
Data Breach Case Study: Lessons from Target Data Heist


Unused shopping carts on a winter night

Before Target had even officially acknowledged it was the victim of a data breach, customers had already filed cyber liability lawsuits. Now, two weeks after the attack that exposed millions of holiday shoppers, there are more than 40 lawsuits pending (with many more expected).

This high-profile case gives us an opportunity to examine how cyber liability works and get a better understanding of what legal obligations small tech businesses have after a data breach.

Who, What, When, Where, and How: Answering the Basic Questions about a Data Breach

Before we go any further, let's answer a few basic questions about data breaches and cyber liability…

  • Are there different kinds of cyber liability? Yes, there are two types of cyber risk: first-party and third-party. First-party risk is the liability a company has when its customer data is hacked (this is the liability Target faces right now). Third-party liability is the risk tech companies have when their products are hacked or when one of their clients is hacked thanks to their negligence. For instance, Target could sue the developers that built the software that was hacked.
  • Is there a cyber liability law that I have to follow? Yes, but unfortunately, there isn't just one law – there are many. Each state sets its own laws regulating how businesses have to respond to a data breach. Depending on where your customers live, you might have to follow multiple laws. If you work with medical businesses, you'll have to follow medical data guidelines established in HITECH and HIPAA. (For more on your legal obligations following a client data breach, check out "What Are IT Professionals Legally Responsible for?").
  • How expensive is a data breach? Really expensive. Research firm Symantec estimates that a data breach costs $188 per stolen record. For example, if a software engineer's code is hacked and 1,000 customers' data is exposed, on average a data breach that size would cost $188,000. This cost is so high because breaches can spur multiple lawsuits and ongoing expenses as firms work to prevent their customers from suffering full-fledged identity theft.
  • Are data leaks becoming more common? In just the last two weeks, Target, Snapchat, and Yahoo were all victims of data breaches. The prevalence of attacks makes you wonder, are data breaches unavoidable? More and more experts are starting to think so. Bloomberg's Businessweek recently lamented that even big corporations like Target that spend millions on IT infrastructure are simply "outgunned" by hackers. Numerous organizations, including the Washington Post, have dubbed 2013 "The Year of Cyber Security."

What Small Businesses Can Learn from Target's Data Breach

What does Target's massive data breach mean for small business cyber liability? Despite being much smaller than Target, a small IT company or tech contractor faces the same cyber threats and must meet similar legal obligations after a breach.

Here are five lessons you can learn from Target's breach:

  1. You're up against hackers from all over the world. The hacker behind the Target breach appears to be a Ukrainian man. The international nature of data breaches makes them especially complicated because data can be sold overseas, and in this case has been used to make foreign credit card replicas, which are notoriously difficult to trace.
  2. Response time matters. One of the common complaints showing up in lawsuits is that Target took too long to respond to the breach. Indeed, journalists and consumers knew about the breach before Target officially acknowledged it. Data breach laws vary state by state and some are vague about how quickly a company must inform customers. This ambiguity means customer lawyers have leeway to claim you failed to work fast enough.
  3. Loss of trust leads to lost profits. Target's stock price dropped immediately following the attack. Since then, Target has been struggling to restore customer faith. 
  4. Data breaches are long and painful. The breach itself is just the beginning. Litigation can last years. Many individual lawsuits will probably snowball into a "class-action" lawsuit, which is when multiple lawsuits are combined to form a single massive suit against the company. These can be some of the most expensive lawsuits. Early estimates suggest Target will end up spending over $100 million in legal fees.
  5. More legal trouble awaits. In addition to lawsuits from customers, Target will have to deal with investigations from state Attorneys General and consumer advocacy groups. As a business that uses a credit card terminal, Target might even face investigations from PCI, the trade organization that certifies point-of-sale systems.

E&O Coverage: How IT Companies Limit Their Cyber Risk

Increasing your software testing, reviewing security standards, and adopting other best practices are all good ways of limiting risk. But you can't avoid all risk.

Many of your clients know this and will require you to purchase Errors and Omissions Insurance before signing a contract with them. Most E&O policies sold to IT firms cover third-party cyber risk, which is most likely the kind you face the most.

These small business insurance policies pay for lawsuits when clients sue you over data breaches, professional negligence, software defects, security flaws, and other cyber risk issues.

To learn more about E&O insurance rates, look at our sample IT insurance quotes.

