Target, Home Depot, Chase Bank and even Dairy Queen. Not a week goes by when news headlines aren’t filled with announcements that another large American-based company is the victim of a data breach or cyber attack.
While larger companies are grabbing the most attention, small and medium-sized businesses (SMBs) are also at risk of having their customer data breached. These breaches may be less publicized, but they have been popping up throughout the country. This includes the Southeast, where we have seen data breach lawsuits filed against local companies in both federal and state courts, including at least one filed in Alabama.
In many respects, SMBs make much more attractive targets for cyber-thieves. Because SMBs typically have fewer resources to combat these threats than large national and international corporations, cyber thieves see SMB customer data as “low-hanging fruit.” Hackers and other data thieves know that these smaller companies often possess valuable customer personal information, yet they may not be appropriately protecting this data from possible theft or inappropriate disclosure.
In some respects, a data breach involving an SMB can be far more devastating for the company than a similar breach at a larger company. Although SMBs typically hold data on fewer customers, hackers and data thieves who target SMBs are most likely motivated solely by the intent to misuse that customer data. In contrast, hackers or data thieves who attack large corporations may have different motivations that are not solely financial. For instance, some of the international hackers who have breached large corporations’ data were motivated by political reasons. Some are merely chasing the thrill of being able to breach a large corporation’s IT security systems. Hackers targeting large corporations may never actually use the data that is stolen.
The motivation and use of this customer data is particularly important, because in consumer lawsuits dealing with data breaches, one of the key issues is whether or not the consumer’s data has been misused in an inappropriate or criminal manner. Hackers and data thieves who are motivated financially typically sell the customer information they acquire or use it themselves to create fraudulent accounts or access the customers’ existing accounts. Whether customers actually suffer economic losses from the misuse of their stolen personal information during a data breach could be paramount in determining the level of financial exposure a company may face as a result of consumers suing the company following a data breach. Remijas v. The Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. 2014).
While the motivation behind some data breaches at large companies may not be financial (and therefore may not result in any actual misuse of the stolen customer data), if a cyber attack occurs against an SMB, it can be presumed that the business was targeted so that the hackers or criminals could misuse the customer data for their own financial gain. This means an increased risk for SMBs in terms of the damages to the company’s clients and customers who have been affected by the data breach.
In addition to the potential for consumer lawsuits following a breach, there are other breach-related costs that can be devastating for an SMB:
- Determining the Scope of the Breach – Companies will incur expenses in their efforts to identify and determine the scope of the data breach. This may involve costs to hire a computer forensic company and legal fees associated with this process.
- Reputational Harm – SMBs can lose business if the community thinks that the company has not taken appropriate measures to protect clients’ personal information.
- Loss of Business – It is not uncommon for SMBs to have to shut down immediately following a data breach until the system can be repaired and protected from further attack. While a company’s operational system is down, the company could lose valuable revenue.
- Notification Requirements – There are often notification requirements that can be costly. Federal rules and regulations require a number of companies within certain industries to provide notifications to any customer affected by a data breach, and approximately 47 states have passed some form of a data breach notification law. While Alabama is currently not one of the 47 states that has a notification law, a notification bill has been introduced in previous years’ legislative sessions.
- Regulatory Proceedings – Federal, and even many state, agencies are becoming increasingly active in investigating SMBs following data breaches. Many of these agencies are self-funded, meaning that their budgets consist of funds obtained through the fines they impose. In addition to civil litigation from customers, SMBs can expect an investigation by whichever government agency (or agencies) has jurisdiction over the SMB or the type of data involved into whether a failure to meet a regulatory or statutory requirement was a factor in the data breach or theft. Additionally, credit card companies whose cards the SMB accepts as payment impose stringent data security and notification requirements – the violation of which can lead to fines, increased fees and even the termination of the ability to accept credit card payments.
For SMBs, there is also the threat that a data breach could originate from within the company. Christian & Small is currently defending a data breach lawsuit involving theft of customer information by an employee. It is important for SMBs not only to evaluate the security of their customers’ information, but also to evaluate who has access to that information from within the company itself. Just as a company restricts its employees’ access to checks and financial information, companies must also evaluate the appropriate limits for employee access to information such as names, dates of birth and, specifically, social security numbers. Again, rogue employees are typically motivated to use this information for financial gain, which in turn can create a potential for significant liability and post-breach lawsuits.
There are two primary sources of the problems that lead to data breaches at companies, especially SMBs. First, hackers often target point-of-sale systems to access a customer’s financial information. It is imperative for any company that receives a customer’s financial information to make sure that the point-of-sale systems it uses have security measures in place that are compliant with the credit card industry’s requirements.
Second, companies often find themselves in data breach situations caused by a lack of precautions regarding personal laptop computers, employee cell phones and personal computers. Human error and behavior still account for about one-third of data breaches. It is important that companies evaluate the different company and employee devices on which customer private information is stored. All company laptops should be encrypted, and a company should restrict an employee’s ability to store customers’ personal information on their own individual devices, such as personal computers, cell phones and tablets. The company should also have the ability to wipe portable devices remotely.
In light of all the data breach issues that have surfaced recently, as well as the costs that can result from such an attack, it is important for SMBs to work with their insurance agents or brokers to determine what insurance products are available that are cost-effective in protecting the company from a cyber attack or data breach. Over the last couple of years, there has been a proliferation in the number of insurance companies that are now writing cyber-liability policies. The protections and pricing for these policies can vary greatly, but policies can cover the costs associated with hiring a security firm to fix and contain the breach, the costs in sending notification to affected customers, as well as providing defense and indemnity in the event lawsuits are filed against the company as a result of the data breach. Some policies also provide coverage for public relations costs and business interruption coverage. Companies should not make the mistake of assuming their commercial general liability policy (CGL) will provide coverage for damages resulting from a data breach. It’s important for SMBs to proactively work with their insurance brokers and with legal counsel to ensure there are no coverage gaps and that appropriate insurance is in place.
It is also important for SMBs to evaluate their contracts with vendors. Credit card companies and other financial institutions are now allocating the risk of loss upon vendors and companies whose lax data security led to a data breach. Lawsuits have been filed by credit card companies and banks seeking reimbursement of costs resulting from the company’s alleged failure to act appropriately in the protection of its customers’ financial and personal information. It is important to work with legal counsel to evaluate those contracts to be aware of where the allocation of risk stands.
Because the cost of a data breach can be so detrimental for SMBs, it is important for them to evaluate and improve their data security practices and processes. A number of different companies provide security audits, although their qualifications vary greatly. These companies, in conjunction with legal counsel, can develop strategies and evaluate security and legal procedures to determine how best to minimize the risk of a data breach.
Overall, identity theft is the fastest-growing crime in the United States and, despite technological advancements, data breaches and cyber attacks show no signs of weakening in either their frequency or their sheer magnitude. SMBs should take note of recent headlines about major national and international companies and evaluate their own internal practices and procedures to minimize these risks. Through appropriate safeguards, SMBs can protect themselves from being viewed as the low-hanging fruit by hackers and data thieves.