It may seem unfathomable, but it's true: you can be sued when software, SaaS, cloud storage, or technology made by another company is hacked. Why are you liable for another company's products? It's simple: you're liable for anything you recommend to a client.
To better understand how third-party liabilities work, let's look at a recent data breach in Goodwill's point-of-sale system.
IT Data Breach Liability: Goodwill's POS System Hacked
When CK Systems announced the data breach in a press release, it acknowledged that its POS system failed and exposed Goodwill's customer data for 18 months. (That's right – Goodwill's chain of resale stores suffered a data breach for a year and a half!)
Let's say an IT consultant had recommended Goodwill use CK Systems for their POS system. Goodwill could sue the contractor over the 18-month data breach, claiming damages to the store's reputation, lost profits, and losses for money spent repairing and replacing its faulty credit card system. Even though the consultant didn't write the software or design the POS technology, they are liable for recommending it and could be on the hook for millions in damages.
What to Learn from an 18-Month Data Breach
With all the stories of data breaches in the news, it's easy to be overwhelmed. In particular, IT consultants need to pay attention to four key takeaways:
- Data breaches are hard to detect. Many data breaches last months before someone catches on. Don't assume that the third-party service you recommend will be able to spot and stop a data breach. In reality, businesses struggle to do so. By the time a breach is stopped, your clients could have lost months of customer data.
- Even "brand name" IT comes with significant risks. It doesn't matter whether you recommend a top-of-the-line SaaS, cloud storage, POS system, mobile payment system, or another IT solution – you can be liable. Recently, hackers have shut down big-name IT providers like Salesforce and NeuStar. In "The Puns Are Bad, but the Security Threats Are Worse," we profiled how many off-the-shelf routers (aka SOHO routers) had firmware vulnerabilities that could lead to hacks. As it turns out, you can be sued for recommending off-the-shelf devices. There's liability everywhere.
- Some technology is especially susceptible. In the last 12 months, retailers with old credit card machines have been hit time and time again as hackers use the same malware tricks to steal data. Given that a risk like this is well documented, a court may quickly rule that you should have taken more steps to prevent a POS attack and hand down a 6-figure judgment against you.
- Many businesses rely on old technology. As an IT consultant, you've undoubtedly worked with many clients who have a patchwork of IT solutions – some new and some old. Businesses get so used to their workflow that they're hesitant to switch from old technology to new. Other businesses have legitimate concerns about new technology not working with certain formats they need in their industry. But relying on old technology is risky because it's more susceptible to hacks. POS machines are a great example: despite security flaws, they persist in the retail world.
Given the way IT liability works, it's crucial for consultants and contractors to make sure their Professional Liability Insurance (also called Errors and Omissions Insurance) is adequate to protect them from third-party data breach liability. You can get free quotes by submitting an online insurance application.