Are You Liable for Data Breaches?

By at 18 March, 2024, 9:16 am

by Barbara Weltman –

Data breaches—from hackers or insiders—can leak sensitive information about customers and employees. According to the Identity Theft Resource Center (ITRC)’s 2023 Business Impact Report, 73% of small business owners experienced a data breach or cyberattack in the past year. If this happens to you, are you liable? What do you do?

FTC Safeguards Rule

Banks and other financial institutions have long been subject to FTC rules governing data breaches…what to do to be secure and when to report breaches. Last year, the FTC adopted a rule for certain other businesses to guard customer information.  The FTC has the authority to impose penalties up to $100,000 per violation, and business officers can be personally liable.

Businesses subject to the rule. Only businesses over which the FTC has enforcement authority must comply with the rule. These include, but are not limited to, mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders. But other types of businesses are subject to the rule because of the nature of their activities, including:

● A retailer that extends credit directly to customers through its own credit cards (but merely “lay away” or deferred payment plans don’t make the retailer subject to the rule)

● An automotive dealership that leases vehicles for longer than 90 days

● A property appraiser

● A career counselor providing services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution

● A business that prints checks for consumers

● A travel agency operating in connection with a financial institution

There is no small business exception. This means a solo CPA who does tax return preparation is subject to the FTC rule (and to the IRS requirement to guard customer information).

Actions required for compliance. Businesses subject to the rule must develop, implement, and maintain an information security program. This includes:

1.) Designating a qualified person responsible for overseeing the company’s program

2.) Basing the company’s program on a risk assessment of reasonably foreseeable internal and external risks.

3.) Periodically performing additional risk assessments

4.) Designing and implementing safeguards to control the risks

5.) Regularly monitoring the effectiveness of the safeguards

6.) Implementing policies and procedures to ensure personnel are able to do the program

7.) Overseeing service providers

8.) Evaluating and adjusting the program in light of the results of testing and monitoring

9.) Establishing a written incident response plan

10.) Requiring the qualified individual to report in writing on a regular basis (at least annually)


Even if you’re not subject to the FTC rule, it’s highly advisable to follow the same actions to ensure your data is protected to the extent possible. Companies that experience data breaches face liability from customers and employees. What’s more, customers may shun the companies going forward.

● Assess where you are vulnerable. For example, you may have data breaches through remote workers or even through third-party vendors.

● Determine the cost of complying with the FTC rule and following the same steps even if not mandatory so you can budget accordingly.

● Prepare in advance for notifying customers and employees if you experience a data breach and what recovery services you’ll offer to them.

Final thoughts

Check your business owner policy (BOP) to see whether and to what extent you have cyber coverage. This may be an add-on to your BOP or a stand-alone policy. Check with your insurer on what’s required with respect to data security. Also check the FTC’s 10 cyber security tips for small business, which go beyond the FTC’s safeguards rule.

Find more blogs about data security here.

Barbara Weltman is a member of SBE Council’s advisory board, and has been a leading consultant for small businesses of every kind for over twenty years. She’s the founder of Big Ideas for Small Business® and has written numerous books on small business operations, including J.K. Lasser’s Small Business Taxes, Complete Idiot’s Guide to Starting a Home-Based Business, and The Rational Guide to Building Small Business Credit. Follow Barbara on Twitter @BigIdeas4SB.

News and Media Releases