
Data Breach Liability: Who Is Responsible?

by John DiGiacomo, Partner (Internet Law)

Data breaches are no longer rare, headline-only events. They can happen to any business, regardless of size, from startups and small businesses to established companies. When customer data is stolen by hackers, leaked by an employee, or accidentally exposed through a website error, one question comes to mind: who is responsible? Companies collect more personal information than ever and increasingly keep it in cloud-based storage, which widens the set of systems and parties through which that data can fall into the wrong hands. When a breach occurs, responsibility and liability become critical issues.

What is a Data Breach?

A data breach happens when sensitive information is accessed, disclosed, or stolen without authorization. Today, many businesses no longer store data in-house. Instead, data resides in cloud-based systems, which typically involve three parties: the customer whose data is collected; the business that owns and uses that data (the data owner); and a third-party provider that stores or processes it on the business's behalf (the data holder), such as IBM Cloud or Microsoft Azure. A breach becomes highly consequential when criminals obtain customer information and sell it or exploit it for fraud.

Common Ways Customer Data Gets Stolen

As a business, your data can be stolen in various ways. One of the most common is external attack, in which hackers use malware, spyware, phishing, or stolen credentials to break into your systems. Internal breaches can be just as damaging: employees or contractors intentionally or carelessly expose sensitive data, for example by mishandling exports or retaining access they no longer need. Data theft can also be physical, especially with payment systems, where skimming devices placed on ATMs or fuel pumps silently collect card information, or where laptops and backup media are stolen.

Who Is Responsible for the Data Breach?

In most cases, U.S. law places responsibility on the data owner, the business that collects and uses customer information. Even if the breach happens through a cloud provider's system, vendor contracts typically limit the data holder's liability, often to a cap tied to the fees paid, and exclude indirect or consequential damages. Cloud providers also operate under a shared-responsibility model: the provider secures the underlying infrastructure, while configuration, access control, and the data itself remain the customer's job, so a breach caused by a misconfigured storage bucket or over-privileged credentials is the business's problem regardless of where the data sat. The result is that the business that owns the data is usually left accountable for the losses.

There is one notable exception. Under the Health Insurance Portability and Accountability Act (HIPAA), cloud providers and other vendors that handle protected health information are "business associates" and can be held directly responsible for breaches of that data, with their obligations spelled out in a business associate agreement. Even so, the covered entity that owns the data must still notify affected individuals and regulators when protected health information is compromised.

As a business, your liability may increase significantly if you fail to use reasonable security measures, delay notifying the affected parties, or mishandle your response to the breach. When this happens, you may face lawsuits, regulatory fines, investigation costs, and recovery expenses.

How Can You Reduce Risk Before and After a Data Breach?

In the event of a data breach, speed is crucial. The longer a breach goes undetected, and the more mistakes are made in handling it, the higher the cost; many state breach-notification statutes and HIPAA also set notification deadlines that run from the date of discovery. To reduce the risks, consider taking the following steps:

Have a solid response plan so that your employees act quickly and consistently, including who declares an incident, who is called in, and who is authorized to speak.

Have draft customer notifications and media statements ready to reduce chaos.

Consider carrying cyber liability insurance.

Speak with an attorney familiar with internet law to review contracts and advise you on the state and federal laws that the breach may implicate.

Preserve evidence and work with forensic experts before making system changes: wiping or rebuilding affected systems, rotating logs, or restoring from backup before images and logs have been captured can destroy the evidence needed to determine what was taken and who must be notified.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
