Highly publicized lawsuits against Target arising from breaches hacked into its consumer credit and debit card records are just the face of a growing trend of data protection lawsuits. Website liability today is no longer limited to what is on your website. It also includes private data that is not publicly available.
Have you ever wondered how a spammer got your email address? It is often the result of a website being hacked and email addresses stolen. That kind of activity is now giving rise to laws against website owners by consumers who rightfully demand that their personal information be protected.
The legal question that arises is: was the website negligent in the maintenance, storage and protection of private data?
When a hack occurs, no matter how sophisticated, the answer is almost always likely to be yes. In effect, this is not a “negligence” standard but one of strict liability. If your website is hacked, assume that you face responsibility if the user’s private information was compromised.
How to protect yourself
To protect yourself, you can get commercial insurance. Make sure it is specialized insurance that covers this type of incident. If necessary, have an attorney review the policy. After a claim arises, many companies are surprised to learn that the exclusions in their policy make it virtually illusory.
To minimize potential damage and possibly avoid liability, have a security plan and demonstrate that something has been done to protect user data. This may mean that you are not hosting with Local Bubba’s web hosting company. This may mean keeping your software up to date. This can mean that your web forms and other access points are hardened against attacks. You should be using hard-to-hack usernames and passwords.
The larger the business, the more actions it is expected to take. That doesn’t mean a small business doesn’t need to do anything. The more important the data, the more steps you need to take to protect it. Financial records, like credit cards, are probably more valuable than an email address.
Another liability issue Target has is failing to immediately notify customers of a data breach. When it comes to identity theft, speed can be important to avoid long-term problems. Not only did Target not notify its customers in person, but the only notice it issued was on its corporate website, and then only after a third party disclosed the violation.
It is difficult to imagine a more incompetent reaction and the company will be legally punished. Make sure this doesn’t happen to you too. If a data breach arises, be responsible and acknowledge it quickly. There’s a saying from the Nixon days that the cover-up is worse than the crime. Now, the cover-up can be worse than not reporting the crime.
By taking these steps, you may be able to avoid, or at least minimize, your exposure if customer data is hacked from your website.