The chances of a company facing a data breach lawsuit appear to be increasing. And for smaller companies — particularly financial services providers — a lawsuit can put them out of business. Learn these four strategies to protect your firm from cybersecurity litigation.
First, A Note on The Threat of Harm
We focus mostly on technological solutions in this blog; however, the fact is that even companies with excellent IT security can suffer a data breach. In some cases, people whose information has been exposed can sue for damages even if they can’t show that the breach harmed them.
In legalese, this is called “threat of harm.” It’s a term that should be on the radar of every business that handles personally identifiable information (PII) for clients.
How the “Threat of Harm” Legal Standard May Expose Your Business to Lawsuits
Stan Sterna, an attorney and vice president at Aon Insurance Services, and Joe Wolfe, a risk management consultant, share their insights on how the “threat of harm” legal standard may increase your business’s vulnerability to lawsuits.
Aon administers the liability insurance programs for the American Institute of Certified Public Accountants (AICPA) – giving them a unique perspective on business risks. In a 2019 article in the Journal of Accountancy, they wrote about the threat of harm standard:
“While some federal circuits require the plaintiff to have suffered actual harm in order to have standing, others have held that a risk of future harm is enough — a significant expansion of standing.”
We followed up with Stan and Joe about the “threat of harm” and other matters relating to how small and medium-sized financial services firms can guard against legal action resulting from a data breach.
Stan sees a trend of more data breach notification statutes leaning toward the mere threat of harm standard, providing an easier path to lawsuits for people whose data has been exposed.
You May Be Subject to the Standard, Even if Minnesota Never Adopts It
In other words, while the Eighth U.S. Circuit Court of Appeals—which includes Minnesota—has not yet applied the threat of harm standard, Minnesota’s SMBs could still face exposure to it, even if the state never formally adopts the standard.
The experts from Aon also point out that if your firm holds the data of residents in federal circuits that uphold the threat of harm standard, those people could still be granted legal standing to sue you for the mere risk of future harm.
With that in mind, we asked Stan, Joe, and another cybersecurity liability expert — Bob Cattanach, a Minneapolis-based attorney with Dorsey & Whitney — for advice that small financial firms can use to minimize liability and damages from a data breach.
Their recommendations include:
- Buy cyber liability insurance.
- Create an incident response plan (IRP).
- Screen vendors who store or process critical data for your firm and clients.
- Read recent cybersecurity guidance from your industry’s regulators.
1. Buy Cyber Liability Insurance
The cost of defending your firm against data breach lawsuits could easily be prohibitive without cyber liability insurance (a.k.a. “cyber risk insurance” or “cyber insurance”).
If you looked into this coverage more than a year or two ago and didn’t buy it, look again. Cyber insurance products for SMBs are changing rapidly, and today you’re more likely to find an affordable option.
Check out this article on cyber insurance coverage options and shopping tips. Here are tips from Joe and Stan, who have 38 and 20 years of experience, respectively, in risk management and claims for professional services firms.
See if your current business owner policy covers cyber liability.
Business insurance coverages such as General Liability, Professional Liability, and Errors and Omissions often don’t cover losses related to data breaches, or they provide very limited coverage.
Contact your cyber liability insurance carrier, even if a data breach wasn’t caused by a hacker.
Confidential financial information can be exposed through simple human error.
If you discover a mistake, like emails containing personal financial data sent to the wrong email addresses, contact your insurance carrier. They should be able to help you determine whether a breach has occurred, and what to do about it.
Make sure assistance with notifications after a data breach is included.
The obligation to notify people affected by a data breach, and notify the necessary regulatory and/or law enforcement organizations, can be a huge burden on a small financial services firm.
“The better insurance carriers have teams that specialize in compliance with breach notification law requirements, and use qualified law firms and outside consulting firms as needed,” says Joe. “They’ll determine whether a breach actually occurred under state law.”
Joe says the claim teams will walk you through the notification process, so you’re in compliance with any state laws that apply.
Be accurate about your current cybersecurity program when filling out cyber liability insurance applications.
This tip comes to us from Bob Cattanach, a Minneapolis-based partner at the law firm Dorsey & Whitney, who specializes in cybersecurity regulatory compliance and litigation. He’s helped many firms navigate the aftermath of a breach, including representing them in court.
Bob says to be careful when filling out cyber insurance applications. You’ll be asked about certain data protections and policies you currently have in place. That information will be verified should you suffer a loss, and if your answers prove incorrect, your policy may be void.
This would be especially catastrophic if your firm is targeted by a class action lawsuit, which is becoming more of a possibility, Bob says.
As he mentioned in our previous post, the California Consumer Privacy Act (CCPA), which takes effect in 2020, appears to open the door to class action lawsuits for data breaches that generally aren’t allowed today.
“This may be the biggest change in how data breach class actions are treated by courts since these suits started, and even medium-sized firms [with annual earnings of $25 million or more] could be at risk if the exposed data involves California residents,” Bob says.
2. Create a Cybersecurity Incident Response Plan
A well-documented set of cybersecurity policies and procedures can help you defend yourself against lawsuits, Bob says. It’s also a regulatory requirement for financial services providers.
A key element of your documentation should be a cybersecurity incident response plan (IRP).
Bob is editor-in-chief of the Incident Response Guide by the Sedona Conference Working Group 11 on Data Security and Privacy Liability. This would be an excellent resource to go through with your legal counsel, to help you set up your IRP.
Pro Tips: You’ll have to set up an account to download it, then use the publication search function for “incident response guide.” Look at the IRP Guide Appendix A, a model IRP, and Appendix B, model breach notifications.
3. Screen Vendors Who Store or Process Critical Data for Your Firm and/or Clients
Getting hacked is often just bad luck. As Bob puts it, “Nobody knows what some hacker sitting in Eastern Europe with a cup of coffee tomorrow morning is going to stumble on.” But hiring vendors who don’t have proper cybersecurity in place isn’t bad luck…it’s bad management.
Bob points out that you can be sued even if your clients’ data was compromised while in a vendor’s control.
The Sedona Conference’s IRP Guide, mentioned earlier, has a good “supply chain security” section that addresses vendor management.
Here are the guide’s due diligence screening questions for vendors who store or process your company’s data:
- Does the Vendor have security certifications such as International Standards Organization 27001 (ISO)?
- Does the Vendor follow a National Institute of Standards and Technology (NIST) or another cybersecurity framework? (Editor’s note: It might be a good idea to follow up this question with: “Approximately how much of the NIST framework do you follow? 100%? 80%? 10%?”)
- Does the Vendor have adequate insurance, including cyber liability coverage?
- What history does the Vendor have in suffering from data security events?
- Will the Vendor permit security audits or provide copies of its external security audit reports?
- What due diligence does the Vendor conduct for its own employees, subcontractors, suppliers, and other third parties, especially those that might have access to the organization’s data?
- What access controls and related data security measures does the Vendor employ?
- What are the Vendor’s encryption practices, at rest and in transit?
- If the Vendor will house the organization’s data, where will it be located and how and where will it be transferred, and how much notice will the organization receive if it is to be relocated?
- What are the Vendor’s backup and recovery plans?
- Does the Vendor have an Incident Response Plan?
4. Read Recent Cybersecurity Guidance for Your Industry
If your client’s data is compromised, you’re likely to face more fines and damages if you weren’t in compliance with your industry’s cybersecurity standards when the breach happened.
New cybersecurity guidance for financial services firms is being published regularly, as cybercrime rapidly evolves. And before you say, “My IT vendor handles all that — I don’t need to know that stuff,” imagine yourself saying that to a federal examiner or to a jury.
As an owner or top executive of a firm that handles sensitive personal/financial data for clients, you need to know the up-to-date basics of cybersecurity for your industry.
You may want to delegate the task of digesting these resources and creating a plan to follow their guidelines. But it’s a good idea for all top execs to at least be conversant with the basics of the framework.
NIST
NIST recommendations are crucial. They’re updated every couple of years with input from leading public- and private-sector experts. They’re not industry-specific, but many financial industry cybersecurity checklists and guidebooks have the NIST framework baked in.
Recommended resources:
NIST Cybersecurity Framework 2.0 (2024 Update)
The new 2024 update of the NIST Cybersecurity Framework 2.0 enhances its guidance on cybersecurity for all sectors, including financial services. This latest version expands on core information security functions, offering refined standards and actionable steps to support risk management.
Familiar concepts like risk assessment, governance, and continuous improvement remain central, while new guidance on cybersecurity governance and adaptive response ensures businesses stay resilient in an evolving threat landscape. For financial professionals, this framework provides a robust foundation to bolster security and meet industry expectations.
NIST Small Business Information Security
The Small Business Information Security: The Fundamentals guide includes how to limit employee access to data and information, train employees about information security, create information security policies and procedures, and more.
Pro Tip: While the guide provides foundational guidance on cybersecurity for small businesses, the rapidly evolving nature of cyber threats and technological advancements over the past eight years render some of its recommendations outdated.
Recognizing the need for updated guidance, NIST announced plans to revise this publication in March 2024. NIST issued a Pre-Draft Call for Comments to solicit feedback for the upcoming revision – so keep your eyes open for the latest guidance.
Small Business Cybersecurity Corner
Launched by NIST in March 2019, this website pulls together expertise from public and private sources, including guidelines, best practices, and tools. For example, the Department of Homeland Security provides a basic list of cybersecurity threats, instructions for managers featuring planning and education tools, and compliance guides.
FINRA
If you manage 20 to 40 RIAs or so, it can be hard to find compliance guidance that isn’t geared toward big companies or mom-and-pop shops. FINRA has materials that can help you secure data within a moderately sized but complex IT infrastructure.
Recommended resources:
Small Firm Cybersecurity Checklist
If you work with your IT staff and/or vendors to complete this document, you’ll have the bones of a strong cybersecurity program you can actually follow. Should you have to show in court that you’ve made a good faith effort to perform due diligence, the Small Firm Cybersecurity Checklist should be Exhibit A.
Pro Tip: This tool was last updated on February 21, 2024. However, it does not reflect any regulatory changes since that date. Be sure to keep up with any new or updated laws, rules, and regulations—and to regularly update your Written Supervisory Procedures (WSPs) and compliance program accordingly.
SEC
Performing well in cybersecurity audits or SOC for Cybersecurity examinations is another way of showing in court that your firm has taken cybersecurity seriously.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has solid guidance for small firm cybersecurity policy.
Recommended resources:
OCIE 2020 Cybersecurity and Resiliency Observations
OCIE’s 2020 document outlines critical areas of focus – such as governance, risk assessment, access rights and controls, and data loss prevention – providing practical examples that help firms align with regulatory expectations.
Safeguarding Customer Records and Information in Network Storage – Use of Third-Party Security Features (May 2019)
This highlights the SEC’s concerns about data storage, including best practices for working with cloud data storage providers.
AICPA
“Accountants today are getting into non-traditional workspace, beyond just taxes and auditing,” Stan says. “They’re also doing IT consulting and assurance services, so it’s becoming more likely that they’ll have [IT network] access to data that’s covered by many different regulations, such as HIPAA.”
The good news is that in 2017, AICPA established SOC for Cybersecurity: its own framework for assessing and reporting on an organization’s cybersecurity risk management. It’s designed to incorporate each business’s specific regulations.
Recommended resources:
System and Organization Controls (SOC) for Cybersecurity
This is the main page for SOC for Cybersecurity, which uses the NIST framework among other sources. CPA firms can use it to create and document a business’s cybersecurity program.
It includes information on SOC for Cybersecurity examinations, a service performed by CPA firms to provide businesses with an independent assessment of their cybersecurity risk management program.
Cybersecurity Resource Center
This page includes links to cybersecurity resources for all organizations (including CPA firms). It also provides information on consulting and assurance cybersecurity services available from CPA firms.
Pro Tip: Journal of Accountancy, which published the article by Joe and Stan we quoted at the top of this post, is an excellent resource for cybersecurity news. In particular, read the Data and Information Security section.
HIPAA
Even if you’re not a healthcare provider, if you handle any data that includes protected health information (PHI), you are subject to Health Insurance Portability and Accountability Act (HIPAA) information privacy rules.
In 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a final rule identifying provisions of the HIPAA rules applicable to “business associates,” such as lawyers, accountants, IT contractors, and billing companies.
Business associates are directly liable for HIPAA violations. The definition of business associates lists their services as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial.
Recommended resources:
HHS Guidance on Business Associates
Information regarding the responsibilities of business associates under HIPAA, and related resources.
HIPAA Compliance Checklist
If you think your firm may have some exposure to HIPAA rules, review this checklist. There are many more HIPAA resources, but cyber liability in the medical realm is mostly outside the scope of this post.
Safeguard patient information and foster a strong reputation as a trusted healthcare provider with this self-assessment.
To Prevent “Threat of Harm” Exposure, Documentation Isn’t Enough
Our cyber liability experts agreed that many companies have excellent cybersecurity documentation — but they still lost lawsuits because they didn’t practice what they documented.
An IRP, for example, probably won’t help much if the people responsible for implementing it never look at the plan after it’s created, and never practice what they’d do in the case of a data breach.
And with the “threat of harm” standard increasing your exposure to data breach lawsuits, you need to be able to show that your cybersecurity plan is more than a document — it’s your way of doing business.
Use these security best practices to enhance your business’s resilience against cyber threats and productivity-killing IT issues.
The information in this post shouldn’t be considered legal advice. This article is not intended as comprehensive coverage of cyber liability issues. Always consult qualified legal counsel regarding your specific circumstances and legal exposures.
Need Help Meeting Compliance Requirements?
For over 20 years, Teal has partnered with small financial firms to navigate complex compliance requirements with expertise across multiple frameworks. Contact us today to discover if we’re the right partner for you.