All companies are at risk of cyberattacks, and small and mid-sized businesses are increasingly being targeted.

The cost of responding to being hacked can easily exceed $50,000, including technical costs to investigate how the breach happened and repair systems, loss of business and customers, and increased insurance costs.

However, federal and state laws can also create significant costs after a breach, and companies need to be aware of these laws and how to lower the risk of legal repercussions after an attack. Knowing before an attack ever happens which laws apply will help any company take reasonable and cost-effective steps to lessen the risks of an attack, and limit liability if one does occur. This article will highlight just a few of the most important legal issues surrounding a cyberattack.

Federal Law

For any company that has consumers as its customers, the Federal Trade Commission, or FTC, is the primary federal agency in charge of protecting customer information. The FTC enforces several statutes, including the Children’s Online Privacy Protection Act, the Consumer Fraud and Abuse Protection Act, anti-spam laws, and certain laws relating to personal healthcare information. In recent years the FTC has been much more active in investigating companies that have suffered a cyberattack. These include large companies, such as Target, but many smaller ones as well. In just the past year, the FTC settled cases against the following smaller companies: LabMD, D-Link, Henry Schein Practice Solutions, and Cornerstone and Company, none of them household names.

If a company has suffered a cyberattack resulting in the loss of consumer information that the company had promised to keep private, the FTC can bring an enforcement action alleging that the company did not take “reasonable” measures to protect that information. There is no specific checklist of what measures the FTC considers “reasonable”; they depend on the type of data the business holds, its resources, and other factors. If the FTC determines that the company had reasonable security measures in place prior to an attack, it is more likely to find no violation.

However, if the FTC finds that the company did not take reasonable steps to protect data, or had taken no steps, it may allege a violation of the law. Usually the FTC will settle such cases, and will require the company to take various actions, including affirmative steps to remediate the behavior, implementation of a comprehensive security program, outside assessments by independent experts, fines, and notice to the affected consumers.

Also on the federal level, the Federal Communications Commission (FCC) has become more active in enforcing the law against companies suffering a data breach over a communications network. Of course, most cyberattacks or hacking incidents are likely to occur over the internet or phone lines, so the FCC will also claim jurisdiction. In 2015, for example, it investigated AT&T over a breach in the company’s foreign call centers which affected over 50,000 AT&T customers, and the company agreed to pay a $25 million fine as part of a settlement.

If your company handles personal health information, either directly or for a client, then that information is governed by HIPAA, which has specific requirements for securing such information. If there is a breach, the U.S. Department of Health & Human Services can investigate and require notification to customers and the media.

This list is not exhaustive; the Department of Justice, the Securities and Exchange Commission, and other agencies also have a role in certain types of data breaches.

State Laws

Most states also have laws relating to cybersecurity and data privacy, and many state attorneys general have established cyber crime task forces or similar initiatives. In addition to federal investigations, therefore, in the event of a breach a company may face an enforcement action by a state attorney general not only where the company is located but also where the company has customers. State attorneys general often join together in such investigations, so a company may find itself responding to requests for information, subpoenas, and court actions in several different states.

Adding to the cost of a cyberattack are customer notification laws, which are on the books in 47 states and several U.S. territories. Under these laws, a company holding customers’ personal information is required to make certain notifications if that information is compromised. Personal information is usually defined as the customer’s name plus at least one of the following: social security number, financial account information, driver’s license number, medical or health information, or some other data. If a company has individual consumers as customers, it may be required to notify them, either by mail or email. If customers are in different states, notification must follow the law of the state where the customer lives, not the state where the company is located. This can become complicated, time-consuming, and expensive.

Lawsuits

Finally, after an attack, customers or vendors whose information is compromised may sue the company that held their data. As a result, a company may face litigation, often class action suits, alleging that the company either did not do enough to protect customer information or did not respond appropriately after a breach. While few of these cases ever go to trial, defending them can be extremely expensive, take up a great deal of the company’s time, and result in unfavorable publicity.

Conclusion

Before implementing a cybersecurity plan or preventive measures, it’s important to know which laws apply to your company in the event of a breach, so that you take measures that are appropriate and cost-effective for your company.