With the news full of stories about the NSA's Prism project, Edward Snowden's status as a fugitive, and Chelsea Manning's recent conviction for leaking classified documents, more and more Americans are asking questions about data security and data risk management. Among those who deal with matters of cyber risk most often are the owners of IT and technology businesses, who are often responsible for decisions about data hosting, cloud computing, and transmitting sensitive client data.
So what exactly is cyber liability? And how does it affect IT professionals who work as independent contractors or own a business? Read on for answers.
Cyber Liability: Your Legal Responsibility for Digital Assets
The simplest definition for cyber liability is legal responsibility for "cyber" assets, which might include email, websites, customer information, and any other data or material stored digitally (on the cloud, on a machine's hard drive, or on external storage devices).
It's easier to understand the essence of cyber liability by comparing it to a more tangible form of liability. Think about the property liability that owners of real estate have:
- Responsibility for maintenance and repairs.
- Responsibility for keeping out criminals.
- Responsibility for paying taxes and other dues.
Cyber liability works in much the same way. As the owners of cyber properties (software, code, a website, etc.), IT professionals are legally liable for:
- Maintaining those properties (e.g., by installing patches to correct vulnerabilities).
- Establishing and maintaining security elements (firewalls, antivirus protection, encryption, etc.).
- Paying fines or penalties if and when they violate state and federal cyber laws.
And just as real estate owners have to take into consideration thieves breaking in (or walking in legally) and taking physical property they have no right to, the owners of digital properties have to consider how hackers and viruses can compromise the safety of those properties.
Avoiding Data Loss & Financial Loss: Cyber Risk Management
If you own a home, it's pretty clear what you have to do to protect yourself from thieves and criminals: keep locks on your door, invest in good lighting, maybe buy an alarm system. Keep your most valuable assets out of sight.
For IT professionals, protecting cyber assets is a little less straightforward, in part because the threats to digital data are constantly shifting. But standard cyber safety measures (like using strong and regularly updated passwords, installing antivirus software, encrypting data, and limiting access to sensitive information) go a long way toward minimizing the likelihood that your business will be responsible for data loss.
Another reason to maintain strong data security? State laws often require certain baseline cyber protections, especially for businesses that work with clients in certain industries (e.g., banking services).
If you serve clients in the healthcare sector, federal legislation (specifically HIPAA and HITECH) outlines data protection protocols to follow, along with steep fines for companies that fall short - even if no data breach incident occurs. How? Starting this fall, the HITECH Act permits regulators from the Department of Health and Human Services to conduct random audits of HIPAA-regulated entities and the companies they work with.
For more on HITECH's regulations, read "HITECH: The Strictest Data Protection Law" in our blog.
IT Professionals: Double Cyber Liability Exposure
One final note about cyber liability for those in IT fields: in addition to having responsibility for the data your company handles (e.g., credit card or bank account numbers for your clients - known as first-party liability), you may be liable for the sensitive data your clients handle.
Why? Because chances are good that you were involved in the process of implementing, building, or choosing at least one of the tools they use to store, collect, or process that data. This means that if any of your clients experiences a data breach, you could be named in a lawsuit for having third-party cyber liability. (Read more about this in the blog post "Third-Party Vs. First-Party Cyber Risk Insurance.")
The bad news? You can only do so much to control how your clients implement data security protocols. The good news? You can