In a recent article, I went over what you need to do when hackers steal your customers' private data (for the first part in this series about data breach liability read "What's Your Data Breach Notification Plan? (Part 1 of 2)"). Now let's go over what you need to do when a client's customer information is stolen in a data breach.
For starters, you should know you can be held responsible for data breaches on client computers. If you set up their network, install software, or make IT recommendations to clients, you can be sued if anything goes wrong.
Third-Party Data Breaches
Before we start talking about lawsuits and what you can do to prevent them, let's go over the different kinds of data breaches that can happen on client computers.
A data breach is when someone gains unauthorized access to data. Unauthorized personnel may access client data to install malware (like viruses and ransomware), download personal information and commit identity theft, or steal trade secrets and intellectual property.
To get a better understanding of these threats, let's go over the different sources of data breaches.
- Insider data breaches. A recent study by SpectorSoft revealed that 23% of firms have suffered an insider data breach. These breaches happen when employees take information from their employers' computers and put it on their own computers, USB drives, or cloud storage. Studies show that employees who steal intellectual property from their employer tend to do it within 30 days of leaving the company. To prevent insider data breaches, you should have a protocol in place to check employee activity logs around the time they hand in their notice.
- Targeted attacks by hackers. As you probably know, hackers may try to break into your clients' computers, looking for personal information like credit card numbers, SSNs, and other data that they can use to steal money. More and more, hackers are also using ransomware, a type of malware that encrypts your clients' data and refuses to release it unless your client pays a "ransom."
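The "check activity logs around the time they hand in their notice" protocol above can be automated. The script below is an added example, not code from the article or from SpectorSoft: it parses a small endpoint log (the log lines, user names, dates, the 30-day lookback and the size threshold are all constructed for illustration), joins it against the dates employees gave notice, and flags large file transfers to USB drives or personal cloud storage inside the review window so a human can look at them.

```python
"""Added example: flag file transfers to removable media or personal cloud
storage in the window around an employee's notice date. Not the article's own
code; every log line, name, date and threshold below is constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample log. Fields: timestamp, user, action, source path,
# destination, bytes. Paths are assumed to contain no spaces.
SAMPLE_LOG = r"""
2024-03-01T09:12:00 alice copy \\fileserver\projects\roadmap.docx usb:E: 2400000
2024-03-02T17:45:00 alice upload clients.xlsx cloud:dropbox.com 18500000
2024-03-03T10:05:00 bob copy notes.txt usb:F: 4000
2024-03-20T11:00:00 alice upload design-specs.zip cloud:drive.google.com 95000000
2024-04-15T14:30:00 alice copy readme.md local:C:\tmp 1200
"""

# Constructed: the date each departing employee handed in notice.
NOTICE_DATES = {"alice": date(2024, 3, 22)}
LOOKBACK_DAYS = 30                        # review window before the notice date
LOOKAHEAD_DAYS = 14                       # and a short window after it
REMOVABLE_PREFIXES = ("usb:", "cloud:")   # destinations outside company control
SIZE_THRESHOLD = 1_000_000                # bytes; ignore tiny files such as notes


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    destination: str
    size: int


def parse_log(text):
    """Parse the six-field log format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, dest, size = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, path, dest, int(size)))
    return events


def flag_pre_departure_transfers(events, notice_dates, lookback_days=LOOKBACK_DAYS,
                                 lookahead_days=LOOKAHEAD_DAYS, size_threshold=SIZE_THRESHOLD):
    """Return events by departing users that fall inside the review window
    and moved a file above size_threshold to removable media or a cloud
    destination. Everything else is left alone for the reviewer to skip."""
    flagged = []
    for ev in events:
        notice = notice_dates.get(ev.user)
        if notice is None:                      # not a departing employee
            continue
        window_start = notice - timedelta(days=lookback_days)
        window_end = notice + timedelta(days=lookahead_days)
        if not (window_start <= ev.ts.date() <= window_end):
            continue
        if ev.destination.startswith(REMOVABLE_PREFIXES) and ev.size >= size_threshold:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in flag_pre_departure_transfers(parse_log(SAMPLE_LOG), NOTICE_DATES):
        print(f"{ev.ts:%Y-%m-%d} {ev.user} {ev.action} {ev.path} -> {ev.destination} ({ev.size} bytes)")
```

Run against the constructed log, the script flags alice's three transfers to USB and cloud destinations in the 30 days before her notice and ignores bob (no notice on file) and alice's later local copy. In practice the notice dates would come from HR and the events from your endpoint or DLP logging, and the thresholds should be tuned to the client's normal traffic so the list stays short enough to review by hand.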
Understand Your Legal Requirements for Data Breach Notifications
State laws require businesses to notify their customers if any personal information is unlawfully accessed in a data breach. The tricky thing about this is that each state sets its own requirements. There is no universal federal law.
Instead, you'll have to look up state laws for your clients and their customers (a helpful resource is this state-by-state data breach guide by the corporate law firm Perkins Coie). Combing through these laws is time-consuming and complicated, but if you fail to adhere to the various regulations that govern data protection, you could face additional lawsuits or legal fines.
Damage Control: Prevent Data Loss and Minimize Damage
When a client's data is hacked, you need to respond quickly and effectively. Having a data breach plan in place can save you time in these crucial moments. Here are some steps that all data breach plans need to have.
- Prepare your client ahead of time. The only way you'll be able to respond effectively to a client's security breach is if you are on the same page. You should share your data breach security plan with your clients, explain proper safety protocol, and emphasize that time is of the essence in these situations. A failure to respond quickly to data breaches can increase your liability exposure. Emphasize to clients the importance of informing you as soon as they become aware of a data breach.
- Shore up their defenses. After a data breach occurs, you'll need to figure out what caused it and address any weaknesses immediately.
- Fortify their data. You should have strong data protection services that back up client data almost continuously. Having cloud-based data backup can be especially helpful in this situation. As the data backup company Intronis points out, cloud backup can neutralize ransomware attacks. When hackers use ransomware, they encrypt your data and refuse to decrypt it until you pay them a ransom. However, because cloud backup services store data outside your network on a third party's cloud, your backups won't be affected by the malware.
- Notify affected parties. As we saw above, you or your client will have to notify any customers whose private data may have been breached, following the requirements of the applicable state laws.
- Protect your cyber liabilities. Data breaches are expensive and can cause your clients to lose business and suffer damages to their reputation. Cyber Liability Insurance pays for lawsuits when your clients sue you over a data breach. Though you can work to prevent data breaches and have a strong plan to respond to them, the best way to protect yourself from lawsuits is through Cyber Liability coverage.