With the global shift to more digitally-dependent business operations, our personal information is becoming more and more vulnerable to breaches and theft.
Business owners are generally liable under data protection law for breaches of the personal data they hold, whether the attack came from inside or outside the organization. Why? Because it is the responsibility of businesses to protect the sensitive information their customers entrust to them, anything from location data to actual credit card numbers. Hence, cybersecurity is an essential investment for every enterprise.
Here are a few legal implications of not properly securing data:
1. Businesses are required to notify anyone affected by the breach.
The General Data Protection Regulation (GDPR), which protects the personal data of people in the EU, requires businesses to notify the affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
Although the GDPR protects data subjects in the EU, it is not limited to EU-based companies. It has extraterritorial scope: a business anywhere in the world that offers goods or services to people in the EU, or monitors their behaviour, must comply, whether or not it has an establishment there.
Not only will you have to notify affected individuals, but you are also required to inform the regulator as soon as possible. Under the GDPR, a breach must be reported to the competent supervisory authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. For US-based companies, which regulator you must notify depends on the state and the sector: state breach-notification laws typically require notice to the state attorney general, and depending on your industry the FTC, the SEC, the FCC or another regulatory body may also have to be informed.
2. Business owners must immediately implement a cybersecurity response plan.
Notification and response are not sequential: as soon as a breach is discovered, the business must activate its existing incident response plan to contain the damage, and that work runs in parallel with notifying authorities and affected customers (the 72-hour clock does not wait for the investigation to finish).
This means the organization must mobilize its IT and security staff, coordinated with its Data Protection Officer where one has been appointed (the GDPR requires a DPO only for certain organizations, such as those whose core activities involve large-scale monitoring of individuals), to secure the remaining data and establish the extent of the compromise.
At this point, it is prudent for businesses to contact their legal counsel and insurance brokers promptly to identify available coverage and assistance.
3. Entrepreneurs will have to pay penalties.
More than a decade ago, Florida-based health insurance provider AvMed paid about $3 million to settle a class-action data breach lawsuit, all because it kept unencrypted copies of customers’ sensitive data on laptops that ended up being stolen. Imagine how much larger the bill would be if the incident happened today.
Indeed, regulators can levy fines large enough to put you out of business if you are careless about data breaches. Depending on the applicable federal and state laws, these can reach into the millions of dollars.
It gets worse.
Under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, the maximum fine for the most serious infringements is 4% of global annual turnover or 20 million euros (17.5 million pounds in the UK), whichever is higher; a lower tier of 2% or 10 million euros applies to other infringements. These are hefty penalties because they are computed on turnover, not profit.
4. You might have to see your day — or days — in court.
The next time you think investing in a comprehensive enterprise resource planning (ERP) program like JDE Software is too expensive for the business you’re trying to build, consider how much you would have to spend on legal representation if your business were sued for failing to protect customer data.
Data protection may be a relatively new legal category, but ample precedent already exists. Take the AvMed stolen-laptop case mentioned earlier. You might think the company should have been able to avoid footing the bill because unscrupulous outsiders chose to steal the hardware holding its database, but that is simply not the case: the exposure came from storing the data unencrypted in the first place.
The U.S. Supreme Court reinforced this in 2019 when it declined to review Zappos.com, Inc. v. Stevens, leaving in place the Ninth Circuit’s ruling that customers whose data was stolen may sue the company over the resulting risk of identity theft, even before the stolen data has been misused.
Failure to secure customers’ data is treated as negligence; good intentions are not a defense if reasonable safeguards were not in place.
Aside from federal laws, you likewise have to be mindful of state-level laws and regulations, both where your business operates and where your affected customers reside, since breach-notification statutes are generally triggered by the residency of the affected individuals.
In Georgia, for one, when a data breach occurs and the business fails to notify the affected clients or customers in time, the Attorney General may impose civil penalties of up to $500 for each resident who did not receive the required notice within the specified period.
Properly securing your business’s data is a serious matter, with even more severe repercussions if it is not handled appropriately. Don’t find yourself and your business on the wrong side of the law; take all necessary precautions to keep you, your business, and your customers safe in an era where cybersecurity can make or break a business.