Small and midsize businesses are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.
Large companies are learning to address cyber threats. Hackers are responding by setting their sights on SMBs. It’s simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.
As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40 percent, a worrying upward trend for those in the small business sector who likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.
Security falls short
Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods of time, leaving more records vulnerable and increasing the size of the victim pool that may be interested in filing suit.
Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA—as well as a robust centralized breach reporting mechanism—have made companies in the medical space a little paranoid about their heavily regulated environment.
Behind the curve
Other small business sectors aren’t as prepared for the risk of a breach. Outside of healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or which measures should be taken to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.
Litigation bills add up
Data breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, it is likely to incur significant financial penalties no matter which way the lawsuit goes.
Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just like the professional and employment liability insurance they already have, it would be wise to pursue coverage to defray defensive and recovery costs around their cyber liabilities. With the specter of more breaches—and more class-action lawsuits—coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.
Credit: EDUARD GOODMAN, SPECIAL TO THIRDCERTAINTY