How the New Cyber-Security Bill May Impact Your Business

How can I protect my business from liability due to hackers and cyber-security issues?

It seems as though every month or so, some large retailer (or the federal government) is caught scrambling to undo the latest remote hack of consumer financial data. From Home Depot to Michael’s, hackers have found intricate ways to obtain and misuse consumers’ credit card numbers, Social Security numbers, and other sensitive data. And, when this happens, where do consumers turn for answers and/or compensation? The store that allegedly allowed the breach.

Of course, stores that accept credit cards have the major credit card companies to fall back on in the event an issue occurs. Moreover, most banks will cover the cost of a data breach or fraud – reimbursing the entire sum to the cardholder with (virtually) no questions asked. Small business owners, however, wonder if there are any steps they can take to help provide added peace of mind to their worried customers, who, of course, are eager to protect their identities and hard-earned income.

In Washington, Congress is preparing to impose international sanctions on nations considered to be involved in data hacks on American private business and government. In addition, it is preparing to add significant amendments to the Cyber Security Bill, including a clause that limits businesses’ liability when sharing information with the FBI or Secret Service about the details of a hack. For those who are engaged in tech, loss prevention, or anti-fraud industries, this detail could help block lawsuits from those concerned with privacy matters over the greater good of consumers overall.

Of course, consumer privacy is another major issue to consider (think:, and many opponents of the Cyber Security Bill (in current form) object to its contents on the grounds that it provides businesses and the government with too much leeway in releasing personal information about perceived threats. For instance, some lawmakers are seeking to include language requiring companies to “remove, to the extent feasible, any personal information of or identifying a specific individual… that is not necessary to describe or identify a cyber security threat.” Others wish to expand this language further, requiring a business to remove data it “reasonably believes” (as opposed to “knows”) does not pertain to a significant cyber security threat.

If you would like to discuss your business’s rights and obligations with regard to consumer data and liability, please contact one of our skilled and knowledgeable business attorneys at Willcox, Buyck, & Williams. Serving South Carolina for over a century, we can be reached at 843.536.8050 or 843.461.3020.