In November 2014 Sony Pictures experienced a debilitating cyber-attack, one which many experts believe was perpetrated by the North Koreans. While most small businesses are unlikely to incur the wrath of Kim Jong-Un, any business with a computer or mobile device, i.e., nearly every business, is potentially vulnerable to cybercrime of one kind or another.

The stakes are high. An enterprising hacker could hold your computer records hostage for ransom, and literally shut down your business if you do not pay. Even worse is a hacker who steals and sells your customers’ personal information—an event which would, in some circumstances, require you to notify everyone whose records were stolen that their confidential information is floating in the wind. The cost of sending all the notifications could be enormous by itself, not to mention the legal liability and loss of business goodwill.

What can a business owner do other than wring her hands? Here are three important steps:

(1) Have a professional set up and maintain your network. There is really no substitute for this. While even a professionally-maintained network can be hacked (as Sony experienced firsthand), the job will be more difficult. Do not allow your network to be the “low-hanging fruit” for hackers to pillage. And, even if you are successfully hacked, the fact that you hired a professional to set up and maintain your system will help reduce your potential liability. In legal terms, hiring a professional demonstrates that you acted as a “reasonable prudent business owner” should.

(2) Make sure your Terms of Service and Privacy Policy limit your liability. Every website should have “Terms of Service”, sometimes just called “Terms”, and a Privacy Policy. These documents constitute the contract between you and the users of your site. Be sure this contract limits your liability by, for example, clearly stating the terms of any warranties you provide, and “disclaiming” any warranties beyond what you state in writing. Your Terms of Service should also clearly state that you cannot warrant that your website will be secure, and notify each user that he or she is assuming the risk that a hacker could obtain confidential information. A full discussion of your Terms of Service and Privacy Policy is beyond the scope of this blog, but you can refer to my prior post regarding your “Terms of Service”.

(3) Get cyber insurance. Many insurers offer cyber insurance coverage to protect business owners from the risk of cyber-related loss. A good cyber policy will do all of the following: (A) Provide a legal defense if you are sued on account of an internet-related issue. This is critical—even if you win, the costs of litigation are enormous. (B) Pay any damages if you are held liable, up to the policy limits. (C) Cover any losses you incur, such as the cost of notifying your customers of a breach, and the loss of income your business may suffer while you recover from a cyber-attack. Be sure to ask your insurance agent about cyber coverage. If you do not have an insurance agent, find one!

This is just a basic overview and is not legal advice specific to your situation. If you would like to speak with Jonathan about your situation, please email him at jcw@eastbaybusinesslawyer.com or call him at 925-217-3255.