How to avoid getting sued for a data breach
Data breaches are a growing threat for every business owner. But for IT professionals, the risks are especially high.
When an IT business leaves data exposed or unprotected, the potential fallout can be devastating. A data breach at your or your client’s business can:
- Hurt your reputation
- Drain your accounts
- Result in regulatory fines or penalties
And potentially more costly than any of these, a client could sue your IT company. That is a major risk for IT businesses: the damages from a data breach lawsuit could put you out of business.
To safeguard your business, you need to understand the risks of a data breach, why IT companies get sued, and how to protect yourself if a data breach occurs.
Why do data breaches happen?
A data breach happens when personal information like passwords, credit card numbers, Social Security numbers, or other data that should have been secured is disclosed.
This can be accidental. But most often it’s due to hackers attacking businesses to steal their data for financial gain. They then sell, ransom, or use this personal data for identity theft.
The most common reasons for data breaches include:
- Malware. Malicious software like viruses or ransomware is often spread through email links and websites. It’s designed to give a hacker access to a company’s network and systems.
- Weak credentials. Obtaining a user’s password is one of the easiest ways for a hacker to gain access. Lost or weak passwords are a leading cause of system hacks.
- Software vulnerabilities. Poorly designed or flawed software applications give hackers easy access to your network. Failing to keep system security patches up to date can also leave you or clients vulnerable to cyberattacks.
As an IT business owner, you can’t afford to neglect data security.
What’s the cost of a data breach?
The frequency and costs of data breaches are increasing, among large and small businesses alike. In 2021, there were 5,212 confirmed data breaches in the U.S., and 14% of them affected small businesses.
Data breaches cost small and medium-sized businesses an average of $101,000.
If this happens on your watch as an IT or cybersecurity consultant, you’ll have to cover the costs of:
- Possible regulatory fines and penalties
- Customer breach notifications
- Finding and fixing the security flaw
- Credit and fraud monitoring services
- Crisis management and public relations
Because state laws regulate the investigation and handling of data breaches, it's important to know the notification requirements for the state where your business operates.
You’re also at risk for a costly lawsuit if your business or your client’s business is attacked. Even if you aren’t to blame, defending yourself can still be a lengthy and expensive process.
Why do data breach lawsuits happen?
The IT consultant or contractor who installed or recommended technology is typically the first to be sued following a data breach. Businesses often look for someone else to help foot the bills from a breach.
If your company has a data breach on your network, your client may sue you if it causes harm to their business. And if your client suffers a data breach on their network, they may also hold you accountable.
There are two big reasons for a client lawsuit from a data breach:
1. Your mistake or oversight results in a breach
If your error or omission contributed to a data breach, you may be accused of negligence for failing to take reasonable care. This means you may be on the hook to cover all or a portion of your client’s losses resulting from the data breach.
For example, let’s say you handle cybersecurity for a client. You miss a vital security patch. As a result, the client is hacked.
This client could successfully sue you for negligence.
2. Human error or weak security policies lead to a breach
Even if you’re not directly responsible for an attack, you could still be sued.
Imagine you helped a client install anti-phishing software on their systems. Your client’s employee later clicks on an email link they shouldn’t have. Sure enough, that person accidentally downloads malware onto the network. Your client may sue you and claim that the software you installed failed to flag the malware.
Keep in mind that a lawsuit doesn’t need to be successful to take a bite out of your business. Fighting a legal battle can eat up time, money, and resources you can’t afford to lose.
How can you reduce the risk of a data breach lawsuit?
These are the best ways to avoid the potential financial devastation of a data breach lawsuit:
Prevent the data breach altogether
The best way to avoid a lawsuit is to stop a data breach from ever happening. Take these important steps to protect your business from a security breach:
- Update your firewall and antivirus software. Outdated software is more vulnerable to attack. Be sure to maintain your business’s and your clients’ firewall and antivirus applications, and stay current with security patches.
- Train employees and clients. Educate your people and your customers on information security best practices regarding malware, phishing, and other cyber crime prevention. Make sure they understand the risks of weak passwords and how to spot suspicious downloads, websites, and links.
- Encrypt sensitive data. If your business stores private information, secure your database with encryption. This layer of protection renders the sensitive information unreadable to anyone who does not hold the decryption key, so an attacker who steals encrypted files still cannot read them without also obtaining that key.
Take steps to limit your liability
You can also help limit your liability in case a data breach does occur:
- Use detailed client contracts. Your client contracts should clearly define roles and responsibilities. They should spell out what services you will provide and liability limitations.
- Create cybersecurity training and policies. Partner with clients to educate their employees on cyber crime prevention. Provide formal training sessions and document policies that should be followed to help prevent data breaches.
There’s no guarantee that you won’t be sued following an attack. But these steps can help with your defense and potentially reduce your liability.
What insurance coverage do you need?
If a data breach happens, insurance is your best bet to cover your losses and the costs of a lawsuit.
Depending on the IT services you provide, you may want to consider some or all of these insurance policies:
General liability insurance
Nearly every small business needs general liability insurance. This policy covers the most common physical risks at tech companies, including:
- Client injuries
- Property damage
- Advertising injuries such as slander
If you own or lease an office space, you can often bundle general liability insurance with commercial property insurance in a business owner’s policy to save money.
But general liability insurance alone won’t protect you from data breach costs. The digital data protection endorsement found in many general liability policies only covers data loss caused by physical damage, such as a dropped server.
Cyber liability insurance
Cyber insurance protects your business from the costs of cyber crime, including data breaches. There are two kinds of cyber liability insurance:
- First-party cyber liability insurance, also called data breach insurance, helps businesses cover losses from a cyberattack on their own network and systems. It pays for recovery costs, notifying customers, credit monitoring, lost revenue while your network is down, and more.
- Third-party cyber liability insurance covers costs associated with a data breach on a client’s networks and systems. If a client decides to sue your business, it covers legal expenses like attorney’s fees, court costs, and judgments. Third-party cyber insurance is often included in an IT professional's errors and omissions insurance policy.
Errors and omissions insurance
Errors and omissions (E&O) insurance, also called professional liability insurance, protects you if your business is sued for a mistake, negligence, or inadequate work.
If you’ve missed a deadline or made a coding error, E&O insurance can cover the legal costs.
Because an errors and omissions policy often includes third-party cyber liability coverage, it can also cover legal fees if your client sues you for a data breach.
Fidelity bonds
Fidelity bonds help protect your business from employee theft or fraud. Because IT businesses typically have access to sensitive data, an employee could expose your company to penalties by illegally accessing or sharing that information.
Many client contracts require fidelity bonds before an engagement begins.
Unfortunately, no company is immune to the possibility of a cyberattack. Even the most prepared ones are at risk.
But with the right preventive measures and proper insurance in place, you can protect your company from the financial fallout, including client lawsuits.
Complete Insureon’s easy online application today to compare quotes for data breach insurance from top-rated U.S. carriers. Once you find the right policy for your small business, you can begin coverage in less than 24 hours.
Erinn Knight, Contributing Writer
Erinn is a well-versed technical writer who has worked on various technology and security topics, as well as social media content creation and journalism. He's experienced in technical writing, web content development, social media content, and proposal and RFP writing.