Large or small, long-established, or just launched, thousands and thousands of companies depend on IT systems to analyze customer data; to design, build and distribute intellectual property like games, software, or proprietary processes; to manage supply chains and manufacturing; to organize their human resource departments, and to conduct their financial affairs. As IT has become indispensable, the number of hackers and bad actors has multiplied, and both the frequency and the sophistication of their attacks have expanded dramatically.
Over the last decade, the rising tide of data breaches has exploded into the headlines. In today’s litigious society, this means more lawsuits over lost or stolen data are sure to be filed.
Recent cyber security attacks and breakdowns at large companies have triggered class-action lawsuits that have resulted in settlements totaling many millions of dollars. The theft of credit card information from Home Depot’s systems ended in a sizable settlement to account holders. A lawsuit over Target’s 2013 personal information breach resulted in a payout of some $10 million to consumers and a whopping $39 million to banks. A new wave of litigation has risen since the 2021 Colonial Pipeline and Kaseya ransomware incidents, in part because so many downstream businesses were forced to temporarily shut down or severely restrict their IT processes.
As this chapter goes to press, T-Mobile has reported a massive theft of private information – social security numbers, dates of birth, phone numbers, and PINs – affecting 8 million current customers and possibly involving a total of some 40 million people, including former customers and credit applicants. There’s no word yet on legal consequences.
The year 2019 saw some 337 confirmed ransomware events that also resulted in a data breach. That number doubled to 676 in 2020, with hacks and data exposures spanning the government, health care, retail, manufacturing, and technology sectors. As more and more companies experience crippling and costly data breaches, the number and sophistication of data breach lawsuits are also on the rise.
When customer or personnel data files are breached, there is no shortage of advice for consumers who are worried about what to do. Tip-list articles abound, along with more pointed advice on how to take legal action. The sources range from well-regarded consumer publications to law firms offering advice and consultations to wiki sites that cram tidbits of practical information between ad banners.
It’s not uncommon for exposed individuals to sue the business that suffered the attack, sometimes by initiating class action suits and less often as individuals claiming compensation for damages due to negligence.
Often the MSP, as the IT contractor who recommends and installs tech tools and manages security for clients, is next in line to be blamed – and sued – following a data breach. Breaches are costly; thus, businesses and their legal advisors look for another party to share the financial burden of stolen records as well as the costs of customer legal action. In some cases, a client could attempt to hold you legally accountable for conditions that allowed a breach in their own network.
Here are some things a small business can do to avoid a data breach lawsuit:
Prevent the data breach altogether. The best way to avoid legal action is to stop a data breach from ever happening. Work with your MSP to identify, install, and maintain up-to-date endpoint and firewall protections, encryption, and backup tools, and keep current on software patches, drivers, and updates.
Reinforce the “human firewall.” With your consultant and your staff, create comprehensive cyber security training and staff policies that instill a culture of security and cybercrime prevention at every staff level, from the cubicles to the C-suite.
Recently I talked with Justin Reinmuth, Founder and CEO of the Technology Risk Underwriting Group. In business since 2004, TechRUG, as it’s popularly known, manages technology risk for some 600 IT companies, covering broad categories such as cyber security, general liability, workers’ compensation, employment practices, directors’ and officers’ coverage, and errors and omissions insurance.
I put the question at the heart of this chapter to Justin: Will you be sued if your data is breached? His response was surprising. “Many people will say yes,” replied Justin. “I’d say, ‘It depends.’” There are two factors to consider, he says. “Assuming that as an MSP or as a public-facing business you do have a contract with your client, what does your contract say you are and are not responsible for? Second, are you informing your clients that you use third-party vendors – for example, IT Glue or Office 365 – and that your company’s acceptance of your vendors’ terms and conditions includes end-user agreements that extend to your clients and customers as well? Your signature indicates that you accept your vendors’ hold harmless and indemnification, and limitation of liability provisions, and so does your client’s signature on a contract with your company. And, when assessing your eligibility for coverage, your risk manager might well ask to see your client’s signature acknowledging this.”
Justin goes on to say that a managed services agreement with the end client should commit the client to carry cyber liability insurance.
“It’s well-known,” says Justin, “that architects, lawyers, physicians, accountants – in short, professionals in many business categories – all these carry professional liability insurance policies,” and when their businesses are IT-dependent, it’s vital for them to add cyber insurance coverage.
Let’s take a closer look at cyber liability insurance.
The Cybersecurity and Infrastructure Security Agency (CISA), a division of the US Department of Homeland Security, has as its mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure. CISA defines cyber security insurance as coverage crafted to help mitigate losses from a variety of incidents – data breaches, business interruption, and network damage among them. The agency maintains that a robust cyber security insurance market could help reduce the number of successful cyber-attacks by (1) promoting the adoption of preventative measures in return for more coverage, and (2) encouraging the implementation of best practices by basing premiums on the insured’s level of self-protection. However, many companies forgo available coverage because of the perceived high cost of cyber security policies, confusion about what they cover, and uncertainty about whether their organizations will suffer a cyber-attack.
CISA is facilitating dialogue with leaders in academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), chief security officers (CSOs), risk managers and others, in search of ways to expand the ability of the cyber security insurance market to address this emerging cyber-risk area. Discussion focuses on how a cyber-incident data repository could foster both the identification of emerging cyber security best practices and the development of new cyber security insurance policies that “reward” businesses for adopting and enforcing those best practices.
Besides targeted liability coverage, many large insurers offer their cyber policyholders access to tools and resources to manage and mitigate cyber-risk – both pre-breach as well as post-breach.
Today, both MSPs and their end clients need risk management protection more than ever because they face more risks: cyber security and data privacy challenges, plus compliance, technology, and vendor issues, along with increasing competition.
Like legal or medical malpractice insurance, professional liability insurance covers the MSP if a client alleges negligence in the performance of a contract; it protects the customer if a service provider is negligent.
First-party cyber liability insurance covers the end client against cyber liability risks to their data, whatever the cause. It helps protect the end client and their customers in the event of data breaches and data losses that are not the fault of the MSP.
As Justin Reinmuth says, just as your signature binds you to accept your vendors’ hold harmless and indemnification, and limitation of liability provisions, your client’s contract with your company should commit them to accept the same terms as you do.
Service contracts should include an insurance section that stipulates that the MSP will carry first-party cyber liability insurance and that the client also agrees to carry it.
A small business’s contract with a client should also disclaim responsibility for hardware and software failures caused by third-party manufacturers and publishers.
Because data loss and compromise pose such a high risk for MSPs and clients, the service contract should also disclaim hardware and software failures related to backups and require customers to retain local backups of all critical data in addition to any backup services the MSP provides.
Some of us might long for a time before hacks and attacks became so common and so potentially devastating. But the old days of walk-in computer repair and seat-of-the-pants network management – the days before businesses and their customers became so dependent on privacy standards, system integrity, and reliability – are gone forever.
However, there are signs that new laws are taking into account the complex relationships of service providers, clients, and consumers in today’s IT environment.
In Ohio, if you adhere to NIST, CMMC, HIPAA, and a specified roster of other guidelines and standards, your MSP or consumer-facing business can be protected from liability: as long as you both follow the standards and document that you followed them, you are not automatically liable for losses due to a data breach. Utah has recently enacted a similar statute.
The comprehensive New York State SHIELD Act lays out clear definitions that protect the state’s consumers and also defines the responsibilities of companies that collect and use private information. Rather than applying only to companies doing business in New York, the new law covers any person or business that owns or licenses private information of a New York resident. Even if your business is located outside New York, having New York-based customers can mean it applies to you. The definition of the term “private information” is expanded to include account numbers, biometrics, credit/debit card numbers, access codes, usernames, e-mail addresses, passwords, and security questions and answers. The definition of a “breach” now includes not just unauthorized acquisition but also unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information. The act imposes new data security measures, requiring that companies adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. It also requires that an employee be designated to oversee cyber security operations.
To sum up, in today’s attack-prone IT environment, it’s realistic to assume that a security breach will occur and that sensitive data can be stolen, exposed, or exploited. Depending on the details, this could lead to lawsuits claiming that businesses serving consumers, as well as MSPs, are liable for resultant damage or losses.
These are some things we must do as managers of IT-intensive businesses. We must be rigorous about maintaining the highest security, backup, and update standards. We must be diligent in practice and meticulous in the documentation of our practices. Our service contracts and user agreements must describe the responsibilities of all parties in detail. Both we and our customers must carry cyber insurance policies that match our roles and responsibilities. If we incorporate all these precautions into daily practice – and can demonstrate strict compliance – we may be less likely to face litigation, and if we are sued, less likely to be judged negligent.
NOTE: Are you inspired to improve your company’s contracts, cyber security, documentation, or risk management practices? Please take notice that the information presented here is meant for general informational purposes only and does not constitute formal advice on legal or risk management matters. You should contact your attorney for advice on contracts and legal liability and discuss the details of risk management and liability coverage with an insurance professional who specializes in cyber security.
Trent Milliron is the founder and CEO of Kloud9IT, a thriving managed services provider with offices in Columbus, Cleveland, and Akron, Ohio. Kloud9IT has built a five-star reputation by offering a menu of services from day-to-day operating and maintenance support to IT security, to VOIP systems, to tailored cloud computing, for clients throughout the Cleveland, Akron, Canton, and Columbus metro areas.
Trent was born in Shelby, Ohio, the son of a steelworker and a homemaker. As a boy, he was obsessive about computers, reading computer magazines, visiting computer stores, and pestering his family to get a PC. Trent’s wish came true when his father’s job offered to help employees buy a computer for their families. Trent earned his BA in IT from Ohio University in 1999. Launching his career in the early dot-com era, he became keenly aware of the immense potential of IT, the value of strategic vision, and the pitfalls of poor planning.
When the dot-com bubble burst, Trent shifted to a role working with nonprofits in the Cleveland school system. He soon realized that many private and public entities don’t truly understand IT and lack a clear idea of what to look for in IT service. This insight formed the basis for Kloud9IT.
Trent founded Kloud9IT in 2006 as a computer repair and consulting company aimed at helping businesses find tech solutions. Realizing that there was a broader customer base to serve and an expanding range of services to offer, he refashioned Kloud9IT into a full-featured managed services provider. Trent refers to Kloud9’s reasonable monthly rates as “Flat Fee IT.”
Kloud9IT employs the most talented technicians and engineers; the staff lives by the motto “Do it right the first time.” Rather than “band-aid” an outdated, poorly performing network, the Kloud9 team builds from the ground up based on proven technology and best practices. The company employs both video and in-person training to bring the client’s staff on board.
Kloud9IT is a CMMC Registered Provider Organization providing security expertise for military and government contractors and others requiring high-level security standards. The company also delivers its own SOC-backed security services. Kloud9 specializes in IT services tailored to the legal, accounting, and title industries. The company is proud to offer Fortune 500–level IT services for a budget-friendly fixed monthly rate.
Trent researches extensively to stay abreast of innovations in technology and evolving security challenges. The company strongly supports the military and donates a portion of its annual profits to St. Jude Hospital, the Wounded Warriors Project, and local charities. In his leisure time, Trent enjoys golf and relaxing by the pool with family and friends. His bucket-list wish is to take flying lessons.
To contact Trent:
Trent Milliron, Founder & CEO, Kloud9IT
Phone: 1-844-KLOUD9IT (556-8394)
Kloud9IT – Cleveland
9999 Granger Rd., Cleveland, OH 44125