Turner Padget Insights
Don't Let Hackers Cripple Your Business
Posted On Mar 04, 2015
Some of the biggest names in American business were the victims of data breaches last year, but hackers didn’t limit their attacks to companies such as Target, Home Depot and eBay. If trends hold, almost half of American businesses each year will have sensitive data stolen, according to the Ponemon Institute, which studies cybersecurity.
While big companies may be able to absorb the financial damage, for smaller companies, data breaches could wreck their business. Costs include lost revenue, loss of customer confidence, lost productivity, extra tech work to fix problems and, sometimes, civil damages or government fines.
For small business owners, data security should be as important as a lock on the door and a burglar alarm. And your lawyer should be a key adviser. As lawyers, our job is to help clients identify and manage risks. We may not be computer experts, but we can advise you on the legal consequences of allowing data to fall in to the wrong hands.
South Carolina law holds businesses accountable
In South Carolina, the Legislature is serious about holding businesses accountable for data breaches, and the law allows anyone affected by a breach to sue for damages. The state also can fine a business up to $1,000 per resident affected by a breach. To put that into perspective, a flower shop that stores repeat customers’ credit card numbers could face a $100,000 fine if a thief stole just 100 names from its database.
The law also requires businesses to notify those whose information was stolen “in the most expedient time possible.” There are some conditions as to how this should be done, but the bottom line is that all businesses have to notify each customer right away – and that’s expensive.
There is a lifeline
The law does throw a clear lifeline to businesses. Stolen information that is encrypted, or otherwise rendered unusable by a thief, is not subject to fines or civil damages.
Most aspects of this law have not yet been tested extensively by lawyers or interpreted in the courts, but the encryption provision seems to indicate that the Legislature wanted to give businesses the benefit of the doubt if they proactively took strong measures to protect data. (Financial institutions are excluded from the law because they are subject to the security provisions of federal law.)
Here are the key takeaways for businesses that want to be proactive in protecting data:
- A breach is a business crisis, and it’s potentially a big legal problem. Do everything you can to avoid becoming a victim of hackers, because it will be expensive.
- Start with a review of your data. Identify whatever is sensitive, which will include personal information about customers such as names, addresses, bank account and social security numbers, and anything useful to an identity thief.
- Review your procedures and establish best practices. This will include technical measures such as firewalls and encryption, but establishing procedures for the way employees access your data using passwords and mobile devices also is important.
- Get professional help. It will be worth the expense to have a consultant come in to assess your vulnerability. And that will also help your lawyer defend you if you should end up on the wrong end of a lawsuit.
- Have a plan for when bad things happen. If Fortune 500 companies can get hacked, no business is safe. A recovery plan should include technical fixes, notification procedures, assignment of responsibilities, dealing with law enforcement and taking measures to limit your legal exposure.
Remember, a data breach is a technical and legal problem. Ask your legal counsel if you’re doing everything you can to protect your business from a cyberattack and its aftermath.
Carmelo B. Sammataro is a shareholder at Turner Padget in Columbia, S.C. He has broad experience in protecting business clients in litigation, including product liability and professional negligence claims. He may be reached at (803) 227-4253 or by email at ssammataro@turnerpadget.com.
