Can a cyberattack lead to your business being sued?
The media often has reports of high-profile cyberattacks on large organizations and corporations. This leaves many small business owners believing that their businesses are safe simply because they’re small. This is a dangerous belief to hold.
Consequently, if you have a small business, it’s quite likely for it to fall victim to a cyberattack of some sort. This is especially true if your business has many social media accounts, as they’re often easier to hack due to poor security controls and privacy settings.
It’s essential that you implement strong security measures that will make it more difficult for hackers to attack your business. It also raises the question of whether or not your business can get sued if your business is hacked and customer data is exposed.
The Legal Consequences of Exposed Customer Data
In the UK, organizations that experience data breaches that lead to exposure of people’s personal information due to inadequate security can be fined or prosecuted by the Information Commissioner’s Office (ICO) under the Data Protection Act (DPA). The DPA also allows for civil suits after data breaches.
The EU also has a set of data protection regulations which are very similar to those of the UK’s DPA. After we had learned of the news that the UK will leave the European Union (EU), however, the situation became quite complicated. Nevertheless, both the UK’s DPA and the EU’s data protection regulations allow for fines, criminal prosecution and civil lawsuits.
This means that if your business falls prey to a cyberattack and your customer information is exposed, your customers can sue your business. In the UK, customers can and do resort to class-action lawsuits. In 2013, 14 people settled for £43,000 after bringing a class-action lawsuit against the London Borough of Islington. This happened after their personal data was disclosed without their permission.
This type of lawsuit is more common in the United States and can result in extremely large settlements. Target found itself in this situation after an enormous data breach in 2013 that exposed customers’ banking details. After the class-action, Target agreed to pay $10 million in damages to settle the lawsuits. So, depending on the size of the data breach, your business can face massive financial losses.
Civil lawsuits are not the only problem your business might face after a data breach. As mentioned earlier, your business can be fined under either the DPA or EU regulations. For example, the Islington council had to pay £70,000 in fines under the DPA. This was in addition to the £43,000 settlement. Think W3 was also fined by the ICO after a hacker obtained 1,163,996 credit and debit card records. The ICO commented that the lapse in security was “staggering” and imposed a £150,000 fine on the business.
The comment by the ICO in the Think W3 case indicates that you do have some control over the outcome of a data breach. Essentially, the better your security, the less likely you are to be sued or fined. So it’s crucial that you use strong security measures and follow the correct procedures if your business does get hacked.
How to Protect Your Business from Getting Hacked
Given the extent of the financial losses your business could face, it’s critical to do your best to avoid getting hacked in the first place. The following measures will improve your business’ security and diminish the potential for civil suits or fines:
- Use strong passwords, especially for social media accounts (They present a major weakness in business security)
- Encrypt all your customer information
- Activate all your system logs
- Use a Virtual Private Network
- Install anti-virus software on all your business devices
- Use a firewall
- Back up your website and social media page content regularly
- Moderate the user comments on your social media pages
- Use two-factor authentication
- Train your staff in proper security practices
- Get proper cyber insurance (This won’t prevent cyberattacks, but it will help your business’s financial situation in the event of a cyberattack)
While these security measures won’t necessarily prevent every type of cyberattack, they will certainly make it more difficult for anyone to hack your business.
What to Do If Your Business Gets Hacked
If your business does get hacked, there are certain procedures that you should follow to avoid further security breaches and diminish its liability.
- Hire a legal representative as soon as possible.
- Review your system logs to find out what type of cyberattack has occurred (you need to know what you’re dealing with to fix it).
- Fix the system weakness as quickly as possible.
- Check for other security weaknesses and repair them as well.
- Notify the ICO and all other relevant organizations of the breach as soon as possible
- Notify your customers of the breach (this is not currently required by the Data Protection Act, but the ICO strongly recommends that you do).
- Contact your insurance company to find out if you can submit an insurance claim.
Following the proper procedure after your business is hacked is essential to limit your liability. This procedure applies when any of your systems come under attack, including social media accounts.
Cyberattacks are only going to become more of a problem over time, especially given the speed at which technology advances and the increasing number of businesses with website and social media accounts. Cyberattacks will become more common, and hackers will find new ways bypass security measures. This is why it is so important to understand your business’s potential liability, how to avoid being hacked, and what to do if your business does get hacked.
Has your business website or social media account been hacked? How did you handle the situation? Please let us know your thoughts in the comments below.
Cassie Phillips writes a tech blog with a heavy security focus. She hopes that this post will help business owners protect their businesses from lawsuits and cyberattacks. You can find her on Twitter.