Cybersecurity attacks skyrocketed after the onset of the COVID-19 pandemic. These incidents have thrust companies leaders with an online presence into the throws of cybersecurity preparedness. However, no framework is foolproof as threat actors continue to push the boundaries at an estimated $1 trillion in global losses.
Data breaches are not only an expensive financial loss, but they also cause harm to a company’s intellectual property and intangible assets, not to mention the damages incurred through tort actions. State legislators around the United States are taking note and now provide for cybersecurity preparedness as an affirmative defense.
Making a Case for Cybersecurity “Safe Harbor” Laws
Data breaches are bound to happen, regardless of the safeguards and protocols in place. Should a company be held indefinitely liable for a situation beyond its control? Some states are inclined to disagree with imposing fines upon companies with reasonable cybersecurity measures in place and suffer consequences based on someone else’s actions. Plus, many companies use cybersecurity products from third-party providers and should not have to pay for their negligence.
Not a Replacement for Cybersecurity Preparedness
However, these affirmative defenses or “safe harbor laws” should not replace cybersecurity preparedness. In fact, the protections gleaned from these laws are contingent upon the company’s security practices. As such, protecting valuable customer data should be proactively managed to significantly mitigate the potential financial and non-financial impact of a data breach claim.
The True Financial Impact of a Data Breach
Under various data protection acts, companies that are victims of a data breach will face expensive breach notification requirements. For example, they must notify consumers of a specific period, leverage credit protection services and incur tremendously serious civil damages and penalties. Other indirect losses of a data breach include productivity losses, opportunity costs, reduction in market share, company devaluations and lower stock values.
In short, businesses should avoid a cybersecurity data breach at all costs, regardless of whether safe harbor laws are in place or not. According to IBM’s annual “2021 Cost of a Data Breach Report,” the average global cost for a single data breach is $4.24 million to a company for a single event. These numbers do not include the penalties and fines imposed by government departments and agencies over the breach.
Lost Business Hurts Companies the Most
There is a significant business loss associated with a data breach and often the largest of all penalties. Lost business accounts for 38 percent of financial losses, as referenced in the above report. When companies lose business, they see higher rates of customer and employee turnover, as well as lost revenue and a diminished reputation. Consumers will take data breaches very seriously in the future, which is reasonable considering the ways in which data is abused and utilized to create a drain on American markets.
Ransomware Attacks Are the Most Expensive Data Breach
An average ransomware attack costs companies more than a typical data breach at a staggering $4.62 million, as revealed in IBM’s report. Additional costs not included in this figure come with a ransomware attack, including data recovery, encryption and lost data availability revenue.
This number also does not include the ransom, which many cybersecurity experts advise against companies paying. Again, this average does not include government-imposed levies and fines associated with a ransomware attack. Companies should view these averages as underscoring the importance of cybersecurity protocols.
Punitive Fines Cause Companies to Shut Their Doors
State regulators are aware that data privacy violations and penalties can dwarf the actual breach costs, according to the state and government involved. For instance, in Europe, general data protection regulation fines can reach a maximum of 4 percent of global revenue or 20 million euros, whichever is greater. The magnitude of these numbers can cripple businesses, especially those classified as small or microbusinesses.
It is vital to consider affirmative defense laws across the United States to encourage fair trade while under the guidance of cybersecurity practices. Cybersecurity preparedness is non-negotiable and should be viewed as such. Otherwise, the public could lose faith in policy, which results in a host of other negative consequences that far exceed any form of a data breach.
What Affirmative Defenses Mean for Businesses
Business leaders must update how they approach cybersecurity protocols. As they draft incident response plans and user agreements, these efforts should incorporate any new legal requirements and practices. Affirmative defense laws release the company from liability but only if they have the right provisions in place. Otherwise, they cannot use an affirmative defense should a data breach occur.
Business leaders should also consider working with legal counsel that understands the issues surrounding cybersecurity preparedness and affirmative defenses in case a legal issue arises. Doing so can ensure that their companies continue operating into the future.
Bahar Ferguson is president of Wasatch I.T., a Utah-owned and operated provider of outsourced IT and managed compliance services for small and medium-sized businesses.