Am I Liable if a Client's Personal Information Is Stolen from My Business?

Data breaches are a major concern in the modern world, because online theft of data is common and building adequate cybersecurity protection is difficult. For a business, protecting customers' identities and sensitive information should always be a top priority.


Personal information can be lost through careless handling, but it is more often taken by an attacker who breaches a company's systems. Most businesses do their best to prevent such breaches, which raises the question: if a breach does happen and a client's information is stolen, are you liable?


Am I Liable for the Theft of Personal Information?

The short answer is that if a client's information is stolen from a business, that business may well be liable. Most companies store customer information, whether physically, digitally, or both, and if you store it, it is at risk of theft. If that happens, not only will your clients be upset, but you could be held legally responsible.


Most business activity requires collecting some personal information from clients, such as names, email addresses, IP addresses, and phone numbers. If your business accepts online payments, this can also include credit card information. If your servers are poorly secured, your employees are negligent, or you hand data to a third party that is not sufficiently secured, you are at risk of having sensitive information stolen, and with it you are at risk of being held legally responsible.


How to Take Appropriate Preventative Measures Against a Security Breach

To be clear, the theft by itself does not necessarily expose you to legal repercussions. You might have some very unhappy customers, but that alone does not make your business legally liable. What does make you legally responsible is when your clients' stolen information is then used to steal their identities. Ultimately, it is your company's direct responsibility to protect the sensitive information it collects from clients.


At an absolute minimum, you should have proper security measures in place. Never assume that a breach won't happen; assume that one will. Be ready, and know how you will respond if an incident occurs. In this situation, preparedness is key. Remember that proper security measures include not only physical security systems but also information security and software security procedures: employee cybersecurity policies, firewalls, strong passwords, access controls, and similar measures. It may also be worth looking into cyber liability insurance, particularly if you collect payment information from customers.


If your security measures are breached, it is your responsibility to inform clients of the event and of what information was stolen. You may also need to show that you were not negligent in maintaining sufficient security measures. As mentioned above, a security breach does not automatically mean you are liable, but you will have to demonstrate that you did everything you reasonably could to protect your customers' interests.

Showing that you were not negligent with security measures is one part; you should also be ready to show that you did everything you could to reduce harm once the breach occurred. That means notifying clients, but it also means taking appropriate investigation and remediation steps after the fact, and keeping a record of what was done and when.


To protect yourself further, delete stored personal information once it has served the purpose for which it was collected. Keeping the information of thousands of individuals you no longer need increases your exposure and the likelihood of theft. Shred any personal records you hold physically. If you must outsource data storage, use only responsible providers that can demonstrate strong security, because you will still be liable for personal data stolen from a third-party company.


Of course, as a business owner, your clients should be your primary concern, and you should take every necessary measure to protect their personal information. You can never know if or when a security breach will happen, so being prepared is the best defense you can take. Unfortunately, your business can be held legally liable for the theft of sensitive information. To find out more about liability questions or concerns, contact Emerald Law today.


4700 Sheridan St STE J

Hollywood, FL 33021

(561) 621-3573

info@emeraldlaw.us

​​​​© 2020 Emerald Law, PLLC