Can Employers Be Held Liable?
Hacking: Definition and Types
Hacking is broadly defined as the act of breaking into a computer system. Hacking isn’t always a crime: “ethical hacking” occurs when a hacker is legally permitted to exploit security networks to check for vulnerabilities, in other words, when the hacker has the appropriate consent or authorization. However, hacking crosses the criminal line when a hacker accesses someone’s computer system without such consent or authority.
For instance, if an individual acts without consent or any lawful edict and penetrates a business’s firewall to access private servers and cloud storage systems, or uses phishing to install malware on desktop and laptop computers with the intent to monitor communications and activities, they can be charged with a crime. The Internet has led to an e-commerce revolution, which is the result of the development of a network with increasing connectivity and functionality. However, as the size of e-business and social media increases, security and privacy remain critical obstacles that hinder more accelerated growth of e-business.
Cybersecurity plays an important role in the ongoing development of information technology, as well as internet services. Hence, enhancing cybersecurity and protecting critical information infrastructures are essential to the security and economic well-being of nations and businesses. Therefore, making the internet safer (and protecting its users) has become integral to the development of new services as well as government policy.
Unfortunately, data breaches and cybersecurity hacks are becoming increasingly common and problematic. Any business can be targeted, and lots of smaller businesses assume it will never happen to them – an approach that is simply far too risky. Although large data breaches are the only ones that make the headlines, cyber-attacks and data hacking are happening every minute of every day, and any business is a potential target.
However, it is difficult to determine how much risk or damage such breaches cause for companies, insurers, and users or account holders. According to Cybercrime Report, Cybersecurity Ventures predicts cybercrime’s global cost will reach $6 trillion by 2021.
Cybersecurity and implementing effective network security is a vital process for every business. Businesses may be held accountable if their network is hacked and sensitive data accessed. If your business is collecting customer data, it is your responsibility to look after this data.
Effects of Hacking on a Business
One of the many dangers of hacking for businesses is the theft and misuse of business data. Global reports reveal that every single day, companies around the world lose about 5 million records containing sensitive data due to a vulnerability in their systems or a human factor failure. Only 4% of escaped data is protected by strong encryption and therefore cannot be misused. The implication of this is that the vast majority of stolen data can be decrypted and ultimately used to perform illegal activity. The types of sensitive data vary but can include login data, payment details, accounting or health records, as well as information about products and projects, orders, or partners.
Another major danger of hacking for businesses is that it in turn leads to loss of reputation and clients. Unfortunately, even this is not the end of the vulnerability. In many cases, the purpose of the attack is to use the company’s server for illegal purposes.
Once the attackers have access to your system, they can exploit corporate infrastructure in several ways. Most often, they spread spam or ad emails (if they access the e-mail server), but the misuse of the system for DDoS attacks is also quite common. The sale of access data to servers on the black market is also a common tactic.
Most recently, attacked servers are also used to exploit cryptocurrencies, for long-term spying on communications, to retrieve other sensitive data, or to manipulate the data transmitted. Infection with viruses containing so-called back-doors, which allow the attacker to access the system even after the damage caused by the attack has been repaired and the security policy updated, is also a dangerous practice for partners and customers.
Where Does Liability Lie?
An all-cloud environment describes a company, organization, or individual that uses a web-based application for every task rather than installing software or storing data on a computer.
In a cloud environment, under U.S. law and standard contract terms, it is the data owner that faces liability (and in some cases, criminal liability) for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider).
How Liable Can an Organization Be in the Event of a Breach?
According to research conducted by Thomson Reuters, state and federal data privacy laws in the U.S. do not impose civil liabilities in the event of a cyber intrusion. Liability is generally imposed if the following conditions exist:
- An entity failed to implement safeguards required by statute or reasonable security measures.
- An entity failed to remedy or mitigate the damage once the breach occurred.
- An entity failed to timely notify the affected individuals under a state’s data breach notification statute, which may give rise to liability for civil penalties imposed by a state attorney general or other state enforcement agency.
In effect, negligence must be proven in any litigation. However, liability can also exist if contractual indemnification or service agreements are in effect toward affected individuals or between business entities.
Once the liable party is identified, the damages, costs, and liability of a data breach to a law firm or company may include all or some of the following:
- Individual & class action lawsuits by customers & shareholders, settlement payments, legal expenses, government investigations, and potential penalties.
- Depending on the case, liability can include civil monetary compensation for any economic losses incurred by the victim. It can also include reimbursement to victims for out-of-pocket expenses to restore the integrity of the compromised personal information.
- The emotional distress of victims may also come into play.