“Don’t Forget About Negligence – It Hasn’t Forgotten you”
Nearly every time I meet with a client for the first time, their first question is some form of “what are the mandatory security requirements that pertain to my business?”
For starters, I begin by asking about the context of their business:
- “What kind of company are you?”
- “Where are your locations?”
- “Are there any governing bodies you report to?”
- “Where do your clients live?”
- “Do you hold out internationally?”
These questions are crucial to understanding which, if any, laws or regulations apply. (A great list of regulations made by my colleague can be found here.)
I then delve into which laws and regulations apply to their business, and I describe in broad strokes the requirements of each.
BUT, there is another possible duty that overarches all the others, and it is often not considered by business owners who want easy bright-line rules to follow and maybe don’t see the forest for the trees:
Good, old-fashioned NEGLIGENCE lawsuits. I tell my clients that in the end, what is important is that they provide their customers with at least reasonable care.
Many courts have found that companies owe a duty of reasonable care with regard to their clients’ data and that having inadequate cybersecurity measures constituted negligence. More sobering still, damages for negligence do not normally have a statutorily defined maximum fine amount!
Also, it is not always clear whether a company is covered under commercial general liability coverage!
This means that one breach could potentially put a company out of business or worse.
So, what is negligence?
Generally, negligence is a cause of action in tort law that requires the fulfillment of 5 elements:
- Duty of reasonable care owed to your customer. (You need to reasonably protect their data.)
- Breach of that duty. (You didn’t reasonably protect their data.)
- But-for causation. (What you did actually caused the damages. It wasn’t someone else.)
- Proximate causation. (Most authorities say that this means it was reasonably foreseeable that what you did would cause damages, but some would say it means that you had no moral right to do, or not do, what you did or didn’t do that caused the damages.)
- Damages suffered.
In summation: this deep into the 21st century, it behooves any and all business entities to implement a reasonably strong information security management system. We have all seen the fallout from data breaches: the massive sums of money they have cost and the privacy they have destroyed.