Posted on Mar 04, 2015 by Carmelo B. Sammataro
Some of the biggest names in American business were the victims of data breaches last year, but hackers didn’t limit their attacks to companies such as Target, Home Depot and eBay. If trends hold, almost half of American businesses each year will have sensitive data stolen, according to the Ponemon Institute, which studies cybersecurity.
While big companies may be able to absorb the financial damage, for smaller companies, data breaches could wreck their business. Costs include lost revenue, loss of customer confidence, lost productivity, extra tech work to fix problems and, sometimes, civil damages or government fines.
For small business owners, data security should be as important as a lock on the door and a burglar alarm. And your lawyer should be a key adviser. As lawyers, our job is to help clients identify and manage risks. We may not be computer experts, but we can advise you on the legal consequences of allowing data to fall into the wrong hands.
South Carolina law holds businesses accountable
In South Carolina, the Legislature is serious about holding businesses accountable for data breaches, and the law allows anyone affected by a breach to sue for damages. The state also can fine a business up to $1,000 per resident affected by a breach. To put that into perspective, a flower shop that stores repeat customers’ credit card numbers could face a $100,000 fine if a thief stole just 100 names from its database.
The law also requires businesses to notify those whose information was stolen “in the most expedient time possible.” There are some conditions as to how this should be done, but the bottom line is that all businesses have to notify each customer right away – and that’s expensive.
There is a lifeline
The law does throw a clear lifeline to businesses. Stolen information that is encrypted, or otherwise rendered unusable by a thief, is not subject to fines or civil damages.
Most aspects of this law have not yet been tested extensively by lawyers or interpreted in the courts, but the encryption provision seems to indicate that the Legislature wanted to give businesses the benefit of the doubt if they proactively took strong measures to protect data. (Financial institutions are excluded from the law because they are subject to the security provisions of federal law.)
Here are the key takeaways for businesses that want to be proactive in protecting data:
Remember, a data breach is a technical and legal problem. Ask your legal counsel if you’re doing everything you can to protect your business from a cyberattack and its aftermath.
Carmelo B. Sammataro is a shareholder at Turner Padget in Columbia, S.C. He has broad experience in protecting business clients in litigation, including product liability and professional negligence claims. He may be reached at (803) 227-4253 or by email at firstname.lastname@example.org.