[BreachExchange] Can a cyberattack lead to your business being sued?

[Audrey McNeil]

http://sociable.co/business/cyberattack-business-sued/

The media often has reports of high-profile cyberattacks on large
organizations and corporations. This leaves many small business owners
believing that their businesses are safe simply because they’re small. This
is a dangerous belief to hold.

Consequently, if you have a small business, it’s quite likely for it to
fall victim to a cyberattack of some sort. This is especially true if your
business has many social media accounts, as they’re often easier to hack
due to poor security controls and privacy settings.

It’s essential that you implement strong security measures that will make
it more difficult for hackers to attack your business. It also raises the
question of whether or not your business can get sued if your business is
hacked and customer data is exposed.

The Legal Consequences of Exposed Customer Data

In the UK, organizations that experience data breaches that lead to
exposure of people’s personal information due to inadequate security can be
fined or prosecuted by the Information Commissioner’s Office (ICO) under
the Data Protection Act (DPA). The DPA also allows for civil suits after
data breaches.

The EU also has a set of data protection regulations which are very similar
to those of the UK’s DPA. After we had learned of the news that the UK will
leave the European Union (EU), however, the situation became quite
complicated. Nevertheless, both the UK’s DPA and the EU’s data protection
regulations allow for fines, criminal prosecution and civil lawsuits.

This means that if your business falls prey to a cyberattack and your
customer information is exposed, your customers can sue your business. In
the UK, customers can and do resort to class-action lawsuits. In 2013, 14
people settled for £43,000 after bringing a class-action lawsuit against
the London Borough of Islington. This happened after their personal data
was disclosed without their permission.

This type of lawsuit is more common in the United States and can result in
extremely large settlements. Target found itself in this situation after an
enormous data breach in 2013 that exposed customers’ banking details. After
the class-action, Target agreed to pay $10 million in damages to settle the
lawsuits. So, depending on the size of the data breach, your business can
face massive financial losses.

Civil lawsuits are not the only problem your business might face after a
data breach. As mentioned earlier, your business can be fined under either
the DPA or EU regulations. For example, the Islington council had to pay
£70,000 in fines under the DPA. This was in addition to the £43,000
settlement. Think W3 was also fined by the ICO after a hacker obtained
1,163,996 credit and debit card records. The ICO commented that the lapse
in security was “staggering” and imposed a £150,000 fine on the business.

The comment by the ICO in the Think W3 case indicates that you do have some
control over the outcome of a data breach. Essentially, the better your
security, the less likely you are to be sued or fined. So it’s crucial that
you use strong security measures and follow the correct procedures if your
business does get hacked.

How to Protect Your Business from Getting Hacked

Given the extent of the financial losses your business could face, it’s
critical to do your best to avoid getting hacked in the first place. The
following measures will improve your business’ security and diminish the
potential for civil suits or fines:

Use strong passwords, especially for social media accounts (They present a
major weakness in business security)
Encrypt all your customer information
Activate all your system logs
Use a Virtual Private Network (Secure Thoughts has recommendations as to
which one)
Install anti-virus software on all your business devices
Use a firewall
Back up your website and social media page content regularly
Moderate the user comments on your social media pages
Use two-factor authentication
Train your staff in proper security practices
Get proper cyber insurance (This won’t prevent cyberattacks, but it will
help your business’s financial situation in the event of a cyberattack)

While these security measures won’t necessarily prevent every type of
cyberattack, they will certainly make it more difficult for anyone to hack
your business.

What to Do If Your Business Gets Hacked

If your business does get hacked, there are certain procedures that you
should follow to avoid further security breaches and diminish its liability.

Hire a legal representative as soon as possible.
Review your system logs to find out what type of cyberattack has occurred
(you need to know what you’re dealing with to fix it).
Fix the system weakness as quickly as possible.
Check for other security weaknesses and repair them as well.
Notify the ICO and all other relevant organizations of the breach as soon
as possible
Notify your customers of the breach (this is not currently required by the
Data Protection Act, but the ICO strongly recommends that you do).
Contact your insurance company to find out if you can submit an insurance
claim.

Following the proper procedure after your business is hacked is essential
to limit your liability. This procedure applies when any of your systems
come under attack, including social media accounts.

Conclusion

Cyberattacks are only going to become more of a problem over time,
especially given the speed at which technology advances and the increasing
number of businesses with website and social media accounts. Cyberattacks
will become more common, and hackers will find new ways bypass security
measures. This is why it is so important to understand your business’s
potential liability, how to avoid being hacked, and what to do if your
business does get hacked.

Has your business website or social media account been hacked? How did you
handle the situation? Please let us know your thoughts in the comments
below.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161031/4266371f/attachment.html>