Pitfalls for Professional IT Consultants: Ways to Avoid Data Breach Liability Claims

June 06, 2018

When are you liable in a data breach?

IT professionals, including consultants and developers, handle sensitive data every day, and even a few compromised records can be enough to give hackers a gateway into your clients' systems. If this happens, you could be held liable.

Clients can sue you if a system is compromised or data is lost as the result of work you did or actions you failed to take. It doesn't matter if a breach is the direct result of negligence on your part or not. Liability in breaches is complex, and the legal system hasn't completely caught up with the many risks posed to data in modern systems. If clients feel they have a reasonable cause to sue an IT professional they hired, there's a good chance that the lawsuit will stick.

What is data security?

A data breach occurs when vital information is lost. Information may be stolen, manipulated, held for ransom, leaked or destroyed, leading to a variety of legal expenses and a lengthy recovery process. In the age of big data and connected devices, data breach risk looms large in the minds of business owners and IT professionals.

The data most often compromised in breaches includes sensitive information like credit card numbers, customer profiles and proprietary company files. Whether you work as an IT consultant or as a developer, a breach involving data you handle or data processed by your clients could land you in the middle of a lawsuit.

Part of the reason for this is the complicated nature of data security. Data security involves preventing unauthorized access to private information, whether intentional or accidental. When implemented properly, data security measures ensure the privacy of information stored on your own systems and those of your clients. Maintaining data privacy in this way means data is only used in accordance with the terms agreed upon when it was first collected.

What kind of insurance does a consultant need?

Protecting yourself from lawsuits related to data security requires more than standard business insurance. When you first established your IT business, you should have invested in:

• General liability insurance
• Professional liability insurance
• A business owner's policy

This group of policies covers common issues faced by most business owners but doesn't do much to help in the event of a data breach lawsuit. Comprehensive IT consultant insurance should also include a cyber liability policy. Cyber liability covers:

• Payments to hackers in the event of ransomware attacks
• Expenses associated with notifying affected parties and making restitution
• Credit monitoring services
• Legal expenses from associated lawsuits

Depending on the complexity of the way you store and process data, you may need a cyber liability policy for your own company and one to cover any client data you handle on a regular basis.

How to avoid a data breach

While it's impossible to reach a point of zero risk when handling data, you should do all you can to minimize the likelihood a malicious third party will gain access to sensitive information. Protect yourself and your clients by: 

• Conducting assessments: Review the systems currently in place to deal with potential security problems. Determine the level of risk in relation to the types of data being stored, and be sure to work with clients to strengthen weak areas.

• Installing anti-malware software: These programs scan systems for suspicious software and prevent its spread. They can also be used to block websites known to house and distribute such programs.

• Encrypting client data: Use encryption keys to protect data during transfer and storage. Even if hackers intercept the encrypted information, they can't decode it without the key.

• Minimizing data collection: Look at how much data you and your clients keep on file. Take note of any unnecessary records or stored information no longer being used. Remove redundant and old data, and work with clients to streamline collection so that only critical data comes into the system. 

• Performing routine updates: Software updates include patches for known security vulnerabilities. Set all software you and your clients use to update on a regular schedule, ensuring none of these patches are missed. Some of the largest data security breaches in the recent past could have been minimized if companies had prioritized routine updates.

• Not using public or unsecured networks: Working on clients' projects over unsecured networks leaves their information open to theft. Use only secure networks with solid passwords when working with client data.

• Creating clear policies: Look at your existing security policies and those of your clients. Make updates as necessary, focusing on the implementation of strong defenses and educating clients on how to uphold and enforce new rules.

• Ensuring compliance: Research and understand local, federal and international privacy laws. Review data security policies, and make changes to align procedures with regulations.

Hiscox provides errors and omissions insurance to a variety of IT professionals, including home-based and self-employed consultants and developers. If your business lacks adequate coverage for issues relating to data security, get in touch with Hiscox for a quote on the policies you need to prevent losses in the event of a breach.

Combining a detailed data security plan with the right insurance lowers the risk of data breaches and keeps you safe in the event that a client sues you for liability. Work with clients to implement the proper security measures and be diligent in maintaining your own security so that sensitive information is as safe as possible from hackers and your integrity remains intact.