“If my website is hacked and customer data is exposed, can I be held liable?”
That is a question most small business owners aren’t losing sleep over or are readily prepared to answer. But in an era where data breaches routinely occur, it warrants serious consideration.
You may think that just because you run a small business, the chance of your website getting hacked is minimal. That is not the case.
A survey conducted by the Poneman Institute, an information security research firm, on behalf of insurer Hartford Steam Boiler found that 55 percent of small businesses had experienced a data breach, and 53 percent reported multiple invasions.
How Does a Website Get Hacked?
Before delving into the liability issue, it’s important to address the question of how websites get hacked in the first place.
Tony Perez, co-founder and CEO of Sucuri, a website security technology provider, said in an email exchange with Small Business Trends that sites typically get hacked in one of four ways:
Access control has to do with how we log into our environments, whether that’s the admin panel of our platform or the servers and hosts themselves.
According to Perez, hackers can figure out how to log into your site’s hosting panel or server through a brute force attack, a trial-and-error method used to obtain information such as a username and password. Brute force attacks utilize automated software to generate a large number of consecutive guesses, to uncover the desired information.
Hackers exploit software vulnerabilities by using cleverly “malformed Uniform Resource Locator (URL)” or “POST Headers,” Perez says.
He explains that the way to think of vulnerabilities is as software bugs or kinks in the website’s armor.
“Since the early days, bugs have been a way of life with any code,” he says. “Code is built by humans, and though unintentional, we make mistakes.”
Poorly Managed Environments
“You can purchase a website hosting account with a company that has hundreds of sites installed or configured on what I call ‘soup kitchen’ servers,” Perez says. “This is complicated by the fact that site owners don’t employ any website management principles (i.e., functional isolation, updates, backups).
Third-party software integrations and services are commonplace in today’s website ecosystem, Perez says, and are especially popular in content management systems such as WordPress, Joomla and Drupal. The problem with the exploitation of third-party integrations and services is that it is beyond the website owner’s ability to control, according to Perez.
Advertising networks present yet another problem.
“There is a big issue with ‘malvertising,’ where attackers can abuse the ad networks businesses use on their sites to rotate and serve malware to users on a conditional basis,” Perez says.
How Do I Prevent My Site From Being Hacked?
Unfortunately, there is no way to guarantee that your site will never get hacked. There are steps you can take to reduce your risk, however, that include:
- Incorporate two-factor authentication. According to the website TechTarget, two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials. Examples include a physical token, such as a card, and something memorized, such as a security code.
- Use a website firewall and anti-virus. This helps guard against software vulnerability. Sucuri offers both options as part of its product lineup.
- Backup your site’s content. Many content management systems, such as WordPress and Joomla, have backup capabilities built-in. If your CMS doesn’t offer backup protocols, your website host provider can probably help. Companies such as Mozy, Barracuda and Sucuri also offer website backup services.
- Register with search engines. Google and Bing have webmaster tools that can tell you the health of your site.
What’s My ‘Cyber Liability’ if Customer Data Is Exposed?
Unfortunately, there is no cut-and-dried answer to that question. Some attest that the entity holding the information is liable while others suggest the customer bears responsibility.
Judith Delaney, founder and chief new media compliance strategist for CMMR Group-TurnsonPoint, a digital media compliance firm, said in an article addressing consumer concerns regarding liability, that if hackers accessed information through your company’s online systems, most likely, you would be held responsible.
She also said that everyone — businesses and consumers alike — bears the responsibility to protect sensitive information.
Perez, weighing in on the liability issue, warns that small businesses running an ecommerce site must comply with the Payment Card Industry Data Security Standard (PCI DSS).
“It’s not law, but it’s a regulation that will create big problems for you if you’re compromised and found to have been the reason why credit card data was stolen,” he says.
He adds that consumers expect and demand a safe online experience when they visit your site.
“They trust that when they visit your website, as a company that cares, you are doing your part,” he says. “When you’re not, and you break that trust, you not only break the trust with your brand but with users general experience with the Internet. Our impacts are larger than our little corner of the web.”
State Laws Protect Consumers
“The landscape of cyber security is shifting rapidly as data breaches are spiking,” Delaney said. “Congress, regulators and state attorneys general are taking a hard look at how companies … are protecting consumer information from unauthorized access. Hearings have been held, and new laws pushed.”
California was the first state to pass a data breach law, in 2003, which requires that consumers be notified if their personally identifiable information is compromised.
Following California’s lead, other states enacted laws requiring organizations to notify individuals when a security breach puts personal information at risk. The National Conference of State Legislatures provides a comprehensive list as does BakerHostetler, a law firm.
In addition to the states, federal law may require notice for particular types of data breaches.
Cyber Liability Insurance Protects Businesses
Notification can quickly become very expensive, however, particularly if you have thousands of customers with which to communicate.
Unfortunately, standard commercial property and liability insurance does not cover the loss of personally identifiable information. To address the issue, several companies now offer cyber liability policies intended to cover a data breach where customer information, such as Social Security or credit card numbers, is exposed or stolen.
The policies include a variety of expenses associated with data breaches, including notification costs, credit monitoring, crisis management, costs to defend claims by state regulators, fines, penalties and loss resulting from identity theft and business interruption.
The problem of cyber attacks is not going to go away but will become more sophisticated over time.
While the question of liability is still not clear cut, businesses can protect themselves and their customers by following the guidelines included in this article.
Take the necessary steps to prevent your site from being hacked and consider purchasing cyber liability insurance to protect yourself in the event it is, and customer data is exposed.
Hacker Photo via Shutterstock
Even if the liability is limited, it is still our responsibility as business owners to protect our customers. While it is ideal to have some form of security in place, it is harder in reality where our site is constantly exposed to threats.