procedures

About Transparity Insurance Services

Transparity Insurance Services was founded for the purpose of helping clients to ensure their property and assets with no hassle. We are committed to providing a simple, easy, efficient, and positive experience to all of our clients, and prioritize open and transparent communication with our clients. Through our excellent customer service and technology, we can help you to find the right insurance program at a competitive price. Contact us today at (855) 889-2037 to learn more about what we can do for you.