How can your small business prevent a data breach lawsuit?

by Jon Lober | NOC Technology

Data privacy lawsuits: What they are, who they target, and how to prevent them.

Data privacy lawsuits are all over the news. TD Ameritrade and Charles Schwab are being sued following the massive MOVEit data breach. The saga of Facebook’s $725 million settlement, rooted in invasion of privacy, continues. However, corporate giants are not the only companies at risk. Small businesses across the country face such lawsuit filings every day.


According to IBM’s 2023 Cost of a Data Breach report, the average cost of a breach has climbed over the past three years to a new high of $165 per compromised record, and the average total cost of a single incident now stands at $4.45 million. For companies based in the US, the average is an eye-watering $9.48 million. Over the past year, small businesses (fewer than 500 employees) saw breach costs rise 13%, while large corporations saw net decreases.


Unfortunately, as the MOVEit breach showed, your company does not even have to be the attacker’s direct target to suffer a serious incident. Last year, 15% of breaches originated with a compromised business partner, and another 12% were passed down through the software supply chain.


For the small business that manages to survive a breach, the attack usually leads to a long, complicated recovery, regardless of where it came from. Even once the initial mess is cleaned up, several complicated (and expensive) long-term effects endure: loss of reserves and revenue from downtime and cleanup costs, loss of reputation in the marketplace, and the cost of implementing improved security controls, services, and staff.


However, one particularly prolonged and painful outcome of a data breach is often overlooked—a lawsuit.


What are the legal claims brought against companies that have been breached?


Most claims revolve around the compromise of “personally identifiable information” (PII). This is the information that comes to mind when most of us think of identity theft: full names, addresses, dates of birth, gender, and Social Security numbers.


Although the exact accusations in each lawsuit vary, data privacy violations can give rise to a wide range of injury claims. The recent case filed against financial giant TIAA is a helpful example of the potential consequences of such a case.


TIAA manages nearly $1 trillion in teacher retirement funds across the United States and was compromised through the MOVEit breach. Aside from the size of the organization, it is a fairly standard example of the type of case brought against impacted businesses, small or large.


Plaintiffs in the suit claim that, due to the breach, the company is responsible for

  • Lost or diminished value of their PII;
  • Breach of an implied contract to protect their privacy;
  • Invasion of privacy;
  • An increase in spam calls, text, and email; and
  • Continual increased risk to their PII (over the lifetimes of the affected customers).


For these claims to stick, the plaintiffs must show that TIAA handled their PII negligently: that the company was aware of the risks, aware of the potential impact on its clients, and still failed to take adequate action.


In this particular case, the plaintiffs claim that TIAA was negligent due to its

  • Failure to encrypt or redact customers’ PII in its internal files;
  • Failure to audit or verify the integrity of its IT vendors’ and partners’ data security equipment and procedures;
  • Failure to adequately train its employees in the handling of PII;
  • Failure to properly monitor its own systems for existing intrusions; and
  • Failure to maintain an adequate data security system to reduce the risk of attack.


The complaint uses today’s tumultuous cybersecurity environment as additional fuel for its claims. According to the plaintiffs, any company that manages a database of private information must be actively evaluating and strengthening its cybersecurity measures in order to avoid a charge of negligence. The complaint also accuses TIAA of failing to follow industry standards in cybersecurity and the FTC’s 2016 guidance on cybersecurity for businesses.


As more state legislatures add consumer privacy laws to the books, alongside sector-specific federal laws such as HIPAA and FERPA, these types of claims are likely to become increasingly common.


Who is being accused?


It would be easy to dismiss the TIAA example as just one more juicy target for a ravenously litigious society, but these types of lawsuits are cropping up in nearly every sector against businesses of all sizes.


In just August of 2023, we find suits against a range of institutions—from small, rural businesses and non-profits to large educational and healthcare organizations.


The settlement figures in cases like these are concerning for a business of any size; their bottom-line impact could cripple or even close a recovering small business. Beyond the obvious financial cost of a settlement, the fact that the payouts are occurring at all suggests that a growing number of plaintiffs are winning their privacy lawsuits against a diverse range of organizations.


Even short of a settlement, any company shudders at the legal fees and lost time that such a case consumes.


How can small businesses prevent a data breach lawsuit?


The answer to this one is simple: a comprehensive, proactive approach to cybersecurity.

As you might have guessed, though the answer is simple, implementation can be a bit tricky. Here are a few suggestions to guide you through the process.


1. Assume that your business is an active target of cybercriminals.

Many small businesses dismissively assume that ransomware and breaches only affect “the big guys.” The data does not bear this out: nearly 43% of cyberattacks target small businesses.


Do not get comfortable with your current state of cybersecurity. The FTC, FBI, and cybersecurity institutions are continually issuing warnings about the perilous state of cyberattacks at this point in time. Potential plaintiffs can and will use this common knowledge against you. “I didn’t know,” is no longer an acceptable defense.

 

2. Do your research to prevent a data breach.

You cannot be sued for losing PII if you never lose it in the first place. To get there, we recommend starting with the FTC’s excellent guide to preventing a data breach, Protecting Personal Information: A Guide for Business. A reference point for many successful companies, the guide recommends that businesses build their data security approach around five key principles:

 

  1. Take Stock – Determine what information you have and where.
  2. Scale Down – Keep only what you need.
  3. Lock It – Protect the critical information that you need to retain.
  4. Pitch It – Properly dispose of what you do not need.
  5. Plan Ahead – Create a plan for potential security incidents.
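The first four principles can be applied to your own files. The script below is an added example, not part of the original post or the FTC guide: it runs the Take Stock, Scale Down, Lock It, and Pitch It steps over a constructed sample of the kind of flat files a small business keeps. The sample records, the `DEMO_KEY`, the seven-year retention window, and the choice to detect only SSNs and email addresses are all assumptions made for the example; the SSNs use the never-issued 900 series so they cannot belong to a real person. The same steps answer the "failure to encrypt or redact customers’ PII in its internal files" claim in the TIAA complaint above.

```python
import csv
import hashlib
import hmac
import io
import re
from datetime import date

# Constructed sample data (assumption for this example): three small files of the
# sort a small business accumulates. The 900-xx-xxxx SSNs are never issued.
SAMPLE_FILES = {
    "customers.csv": (
        "name,ssn,dob,email,last_contact\n"
        "Jane Doe,900-12-3456,1984-03-09,jane@example.com,2023-06-01\n"
        "John Roe,901-45-6789,1975-11-22,john@example.com,2015-01-15\n"
    ),
    "notes.txt": "Called Jane Doe re: account; confirmed SSN 900-12-3456 on file.\n",
    "readme.txt": "Nothing sensitive here.\n",
}

# Demo key only: a real tokenization key belongs in a secrets manager or HSM,
# never in the same place as the data it protects.
DEMO_KEY = b"demo-only-key-do-not-use-in-production"

# Detection is deliberately narrow (SSNs and email addresses); extend for your
# own data types, and expect to tune patterns to cut false positives.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def take_stock(files):
    """Step 1, Take Stock: count PII matches per file so you know where it lives.
    Returns {filename: {pii_type: count}} for files that contain any PII."""
    inventory = {}
    for name, text in files.items():
        counts = {kind: sum(1 for _ in pat.finditer(text))
                  for kind, pat in PII_PATTERNS.items()}
        counts = {kind: n for kind, n in counts.items() if n}
        if counts:
            inventory[name] = counts
    return inventory


def redact_ssn(ssn):
    """Step 2, Scale Down: keep only the last four digits, which is all most
    customer-service workflows need to confirm identity."""
    return "***-**-" + ssn[-4:]


def tokenize_ssn(ssn, key):
    """Step 3, Lock It: replace the SSN with a keyed HMAC-SHA256 pseudonym.
    Records can still be joined on the token, but without the key a thief
    cannot recover or even brute-force the original (unlike a plain hash)."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(text, key):
    """Rewrite free text so every SSN becomes a token; the raw SSN is gone."""
    return PII_PATTERNS["ssn"].sub(
        lambda m: "tok:" + tokenize_ssn(m.group(), key), text)


def retention_candidates(csv_text, today_iso, retention_days):
    """Step 4, Pitch It: list records whose last contact is older than the
    retention window so they can be disposed of under your written policy
    instead of sitting around waiting to be breached."""
    today = date.fromisoformat(today_iso)
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = date.fromisoformat(row["last_contact"])
        if (today - last).days > retention_days:
            stale.append(row["name"])
    return stale


if __name__ == "__main__":
    print("Inventory:", take_stock(SAMPLE_FILES))
    print("Redacted:", redact_ssn("900-12-3456"))
    cleaned = minimize(SAMPLE_FILES["notes.txt"], DEMO_KEY)
    print("Minimized note:", cleaned.strip())
    print("Remaining PII:", take_stock({"notes.txt": cleaned}))
    print("Past retention:", retention_candidates(
        SAMPLE_FILES["customers.csv"], "2024-04-29", 7 * 365))
```

Run it as-is and it reports two files holding SSNs, shows the note with its SSN replaced by a token that the scanner no longer flags, and names the one customer whose record has aged past the assumed seven-year window. The fifth principle, Plan Ahead, is the incident response plan that decides who runs this inventory, how often, and what happens when it finds PII somewhere it should not be.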


Educate yourself and your leadership team on how you will protect your business from a data breach and potential lawsuits.


3. Establish solid IT policies.

When you look through the list of failures alleged by the plaintiffs in the TIAA case above, do you recognize any holes in your own business’s policies?

 

Hardly anyone enjoys creating and evaluating policies, but in order to successfully avoid a data breach or privacy lawsuit, you must not only create IT policies, but implement them as well. Consider what elements you need to put together a comprehensive IT policy.


Just remember, once the policies are written, you must implement them consistently. Failure to do so leaves the door open to accusations from potential plaintiffs that you did not follow your own directives, adding fuel to the legal fire that could already be burning around you.

 

4. Implement a thorough cybersecurity system.

Once you have done your research and written your policies, it is time to implement a solid cybersecurity system. No one tool, approach, or service can protect your company, but a comprehensive and holistic approach to cybersecurity can dramatically reduce your risk exposure.

 

Multi-factor authentication (a.k.a. MFA or 2FA), advanced email scanning, endpoint protection, round-the-clock monitoring, cybersecurity insurance, and ongoing employee education are all great places to start, but do not get too comfortable—cybersecurity is a constantly evolving game with incredibly high stakes.


If all of the above seems a bit overwhelming, or overzealous, for your company to take on alone, consider contracting a qualified managed service provider (MSP) to help with your policies, plans, and cybersecurity implementation. Not all MSPs are created equal, but a good MSP with a solid track record can relieve you of facing the IT burden alone.


Data breaches happen every day, and they are the type of disaster that can be mitigated at the very least, if not completely prevented. Take the time now to prepare your team against the attacks that will surely come—if not in court, certainly on your network.
