It seems like several times per day that I am sent a news alert of yet another data breach. The frequency with which they occur is frightening to say the least and unfortunately, many businesses are not covered for such an event.
Let’s take a look at data breaches that have occurred over the past week and what, if anything, can be done to prevent (or insure against) them.
- A report by Wake Forest Baptist Medical Center to the state attorney general’s office explained that 357 people were affected by documents from an 11-year period taken from the medical center due to a security breach, the Winston-Salem Journal is reporting. Wake Forest Baptist issued a statement early last month that it had fired an employee, Linda Bowden Turner, who had taken medical records and documents from 1995 to 2006 from the medical center to her own properties.
- If you used a credit or debit card at Margarita’s restaurant over the past three months, a virus might have culled your information before it could be encrypted and then sold to underground markets, Huntsville police said. At least 200 people over the past two weeks have reported incidents of stolen bank account information, and authorities said they suspect there are many more cases that have not been reported and many potential victims whose numbers have not yet been used by thieves.
- Nearly 700 Toshiba customers’ emails and passwords have been stolen from the company’s U.S. servers, the latest company to be hit by hackers, although it doesn’t appear to be the work of the same groups that have infiltrated Arizona law enforcement, Orlando tourism or PBS. TechEYE.net reported that the hacker VOiD targeted Toshiba and claimed “to gain usernames and passwords on 450 of the company’s customers” as well as about 20 re-sellers and 12 administrators on the company’s Electronic Components and Semiconductors and Consumer Products sites.
- Lady Gaga has called in police after thousands of her fans’ personal details were stolen from her website. Her record label acted after the site was hacked into by US cyber attackers SwagSec. A source said: “She’s upset and hopes police get to the bottom of how this was allowed to happen.” The group struck on June 27 but did not make the information, which included names and email addresses, public until this week.
- Anonymous, a group of “hacktivist” computer-savvy attackers, has already speared a number of big fish: credit-card companies, the church of Scientology, and Monsanto, a biotechnology firm. And the hackers have flaunted their skills by successfully attacking computer-security expert firms, like HBGary. Its latest victim is Booz Allen Hamilton, a big consulting firm to America’s government, including on cybersecurity, with bigwigs like a former CIA head and a former director of national intelligence on its payroll.
So how do companies work to prevent or mitigate the effects or data breaches? One option is cyber liability insurance. Major insurers like Chartis, ACE and Hiscox have been in the cyber liability insurance game for several years now and smaller insurers are entering the market at a rapid pace. But what types of coverage does a cyber liability policy include? According to Dave Navetta, partner at InfoLawGroup and contributor to Fox News, the following may be included:
- Breach Notice Costs. Coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring services. These costs involve a multiplier effect. For example, credit monitoring can cost anywhere from $10 to $200 per year, per person impacted by a breach. If one million individuals are at issue, costs could run in the millions of dollars. These costs also include attorney fees and forensic investigation expenses to determine the cause of a breach and whether notice is required under law.
- Damages and Defense Costs. Provides coverage for information security and privacy breaches and technology professional liability. This element of the insurance plan is specifically designed to provide coverage for damages and defense costs arising out of lawsuits or claims resulting from a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Some cyber policies will also protect your business against the cost of regulatory investigations or actions due to a security or privacy breach.
- Service Provider Breach.With more companies outsourcing their data processing to third parties or the “cloud,” it is important that a cyber policy provides coverage if the security breach happens to one of the insured’s service providers. That will protect your company against many types of expenses. However, these policies are unlikely to provide any coverage for the personnel hours expended internally to address the breach.
- Crisis Management, Business Interruption and Data Restoration. This insurance can also help cover the costs for getting the network back up and running and restoring lost data. Public relations services may also be included to help restore the company’s reputation.
- Denial-of-Service Attack. If your company or a service provider, such as a web host, is shut down by a denial-of-service attack or other type of hack, some insurance policies will cover lost income and the costs of repairing the network.
- Cyber Extortion. In a case where a hacker decides to hijack your website, network or database, and demands money to restore it, a cyber extortion clause in an insurance policy can help to cover the settlement and the cost of hiring a security firm to track down the hacker.
Does your company have cyber liability insurance coverage?Risk Management Magazine and Risk Management Monitor. Copyright 2013 Risk and Insurance Management Society, Inc. All rights reserved.