Great Lakes Wire

Thursday, September 25, 2025

Supply chain firms urged to address rising cost and risk from data breaches

Brian Calley President and Chief Executive Officer at Small Business Association of Michigan | Official website

Data breaches are becoming more common and costly for U.S. companies, with businesses in the supply chain being frequent targets. Experts stress that understanding both the risks and potential costs of data breaches is essential for suppliers.

Organizations face a persistent challenge: while cybercriminals need only one successful attempt, companies must defend against every possible threat. The increasing use of technology and artificial intelligence within organizations has led many to view cybersecurity incidents as inevitable.

Human error remains the leading cause of data breaches, often involving employees, service providers, agents, or volunteers. To address this risk, experts recommend ongoing training for all staff and thorough vetting of service providers.

"Training

Ongoing training for employees, vendors and contractors is essential to reinforce a culture of security awareness. Organizations should review policies and procedures and revise when necessary to ensure consistency. With the rapid pace of technological change, policies and procedures can quickly and easily become out of sync. A regular review of both will help identify any inconsistencies and allow organizations to correct them before major issues arise."

The article also highlights the importance of including multiple stakeholders in policy reviews to fully understand how sensitive data is used and transmitted.

Third-party vulnerabilities present another significant challenge. Data breaches involving external service providers can be especially difficult to manage because liability is often unclear until after an incident occurs. At that point, damages may already be substantial.

"Third-Party Due Diligence

Despite their best efforts, many organizations will eventually experience a data breach. The most difficult to protect against is a third-party data breach involving company data. By the time such a breach occurs, it’s often too late to negotiate with the third-party service provider over who will cover the costs. At that point, substantial damages may have been incurred, and both parties are likely to shift blame to avoid responsibility for these potentially extensive costs."

Costs associated with breaches can include legal fees, required notifications to affected individuals or media outlets, call center staffing, credit monitoring services for those impacted by the breach, as well as additional obligations if confidential information from other parties is involved.

Because laws rarely specify how liability should be divided between parties after a breach—and state attorneys general are increasingly imposing fines—companies are advised to discuss liability during initial contract negotiations with their service providers.

"Key Contract Considerations

Given the nature of a breach and associated costs, organizations should be careful to avoid waivers of consequential damages that are often boilerplate in many agreements. A court would likely categorize the types of breach-related expenses listed above as consequential damages. As a result, without a carve-out, the third party could escape any liability for associated costs."

Experts suggest considering options like “super caps” on liability—multipliers based on fees paid—or setting specific dollar limits in contracts related to breaches.

Proactive planning can reduce both the likelihood and impact of data breaches when they occur.

The Small Business Association of Michigan (SBAM) offers members resources such as RiskAware assessments that help identify vulnerabilities; SensCy services aimed at improving cyber hygiene through training; and cyber liability insurance coverage designed to help manage financial risks related to cyberattacks.

"If you are seeking guidance regarding the steps you can take to protect your business from the risks and costs of a cyberattack, please reach out to Nate Steed or another member of Warner’s Cybersecurity and Privacy team. Our team has substantial experience developing incident response plans and can help you draft or update your incident response plan before an attack happens. In the unfortunate event of a cyberattack, Warner can help you navigate the aftermath to minimize the impact."

The article was provided by Warner Norcross+Judd.
