IT Security: Potential Liability for Small Businesses
Torts – or civil wrongs – evolved over a thousand years as a means of preventing blood feuds, but they are constantly being applied to new situations by the courts. Negligence, one of the most common torts, has been around for several hundred years, long before the invention of the automobile where we so often see it applied today.
Negligence does not require intentional wrongdoing, but simply: 1) a standard of care; 2) a deviation from that standard; 3) that proximately causes; 4) damages. The law requires that you always take reasonable care.
Generally, an entity is not liable for the criminal acts of third parties, but, if a relationship exists between parties, the failure to take reasonable protections may constitute negligence. Common examples include a lifeguard and swimmer, a driver and passenger, or even a business owner and customer.
Further, there is a duty to protect if contractually obligated to do so, whether express or implied.
Thomas Watson, the President of IBM in 1943, once said, “I think there is a world market for maybe five computers.” Today business operates by storing consumer and employee information. There is a duty to take reasonable care, outside of the specific obligations that HIPAA places on health care providers and that the payment card industry (PCI) places on businesses that accept credit cards.
If a business does not follow reasonable IT security protocols, it may be found negligent and liable for all damages that result. To avoid the risk of suit, educate yourself on reasonable IT security precautions. Does your business:
- Encrypt stored data?
- Require passwords?
- Have anti-virus software?
- Educate employees and enforce IT security policies?
- Receive IT security audits?
If you are not taking reasonable IT security precautions, you are risking a lawsuit.
Most states have also passed laws that require disclosure of customer data breaches. The Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act, Neb. Rev. Stat. § 87-802, et seq., provides that any entity that does business in Nebraska and owns or licenses personal data must investigate when it becomes aware of a breach of security. If an unauthorized use is discovered, or is even likely, the entity must give notice of the breach to the Nebraska residents without unreasonable delay.
Personal data is defined as the customer’s name with: 1) a social security number; 2) a driver’s license or state identification card number; 3) an account number or credit/debit card number (with security code, access code, or password that would permit access to the financial account); 4) unique electronic identification number or routing code (in combination with any required security code or password); or 5) unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
In essence, under Nebraska law you must provide your customers with notice of a breach they can then use in a lawsuit against you. Concerned? Call Berry Law for a free consultation on how to reduce your business risks.