Texas Businesses – Let’s Learn About SB 2610


February 25, 2026

Legislation provides small and medium businesses data breach liability relief 

By Chuck Smith, President & CEO, Guardian Infrastructure Solutions 

Texas small and medium-sized businesses are in a bind with cybersecurity. You’re as much a target of hackers and ransomware seekers as enterprise organizations – in fact, SMBs account for the majority of hacks – but you don’t have the resources that big companies can draw on to protect themselves.

And if a successful hack isn’t bad enough in terms of stolen info, lost funds, and expensive downtime, your SMB is open to lawsuits from customers and business partners. The legal market knows this – especially the “billboard attorneys” – and they’re ready to pounce. 

This came to the attention of Texas state legislators, who passed Senate Bill 2610. The new law creates a lawsuit “Safe Harbor” for SMBs that have suffered data breaches. Right now, most SMBs aren’t clear on what SB 2610 does. Often, we hear “Safe Harbor” and think we’re automatically covered.

So, first – and this may be painfully obvious – SB 2610 does not help stop cyberattacks. The bad actors are still after you. And, it does nothing for your hack-related costs – lost info, downtime, or ransomware paid. What it does is effectively eliminate punitive (“exemplary”) damages in a civil lawsuit brought against you by anyone or any entity whose data you were entrusted with. You’re still on the hook for the actual (compensatory) damages caused by the breach. However, since punitive damages are a multiple of actual damages, the law gives real relief. 

How do you take advantage of Safe Harbor? The company must show that at the time of a breach it had a qualifying cybersecurity program in place. This gets a bit techy, but here’s an explanation as a starting point. The program requirements are split into three tiers based on employee count, and each tier must meet higher criteria than the one below it.

Fewer than 20 employees: Small businesses need to maintain a reasonable cybersecurity program with simplified requirements, such as password policies, multifactor authentication (MFA), employee training, backups, patching, and other safeguards. The key is for the company to show proof that the program was in place before the hack occurred.

20 to 99 employees: These businesses must go beyond basic safeguards and reasonably conform to an industry-recognized cybersecurity framework, such as those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), or the Center for Internet Security (CIS). The key again is proving the program was in place before the breach.

100 to 249 employees: This tier must implement a comprehensive cybersecurity program that fully conforms to a formal framework from NIST, ISO or CIS. In effect, mid-sized firms must maintain enterprise-level cybersecurity practices. And again, the key is proving that the program was in place before the breach occurred.

The legislators felt that Safe Harbor would offer protection and move SMBs toward standards without overwhelming them. The law “incentivizes investments” in cybersecurity and best practices before a breach. 

A larger issue, though, is the temptation to think of Safe Harbor only in terms of your own business. While your own business should be your foremost concern, you should also think about cybersecurity and Safe Harbor for all the SMBs you deal with. This is what I like to call the “Aspen Forest” – the relationship between you and the businesses you interact with.

Aspen forests are fascinating because, instead of many separate trees, the forest is actually a single living thing. One tree will send out underground roots that sprout new tree trunks. The forest may look like different trees, but they are all connected to the same root system. Because of this, a threat that affects one area can damage the entire system. A drought in one region of the root system can weaken the whole forest. Diseases can spread quickly. A severe enough event to the shared roots can end the entire forest. 

Just like the forest, your business is part of a larger, interconnected organism. What would happen if your top supplier were hacked, and then bankrupted by punitive damages? So, while you’re establishing your Safe Harbor, it’s worth discussing cybersecurity programs with the SMBs you deal with. (Enterprise organizations should have this conversation with the SMBs in their “forest.”) 

One final note: It’s great if you have cybersecurity insurance; many SMBs rely on it. But know that cyber insurers will stop paying claims if you’re not taking advantage of the Safe Harbor. By conforming to SB 2610, you can show that you did what was possible, and keep, renew or even lower your cyber insurance rates.

Want to make sure your organization actually qualifies for Safe Harbor?

Join Chuck Smith for a live webinar on Wednesday, March 11 from 1:00–1:45 PM CT where he’ll break down exactly what leaders must approve, document, and be able to defend to qualify under Texas SB 2610.

Reserve your spot and ensure your cybersecurity program is not just in place, but defensible.