Cybersecurity Breaches and Legal Liability for Your Business

The frequency of cybersecurity breaches is on the rise, posing a serious threat to Long Island businesses of all sizes. According to statistics, 41% of small businesses were victims of a cyber attack in 2023. Breaches may not only lead to operational disruption, IT issues, and costly remediation efforts, but they can also expose a business to legal liability and regulatory penalties. If you’re a business owner, it’s crucial to understand how cybersecurity breaches occur, what’s at stake, and how to mitigate risk to protect your company from liability.

What is a Cybersecurity Breach?

A cybersecurity breach is an incident that occurs when an unauthorized individual or malicious actor gains access to a company’s digital systems. There are many different types of breaches that can affect a business. Some of the most common include the following:

  • Ransomware attacks
  • Phishing schemes and social engineering
  • Malware or viruses
  • DDoS attacks
  • Password attacks
  • Insider threats
  • Supply chain attacks
  • Theft of customer or client information

Without a data security plan and other strong protections in place, your company is vulnerable to a cybersecurity attack. This can lead to loss of information and revenue, significant investigatory costs, and reputational damage. Notably, if you did not take reasonable precautions to safeguard your company’s data, a breach can create civil liability — especially when sensitive or proprietary information is compromised.

How Can Cybersecurity Breaches Lead to Litigation?

There are various ways a cybersecurity breach can trigger litigation. For instance, if a breach arises from inadequate cybersecurity measures, a business can be sued for negligence by an individual customer or employee who suffered damages as a result. Shareholders may also bring a derivative action on behalf of the company if the directors breached their duty of care by failing to take necessary measures to prevent risks. In these cases, a court would evaluate whether a company took reasonable steps to secure the data in light of foreseeable cyberattack risks.

Additionally, cybersecurity breaches can sometimes give rise to breach of contract claims. For example, if a company failed to protect sensitive data as specifically promised in a contractual agreement, the aggrieved party may pursue a breach of contract claim for the financial harm they suffered as a result. These types of claims can emerge in connection with third-party vendor agreements, or client, employee, or partner agreements that contain specific data protection clauses.

The Attorney General can also bring an action for a NY SHIELD Act violation against a business if it fails to fulfill the data security duties imposed by the law, resulting in unauthorized access to private information. A violation of the Act can also occur if a business does not provide timely notification to those affected by a data breach. The Attorney General may seek civil penalties, injunctive relief, and an order requiring stronger cybersecurity measures. Although the Act does not create a private cause of action, such regulatory findings may be used as leverage in related civil lawsuits.

How to Protect Your Company from Risk

While no business is immune to cyberattacks, it’s crucial to take proactive measures to reduce the likelihood of a breach and the legal exposure that can come with one. Notably, under New York law, businesses are expected to take reasonable steps to safeguard sensitive information. What is considered reasonable may depend on a variety of factors, such as the size of the company, the type of data collected, and the standards within the industry.

Regardless of the nature of the company, proactive measures that can help mitigate the risk of a cyberattack include:

  • Conducting regular risk assessments
  • Training employees and management on cybersecurity practices
  • Developing and maintaining an incident response plan
  • Ensuring contracts and privacy policies reflect the company’s cybersecurity practices
  • Using technical safeguards such as firewalls, encryption, and intrusion detection
  • Establishing clear policies for reporting suspicious activity
  • Monitoring vendor compliance
  • Securely disposing of data that is no longer needed
  • Maintaining a cyber liability insurance policy

Consulting with legal counsel to ensure compliance with New York’s data security laws is vital to mitigating risk. They can best advise on what constitutes reasonable safeguards, provide guidance on your legal obligations, and protect your company’s position in the event litigation is anticipated following a breach.

Contact an Experienced Long Island Business Litigation Attorney

If your company is facing litigation due to a cybersecurity breach, it’s essential to have a knowledgeable attorney by your side who can protect your interests. At Barnes & Barnes, P.C., we offer high-quality legal services and results-driven representation for a wide range of commercial matters, including those involving data breach litigation. Contact us at (516) 673-0674 to schedule a consultation and learn how we can assist you.
