Data breaches are a major concern for many businesses and with good reason. If you have a business website, there’s a good chance it will fall prey to a cyberattack of some sort. This raises the question of who will be held liable if your website is hacked and customer data is exposed.

I’ve asked Cassie Phillips, with SecureThoughts.com, to share her research insight on this important topic.

Who is Liable if Your Website is Hacked and Customer Data is Exposed?

There is no cut-and-dry answer as to who is liable if a business’ website is hacked and customer data is exposed. Judith Delaney, the founder of CMMR Group-TurnsonPoint (a digital media compliance company), stated that a business is more likely to be held liable than the customers in the event of a data breach. That being said, the situation is still a complex one without any clear solution.

It is theoretically possible for the state to prosecute your business if your website is hacked. However, if the state were to bring a criminal case against your business, the prosecutors would need to prove that you had committed a crime. To do this, they would need to have an identifiable victim who has suffered identifiable harm. This is not a simple task.

That being said, your customers can file lawsuits against your business if their data is exposed through your hacked website. This is exactly what happened to Target after a massive data breach in 2013 that exposed customers’ banking details. After the class-action lawsuits, Target agreed to pay $10 million in damages to settle.

How to Protect Your Website from Being Hacked                 

Given the complex nature of the situation, it’s best to prevent your website from being hacked in the first place. You should consider putting the following security measures in place:

  • Turn on your system logs
  • Encrypt all customer data
  • Install anti-virus software on all your business devices
  • Use a Virtual Private Network (Secure Thoughts has recommendations)
  • Use a firewall
  • Back up your website content regularly
  • Use two-factor authentication
  • Invest in cyber insurance (this won’t prevent your website from being attacked, but it will help your business recover financially if it does get hacked)

What to Do If Your Website Is Hacked

If your website does get hacked, you need to follow the proper procedure to prevent further security breaches and mitigate your liability. It is important to hire a legal representative as soon as possible because they will advise you on the best course of action. Try to understand the type of breach by reviewing your system logs to see what, if any, data has been compromised. You need to know what you’re dealing with to fix it. Avoid releasing information about a breach before you know what type of breach it is and if any of your customers were possibly affected. This will only cause your customers to panic. Ensure that you fix your system as fast as possible and check it for other weaknesses.

It is essential that you notify all the appropriate financial and legal organizations of the breach as soon as possible. Certain business sectors have stringent protocols regarding the reporting of security breaches. The situation will only worsen if you are found to be covering up information. As soon as it is appropriate, inform your users of the breach. This is required by law in some states, and federal law may also require it in certain cases. Finally, contact your insurance company to determine if you are covered for any of the expenses relating to the breach.


With the speed at which technology improves and the increasing number of businesses working online, cyberattacks are likely to become a greater problem over time. Not only will the number of cyberattacks increase, but the sophistication of the techniques used will also improve. Despite the lack of clarity regarding your business’s liability if its website is hacked, you can protect your business and customers if you follow the correct procedures.

Has your business website been hacked? If so, how did you deal with the situation? Please tell us in the comments section.