Failing to Meet Cybersecurity Standards Can Have Legal Consequences
Cybercrime is one of the most significant threats facing companies today. With the average cost of a data breach reaching an all-time high of $4.24 million, the business case for cybersecurity has never been stronger. Still, some businesses seem to misunderstand the urgency of meeting current cybersecurity standards.
It may help to consider the legal consequences of poor cybersecurity. While the United States has no comprehensive nationwide cybersecurity law, American companies can still face legal trouble if they fail to meet certain standards. Various state, industry, and international regulations still apply to many businesses.
Understanding how cybersecurity standards affect companies’ legal standing can help encourage tighter security. In that spirit, here’s a glimpse at how failure to meet various regulations can result in legal consequences.
Ramifications of International Regulations
Perhaps the most well-known cybersecurity law is the European Union’s General Data Protection Regulation (GDPR). While this is a European law, it can still apply to some U.S. companies. If a U.S. business partners with firms or stores data in the E.U. or collects European customers’ data, they may fall under the jurisdiction of the GDPR.
Similarly, China’s new Data Security Law applies to non-Chinese companies if they store data within China or collect it from Chinese citizens. While regulations like these may not affect most U.S. businesses, noncompliance can carry hefty ramifications for those that do.
Fines for noncompliance with the Chinese Data Security Law start around $15,000 and can reach as high as $1.55 million. The GDPR is similarly punitive, charging up to tens of millions of dollars in some situations. Under both, non-compliant companies could risk losing their license to operate in other countries, as well.
Industry-Specific Standards
Many specific industries carry their own cybersecurity regulations, as well. The most notable of these is the Health Insurance Portability and Accountability Act (HIPAA), which affects companies that handle health care data. Given how sensitive this information is, covered entities under HIPAA must meet strict standards.
These organizations must consider the security of their third-party apps and services as well as their own systems. For example, some teleconference software like Zoom features HIPAA-compliant systems, but not all options do. Using a third-party app that doesn’t meet these regulations could put companies in legal jeopardy.
HIPAA violations can cost as much as $50,000 per violation, up to $1.5 million a year. Severe enough violations can result in criminal charges and jail time. Other industry-specific regulations are similar, like the Gramm-Leach-Bliley Act (GLBA), which covers financial information and can result in hefty fines and jail time.
Government Contracts
Companies that hold government contracts may find themselves subject to even higher standards. These contracts can be lucrative, but failure to comply with their cybersecurity standards will incur substantial penalties, including the loss of these profitable positions. Even past failures can create legal trouble if a company attempts to gain a government contract.
For example, in 2019, Aerojet faced False Claims Act allegations related to their past noncompliance. Aerojet had previously failed to meet relevant cybersecurity standards and didn’t disclose this failure when the Department of Defense (DoD) awarded them a contract. Even though the cybersecurity standards in question didn’t directly apply to their work with the DoD, they still faced trouble because of them.
Government agencies expect their contractors to meet certain standards. Failure to meet them, or in Aerojet’s case, failure to disclose their security shortcomings beforehand, can lead to legal action.
State Legislature
The federal government may not have comprehensive cybersecurity legislation in place, but many states do. One of the most notable, and a pioneer of state cybersecurity regulations, is the California Consumer Privacy Act (CCPA). Like the GDPR or Data Protection Law, the CCPA can apply to non-Californian companies under some circumstances.
The CCPA, like other state cybersecurity legislation, deals mostly in transparency. Companies must be clear with consumers about the kinds of data they collect and give them more control over what happens to it. As cybersecurity becomes a more prominent issue, more states will likely adopt similar policies.
Under the CCPA, data breaches can result in fines of $750 per customer per incident or actual damages, whichever is greater. If a breach affected 10,000 customers, the noncompliance fee could reach $7.5 million. Companies can also face fines of $7,500 per violation if they don’t remedy noncompliance after the state notifies them.
Cybersecurity Compliance Is More Crucial Than Ever
Governments across the world are taking cybersecurity more seriously, and so should businesses. Apart from the direct losses of a data breach, non-compliant companies could face hefty fees, loss of business, and even jail time under these growing regulations. No business has any excuse to ignore cybersecurity standards anymore.
Preparation is always better than damage control. Businesses should act now to ensure they comply with all relevant cybersecurity laws. Failure is too costly to risk.
About the Author: Devin Partida is a cybersecurity and data privacy writer whose work is regularly featured on Yahoo! Finance, Entrepreneur, AT&T’s cybersecurity blog, and other well-known industry publications. She is also the Editor-in-Chief of ReHack.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
