Threat of Harm: How a Cybersecurity Lapse Can Make Your Financial SMB Liable
The chances of a company facing a data breach lawsuit appear to be increasing. And for smaller companies — particularly financial services providers — a lawsuit can put them out of business. Learn these four strategies to protect your firm from cybersecurity litigation.
We focus mostly on technological solutions in this blog, but the fact is, even companies with excellent IT security can suffer a data breach. And in some cases, people whose information has been exposed can sue for damages even if they can’t show the breach has harmed them.
In legalese, this is called “threat of harm,” and it’s a term that should be on the radar of every business that handles personally identifiable information (PII) for clients.
How the “Threat of Harm” Legal Standard May Expose Your Business to Lawsuits
Stan Sterna is an attorney and vice president, and Joe Wolfe is a risk management consultant, for Aon Insurance Services, the company that administers the liability insurance programs of the American Institute of Certified Public Accountants (AICPA).
In a 2019 article in the Journal of Accountancy (“Cyber liability: Managing evolving exposures”), they wrote about the “threat of harm” standard:
While some federal circuits require the plaintiff to have suffered actual harm in order to have standing, others have held that a risk of future harm is enough — a significant expansion of standing.
We followed up with Stan and Joe about the “threat of harm” and other matters relating to how small and medium-sized financial services firms can guard against legal action resulting from a data breach.
Stan sees a trend of more data breach notification statutes leaning toward the mere threat of harm standard, providing an easier path to lawsuits for people whose data has been exposed.
You May Be Subject to the Standard, Even if Minnesota Never Adopts It
Although the Eighth U.S. Circuit Court of Appeals, which includes Minnesota, hadn’t yet applied the threat of harm standard as of this writing, that doesn’t mean our state’s SMBs are safe from that standard, even if the state never does adopt it.
The experts from Aon also point out that if your firm holds the data of residents in federal circuits that uphold the threat of harm standard, those people could still be granted legal standing to sue you for the mere risk of future harm.
With that in mind, we asked Stan, Joe, and another cybersecurity liability expert — Bob Cattanach, a Minneapolis-based attorney with Dorsey & Whitney — for advice that small financial firms can use to minimize liability and damages from a data breach.
Their recommendations include:
- Buy cyber liability insurance
- Create an incident response plan (IRP)
- Screen vendors who store or process critical data for your firm and clients
- Read recent cybersecurity guidance from your industry’s regulators
1. Buy Cyber Liability Insurance
The cost of defending your firm against data breach lawsuits could easily be prohibitive without cyber liability insurance (a.k.a. “cyber risk insurance” or “cyber insurance”).
If you looked into this coverage more than a year or two ago and didn’t buy it, look again. Cyber insurance products for SMBs are changing rapidly, and today you’re more likely to find an affordable option.
We’ll be describing coverage options and shopping tips in a future post (which is why you should subscribe to our blog!).
For now, here are tips from Joe and Stan, who have 38 and 20 years of experience, respectively, in risk management and claims for professional services firms.
- See if your current business owner’s policy covers cyber liability
Business insurance coverages such as General Liability, Professional Liability, and Errors and Omissions often don’t cover losses related to data breaches, or they provide very limited coverage.
- Contact your cyber liability insurance carrier even if a data breach wasn’t caused by a hacker
Confidential financial information can be exposed through simple human error.
If you discover a mistake, like emails containing personal financial data sent to the wrong email addresses, contact your insurance carrier. They should be able to help you determine whether a breach has occurred, and what to do about it.
- Make sure assistance with notifications after a data breach is included
The obligation to notify people affected by a data breach, and notify the necessary regulatory and/or law enforcement organizations, can be a huge burden on a small financial services firm.
“The better insurance carriers have teams that specialize in compliance with breach notification law requirements, and use qualified law firms and outside consulting firms as needed,” says Joe. “They’ll determine whether a breach actually occurred under state law.”
Joe says the claim teams will walk you through the notification process, so you’re in compliance with any state laws that apply.
- Be accurate about your current cybersecurity program when filling out cyber liability insurance applications
This tip comes to us from Bob Cattanach, a Minneapolis-based partner at the law firm Dorsey & Whitney, who specializes in cybersecurity regulatory compliance and litigation. He’s helped many firms navigate the aftermath of a breach, including representing them in court.
Bob says to be careful when filling out cyber insurance applications. You’ll be asked about certain data protections and policies you currently have in place. That information will be verified should you suffer a loss, and if your answers prove incorrect, your policy may be void.
This would be especially catastrophic if your firm is targeted by a class action lawsuit, which is becoming more of a possibility, Bob says.
As he mentioned in our previous post, “8 Cybersecurity Trends Experts Reveal for Financial Services SMBs,” the California Consumer Privacy Act (CCPA), which takes effect in 2020, appears to open the door to class action lawsuits for data breaches that generally aren’t allowed today.
“This may be the biggest change in how data breach class actions are treated by courts since these suits started, and even medium-sized firms [with annual earnings of $25 million or more] could be at risk if the exposed data involves California residents,” Bob says.
2. Create a Cybersecurity Incident Response Plan
A well-documented set of cybersecurity policies and procedures can help you defend yourself against lawsuits, Bob says. It’s also a regulatory requirement for financial services providers.
A key element of your documentation should be a cybersecurity incident response plan (IRP).
Bob is editor-in-chief of the Incident Response Guide by the Sedona Conference Working Group 11 on Data Security and Privacy Liability. (Download it here. You’ll have to set up an account, then use the publication search function for “incident response guide.”)
This would be an excellent resource to go through with your legal counsel, to help you set up your IRP.
PRO TIP: Be sure to look at the IRP Guide Appendix A, a model IRP, and Appendix B, model breach notifications.
3. Screen Vendors Who Store or Process Critical Data for Your Firm and/or Clients
Getting hacked is often just bad luck. As Bob puts it, “Nobody knows what some hacker sitting in Eastern Europe with a cup of coffee tomorrow morning is going to stumble on.” But hiring vendors who don’t have proper cybersecurity in place isn’t bad luck — it’s bad management.
Bob points out that you can be sued even if your clients’ data was compromised while in a vendor’s control.
The Sedona Conference’s IRP Guide, mentioned earlier, has a good “supply chain security” section that addresses vendor management.
Here are the guide’s due diligence screening questions for vendors who store or process your company’s data:
- Does the Vendor have security certifications such as International Standards Organization (“ISO”) 27001?
- Does the Vendor follow a National Institute of Standards and Technology (NIST) or another cybersecurity framework? (Editor’s note: It might be a good idea to follow up this question with: “Approximately how much of the NIST framework do you follow? 100%? 80%? 10%?”)
- Does the Vendor have adequate insurance, including cyber liability coverage?
- What history does the Vendor have in suffering from data security events?
- Will the Vendor permit security audits or provide copies of its external security audit reports?
- What due diligence does the Vendor conduct for its own employees, subcontractors, suppliers, and other third parties, especially those that might have access to the organization’s data?
- What access controls and related data security measures does the Vendor employ?
- What are the Vendor’s encryption practices, at rest and in transit?
- If the Vendor will house the organization’s data, where will it be located and how and where will it be transferred, and how much notice will the organization receive if it is to be relocated?
- What are the Vendor’s backup and recovery plans?
- Does the Vendor have an Incident Response Plan?
4. Read Recent Cybersecurity Guidance for Your Industry
If your clients’ data is compromised, you’re likely to face more fines and damages if you weren’t in compliance with your industry’s cybersecurity standards when the breach happened.
New cybersecurity guidance for financial services firms is being published regularly, as cybercrime rapidly evolves. And before you say, “My IT vendor handles all that — I don’t need to know that stuff,” imagine yourself saying that to a federal examiner or to a jury.
As an owner or top executive of a firm that handles sensitive personal/financial data for clients, you need to know the up-to-date basics of cybersecurity for your industry.
You may want to delegate the task of digesting these resources and creating a plan that follows their guidelines. But it’s a good idea for all top execs to at least be conversant with the basics of the framework.
NIST recommendations are crucial. They’re updated every couple of years by leading public- and private-sector experts. They’re not industry-specific, but many financial industry cybersecurity checklists and guidebooks have the NIST framework baked in.
NIST breaks down the core functions of information security into specific standards for you to meet, and actions you can take to get there. Many in the financial industry will be quite familiar with the risk management concepts NIST uses.
The guide includes how to limit employee access to data and information, train employees about information security, create information security policies and procedures, and more.
This website pulls together expertise from public and private sources. For example, the Department of Homeland Security provides a basic list of cybersecurity threats, instructions for managers featuring planning and education tools, and compliance guides.
PRO TIP: All three of our experts agreed that financial services firms should heed recommendations by the National Institute of Standards and Technology (NIST).
If you manage roughly 20 to 40 RIAs, it can be hard to find compliance guidance that isn’t geared toward either big companies or mom-and-pop shops. FINRA has materials that can help you secure data within a moderately sized but complex IT infrastructure.
If you work with your IT staff and/or vendors to complete this document, you’ll have the bones of a strong cybersecurity program you can actually follow. Should you have to show in court that you’ve made a good faith effort to perform due diligence, this checklist should be Exhibit A.
This report not only lists cybersecurity controls relevant to small financial advisor firms, it points you to many other FINRA documents on cybersecurity, such as the Report on Cybersecurity Practices (2015), and the Report on Selected Cybersecurity Practices (2018).
Performing well in cybersecurity audits or SOC for Cybersecurity examinations is another way of showing in court that your firm has taken cybersecurity seriously.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has solid guidance for small firm cybersecurity policy.
Perhaps the most valuable part of this document is the appendix that offers examples of what examiners will look for in governance, risk assessment, access rights and controls, data loss prevention, and more.
This highlights the SEC’s concerns about data storage, including best practices for working with cloud data storage providers.
“Accountants today are getting into non-traditional workspace, beyond just taxes and auditing,” Stan says. “They’re also doing IT consulting and assurance services, so it’s becoming more likely that they’ll have [IT network] access to data that’s covered by many different regulations, such as HIPAA.”
The good news is that in 2017, AICPA established SOC for Cybersecurity: its own framework for assessing and reporting on an organization’s cybersecurity risk management. It’s designed to incorporate each business’s specific regulations.
This is the main page for SOC for Cybersecurity, which uses the NIST framework among other sources. CPA firms can use it to create and document a business’s cybersecurity program.
It includes information on SOC for Cybersecurity examinations, a service performed by CPA firms to provide businesses with an independent assessment of their cybersecurity risk management programs.
This page includes links to cybersecurity resources for all organizations (including CPA firms). It also provides information on consulting and assurance cybersecurity services available from CPA firms.
PRO TIP: Journal of Accountancy, which published the article by Joe and Stan we quoted at the top of this post, is an excellent resource for cybersecurity news. In particular, read the Data and Information Security section.
Even if you’re not a healthcare provider, if you handle any data that includes protected health information (PHI), you are subject to Health Insurance Portability and Accountability Act (HIPAA) information privacy rules.
In 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a final rule identifying provisions of the HIPAA rules applicable to “business associates,” such as lawyers, accountants, IT contractors, and billing companies.
Business associates are directly liable for HIPAA violations. The definition of business associates lists their services as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial.
Information regarding the responsibilities of business associates under HIPAA, and related resources.
If you think your firm may have some exposure to HIPAA rules, review this checklist. There are many more HIPAA resources, but cyber liability in the medical realm is mostly outside the scope of this post.
To Prevent “Threat of Harm” Exposure, Documentation Isn’t Enough
Our cyber liability experts agreed that many companies have excellent cybersecurity documentation — but they still lost lawsuits because they didn’t practice what they documented.
An IRP, for example, probably won’t help much if the people responsible for implementing it never look at the plan after it’s created, and never practice what they’d do in the case of a data breach.
And with the “threat of harm” standard increasing your exposure to data breach lawsuits, you need to be able to show that your cybersecurity plan is more than a document — it’s your way of doing business.
(The information in this post shouldn’t be considered legal advice. This blog post is not intended as comprehensive coverage of cyber liability issues. Always consult qualified legal counsel regarding your specific circumstances and legal exposures.)