As 2011 has come to a close, it may be remembered as the “year of the hack.” Last week, we learned of an attack on Christmas Day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one high-profile attack after another. In addition to hacking and data breaches, 2011 also saw a large-scale outage from a well-known cloud services provider, disrupting businesses using the service. We have reported on similar incidents since the inception of this blog.
If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to “old fashioned” businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.
Law is not considered a particularly high tech profession, but those days are long gone. We are now completely dependent on our computers and computer networks. The vast majority of communications are by email. Court filings are either exclusively electronic in the federal courts or are gradually going that way in the state courts. Most law firms have dispensed with law libraries and now rely on computer services such as Lexis/Nexis and Westlaw.
If this is true for a somewhat stodgy profession such as the law, it is true for just about every business. Computers and the Internet have become to most of us in business what a hammer and saw are to a carpenter: Key tools that are necessary to get anything done. Even for those of us who remember doing things the old way, there is no going back. Steve Jobs and Bill Gates aimed to change the world, and they did.
Despite the importance of computer systems and IT to businesses, many businesses have not taken basic steps to secure their information, much less protect against outside attack. Tough management that asks the right questions and implements the right policies and procedures will help minimize the risk. The IT security professionals that I have spoken to stress that the vast majority of incidents they see – resulting in data loss, trade secret theft, or system failure – could be prevented by better procedures.
If your company has outsourced, for example, to a cloud services provider, it needs to know what the services provider is expected to do in the event of an outage. If the cloud provider goes down, your business may go down with it. You need to understand the risks. Hint: Most form terms and conditions from providers limit any meaningful liability.
No matter what steps are taken, however, businesses will remain at risk for data loss and hacking. The costs associated with a data breach can be staggering. If you think your insurance will protect your business, you may be in for a nasty surprise. As the New York Times recently pointed out, insurers will try to avoid coverage for data loss and data breach under most conventional policies. As the article also points out, insurers are responding to the need by making new policies available that provide coverage.
If your business has not considered these issues thoroughly, here are some steps that you might want to consider taking:
1. Do a thorough review of your IT policies and procedures. If you use a cloud provider, understand what the contract provides and what the provider will do in the event of an outage. Consider engaging counsel and an IT security expert to assist.
2. Review your existing insurance coverage and consider purchasing insurance for added protection. This is not an area that you want to trust to a small-time agent who mainly writes auto policies. There are many different products out there and they all cover different things. You need to consult with an expert in the field. If your business is at all complex, you may also want to involve coverage counsel in reviewing your company's situation.
3. If you have a breach or a data loss, you still may have coverage even if you have not purchased special insurance. Although insurers who write commercial general liability policies have tried to limit coverage for such losses, an experienced coverage lawyer may still be able to help. It depends on the type of loss, the policy, and the jurisdiction. In addition, some policies contain endorsements that may provide at least some level of coverage. Note: I am not suggesting that you simply take a chance and assume your existing coverage may be adequate. You should still review it. However, if you do have a loss, as always, do not believe your insurer's statement (or your agent's statement) that there is no coverage until you consult with an experienced coverage attorney.
We live in a world that has become dependent on computers and the Internet. Although technology changes and opens new opportunities, human nature and human fallibility do not change. Anything that is made by human beings can fail and there will always be crooks and rogues among us looking to steal and disrupt. As always, the rest of us have to adapt and be vigilant.

© 2013 BARNES & THORNBURG LLP