The Legal Costs Of A Data Breach: How One Break Can Spell Disaster
Dan Levenson April 26, 2016
Hackers and computer viruses are everywhere. Even the best, most skilled, and most conscientious organizations in the world occasionally experience data breaches. Even the federal government’s Office of Personnel Management has experienced problems. In 2015, hackers broke into this well-secured agency’s databases to steal confidential information about federal employees.
The legal costs of a data breach can be exorbitant. In 2014, hackers used a vendor’s credentials to breach Home Depot’s network. The hackers used this access to steal credit card and payment information for 50 million shoppers. As a result, Home Depot has agreed to spend nearly $20 million to reimburse affected customers and provide identity protection services for consumers.
In addition to direct costs, the data breach has caused harm to Home Depot’s image among customers and required the company to pay its employees to manage breach-related problems. In November of 2015, Home Depot announced that its total cost for breach-related expenses would exceed $150 million.
Who Is Liable For A Data Breach?
As mentioned before, the breach took place when hackers got access to a vendor’s authentication credentials. In a case like this, the vendor may have some financial liability, and might be forced to pay some or all of the home improvement retailer’s expenses.
Data breach victims have sued IT vendors over issues related to data breaches. Bloomberg Law reports that, in 2014, HarborOne Bank sued both Target and Trustwave, Target’s IT security vendor, over losses related to Target’s data breach. HarborOne claimed that Trustwave was liable because it had certified Target as being compliant with retail industry data security standards prior to the breach.
While good security practices can reduce the risk of a data breach, they cannot eliminate the risk. Because of this, even the best IT professionals need appropriate insurance.
What Type Of Insurance Protects Against Data Breaches?
Cyber liability insurance, also known as cyber theft or data breach insurance, helps to address the liability that companies like IT contractors and staffing agencies generate through their use of other companies’ login credentials. Cyber liability insurance typically covers at least three main areas of liability: data breach management, network security, and media liability.
Data breach management coverage protects you from the cost of dealing with a data breach emergency. This coverage may pay for costs such as investigation, network remediation, legal fees, and credit checks for those whose data has been illegally accessed.
Network security coverage protects you from third-party damages related to unauthorized access to your network. Media liability coverage protects you if you are accused of infringing intellectual property rights (except patent rights).
The Consequences Of A Data Breach
Recently, IT vendors have been hit by lawsuits related to breaches of their customers’ networks. In 2013, a Nevada-based casino operator started receiving notifications that customers’ credit card information had been misused. The casino operator, Affinity Gaming, was a victim of a data breach.
Affinity Gaming hired Trustwave, a data security firm from Chicago, to remove the offending malware from its systems. Trustwave investigated Affinity’s network, removed malware and declared the job to be as close to complete as possible.
A second data breach occurred within three months. Affinity Gaming believes that Trustwave failed to fully investigate the first breach. In particular, Affinity claims that Trustwave failed to investigate anomalous communications involving a piece of malware that it did not identify. Affinity is suing Trustwave for fraud, gross negligence, and a variety of other claims.
Who Needs These Types Of Insurance?
Traditionally, engineers and architects have carried errors and omissions insurance. Today, the obligation to maintain insurance extends to IT vendors, IT staffing agencies, and other organizations that work with networks that belong to third parties. This insurance protects professionals from liability when a client believes that their work contributed to a harmful event. Errors and omissions insurance can be coupled with cyber liability insurance or can have a cyber liability component included in it.
If your business provides IT services, errors and omissions or cyber liability insurance can protect you if your or your customers’ network is hacked. This type of insurance can provide legal counsel and help to pay for damages if you are found to be liable for harm.
Data breaches can be expensive. Although good IT security practices can reduce the risk of a breach, they cannot eliminate it. If you or your company might be at risk of liability for data or login credentials belonging to others, please contact us.