Why did Labcorp pay $35 million for someone else’s data breach?
Labcorp did not lose the data itself. A billing vendor called American Medical Collection Agency (AMCA) suffered a breach that exposed personal and financial information belonging to Labcorp customers. Yet Labcorp wrote the settlement check.
This is the hard lesson of vendor liability. When you share customer data with a third party (a billing company, a cloud host, a marketing platform, a payroll processor), you remain legally responsible for what happens to it. Courts and regulators do not accept “but our vendor messed up” as a defense.
For SMBs in healthcare, financial services, legal, or any sector handling sensitive data, this settlement is a warning shot. You might have 50 employees and a single outside billing partner. If that partner gets breached, your business faces the lawsuits, the notification costs, the regulatory scrutiny, and the reputational damage.
What did the $35 million settlement actually cover?
Settlement amounts break down into concrete expenses that small businesses need to understand. Labcorp’s agreement likely funded:
- Breach notification letters to millions of affected individuals (printing, postage, call center staffing)
- Credit monitoring and identity theft protection services, often required for multiple years
- Legal defense fees for class-action litigation that dragged on for years
- Plaintiff attorney fees and court costs
- Actual damages to individuals whose information was misused
- Regulatory investigation costs and potential fines (though these are often separate)
A small professional services firm or manufacturer might face similar categories on a smaller scale. A breach affecting 5,000 clients instead of 5 million still requires notification, monitoring, legal counsel, and potential damages. Budget $150 to $400 per affected record when you include all costs, and the math gets frightening fast.
Does an SMB really need to vet every vendor for data security?
Yes, and the law is clear on this point. HIPAA requires covered entities and business associates to execute Business Associate Agreements (BAAs) and ensure vendors implement appropriate safeguards. The FTC Safeguards Rule mandates financial institutions assess third-party service provider security. The Gramm-Leach-Bliley Act (GLBA), state privacy laws, and contractual obligations all impose similar duties.
Vendor risk management does not require a dedicated compliance team. It requires a process:
- Inventory every vendor that touches, stores, or transmits customer data (including names, emails, payment info, health records, or anything personally identifiable).
- Require written agreements that specify security obligations, breach notification timelines, and liability allocation.
- Ask for proof of security controls (SOC 2 reports, ISO certifications, completed questionnaires, or at minimum a written attestation).
- Review higher-risk vendors annually, especially before contract renewals.
- Document the process so you can show regulators and plaintiffs you exercised reasonable care.
This work takes hours, not months. The absence of it, however, can cost millions.
How much would a similar breach cost a 50-person business?
Scale matters, but liability does not disappear at smaller sizes. A breach affecting 2,000 customers at a mid-sized accounting firm or medical practice might generate:
- Notification and monitoring: $300,000 to $800,000
- Legal defense (even for a settlement): $100,000 to $500,000
- Regulatory fines (HIPAA penalties range from $100 to $50,000 per violation, with annual caps in the millions): $50,000 to $250,000 for a smaller entity
- Business interruption and remediation (forensics, system rebuilds, consultant fees): $150,000 to $400,000
- Lost revenue from clients who leave and prospects who choose competitors: incalculable but often the largest long-term cost
Total exposure can easily exceed $1 million, even for a small firm. Most SMBs do not have that sitting in reserves, and many general liability policies exclude cyber incidents unless you carry specific cyber insurance.
What compliance steps actually prevent these settlements?
Prevention is less expensive and more effective than response. The core controls are not exotic:
Encrypt data at rest and in transit. If a vendor’s database is breached but the data is properly encrypted with keys the attacker cannot access, notification requirements and damages shrink dramatically. Encryption is no longer optional under HIPAA, FTC Safeguards, and most state breach notification laws.
Limit data sharing to the minimum necessary. Do not send your entire customer database to a marketing vendor when they only need email addresses. Every field you share is another field you are liable for.
Implement access controls and logging. Ensure vendors (and your own employees) can only access the data they need for their job function. Audit logs let you prove who accessed what and when, which is critical in litigation and investigations.
Require multi-factor authentication (MFA) everywhere. AMCA’s breach reportedly stemmed from compromised credentials. MFA stops most credential-based attacks cold.
Test your incident response plan. Know who will handle notifications, who will communicate with customers, who will manage legal and regulatory reporting, and who will coordinate technical remediation. Fumbling these steps compounds costs and liability.
These are not theoretical best practices. They are the checklist courts and regulators use to determine whether you exercised reasonable care. Failing them turns a bad situation into a catastrophic one.
Do small businesses really get sued and fined like big corporations?
Yes. Regulatory actions and class actions target SMBs regularly. The Office for Civil Rights (OCR) publishes HIPAA enforcement actions against solo practitioners, small clinics, and regional firms. State attorneys general pursue businesses with a few dozen employees under consumer protection and data breach notification laws. Plaintiffs’ attorneys file class actions whenever the economics justify it (which they often do, since legal fees come out of the settlement).
You may fly under the radar longer than a Fortune 500 company, but a breach puts you on the map instantly. Notification letters trigger regulatory inquiries. Affected individuals trigger lawsuits. Competitors and the press amplify the story.
The advantage large companies have is not immunity. It is resources: dedicated legal teams, compliance officers, crisis PR firms, and insurance policies with high limits. SMBs need to compensate with preparation, solid vendor agreements, and appropriate cyber insurance before anything goes wrong.
What should an SMB owner do tomorrow to reduce vendor risk?
Start with an afternoon of focused work:
List every third party that handles customer or employee data. Include your accounting software vendor, your CRM provider, your payroll processor, your website host, your email marketing platform, and any consultants with system access.
Pull out the contracts and check for security and breach notification clauses. If they are missing, add them at the next renewal or via amendment. If a vendor refuses to agree to reasonable security terms, treat that as a red flag when deciding whether to keep or select that vendor.
Ask your top three vendors for evidence of their security program. A SOC 2 Type II report is ideal. A completed security questionnaire or a written attestation is better than nothing. If a vendor cannot or will not provide any assurance, evaluate whether the risk is worth the relationship.
Review your cyber insurance policy (or get one if you do not have it). Confirm it covers third-party breaches, regulatory defense, notification costs, and business interruption. Policies vary wildly; read the exclusions.
Document what you have done. A one-page vendor risk summary and a folder of agreements and attestations become your evidence of reasonable care if you ever need to show it.
This is not a one-time project. Vendor risk management is an ongoing discipline. But the initial effort takes less time than a single settlement negotiation and costs infinitely less than $35 million.
Sources
- Labcorp Agrees to $35M Settlement to Resolve AMCA Data Breach Litigation
