Cyber Liability: The Risks of Doing Business in a Digital World
Major security and data breaches have become more prevalent in the past decade. News headlines are dominated by stories of major corporations having networks hacked and subjecting employees' and customers' personal, financial and health information to cyber threats. Perhaps one of the following from 2014 will sound familiar:
January: Snapchat had the names and phone numbers of 4.5 million users compromised
February: Kickstarter had personal information from 5.6 million donors compromised
May: Ebay's database of 145 million customers was compromised.
September: iCloud had celebrity photostreams hacked
November: Sony Pictures had the highest profile hack of the year involving email accounts, video games and movie releases
While the news headlines make it is easy to think this is an issue for large, Fortune 500 companies, the risk is equally widespread, but much less publicized, for small businesses.
While the data breaches at small businesses do not garner the same attention as the data breaches occurring at Sony or iCloud, the impact to the organization and the liability the organization incurs are largely the same.
Although there are many studies available giving analytics on the types of data breaches that occur, those most common to small businesses can be described in three general categories: unintentional/miscellaneous errors, insider misuse and theft/loss.
Unintentional and miscellaneous errors are any mistake that compromises security by posting private data to a public site accidentally, sending information to the wrong recipients or failing to dispose of documents or assets securely. For example, have any of your employees ever accidentally sent an order (with account information) to the wrong email address?
Insider misuse is not a situation where an accidental error occurs. Rather, an employee or someone with access to the information intentionally accesses the data to use it for an unlawful purpose. For example, a disgruntled clerk in the billing department accesses customer information to obtain name, date of birth and bank account information in order to fraudulently establish a credit card in that customer's name. Consider another scenario where a third party vendor, a benefits provider, for example, handles employee information. Once transmitted, the employer loses control over information security for that data. Savvy business owners will make sure their contracts with vendors make the vendor responsible for any data breach that occurs during the engagement and that it will indemnify the business for any actions arising from such a breach.
Data breaches also result from physical theft or loss of laptops, tablets, smart phones, USB drives or even printed documents. Consider a scenario where the Human Resource director is heading to a conference and her laptop is stolen at the airport. The laptop is not encrypted or pass coded and the thief can access all the employee files the director keeps on her computer.
In the past decade, laws have been aimed at narrowing the information that can initially be collected by businesses and with whom it can be shared, as well as mitigating the breach after it occurs.
Federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) limit the collection and use of protected health information, and also has requirements for entities suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.
The Personal Information Protect Act requires government agencies, corporations, universities, retail stores or other entities that handle nonpublic personal information to notify each Illinois resident who may be affected by a breach of data security. 815 ILCS 530/1 et seq. Personal information is defined as: an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
Social security number.
Driver's license number or State identification card number.
Account number or credit card or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The required notice to Illinois residents must include contact information for credit reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from those sources about fraud alerts and security freezes. 815 ILCS 530/10(a). If the data breached is data that the entity owns or licenses, the notice must be made without unreasonable delay. Id. If the data breached is data that the entity does not own or license, notice must be made immediately. 815 ILCS 530/10(b).
Failure to notify affected consumers is a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. 815 ILCS 530/20.
Technology is everywhere. Smart phones, tablets, laptops, the internet, online bill payments and the like have changed the way businesses operate. There is no denying that technology allows for efficient and effective commerce and communication. Unfortunately, the same technology that allows for faster and more efficient commerce and communication also subjects businesses to new forms of risk when it comes to data security.
There are risk management tools that all businesses should be aware of and using on a daily basis. Anti-virus software, passwords on all devices, frequent back up of data, encryption for sensitive information transmitted electronically are just a few.
What if a business owner takes all the steps necessary to reduce the risk of a data breach and it still occurs? There is a way to reduce damages and to shorten the recovery and restoration timeframes.
Cyber Liability insurance can protect businesses, large and small, from data breaches that result from malicious hacking or other non-malicious digital risks. This specific line of insurance was designed to insure consumers of technology services or products for liability and property losses that may result when a business engages in various electronic activities, such as selling on the internet or collecting data within its internal electronic network.
Most notably, cyber and privacy policies cover a business' liability for data breaches in which the customer's personal information (such as social security or credit card numbers) is exposed or stolen by a hacker.
As you might imagine, the cost of a data breach can be enormous. Costs arising from a data breach can include: forensic investigation, legal advice, costs associated with the mandatory notification of third parties, credit monitoring, public relations, losses to third parties, and the fines and penalties resulting from identity theft.
While most businesses are familiar with their commercial insurance policies providing general liability (CGL) coverage to protect the business from injury or property damage, most standard commercial line polices do not cover many of the cyber risks mentioned above. Furthermore, cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. However, tech E&O coverage is intended to protect providers of technology products and services such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Cyber risks are more costly. The size and scope of the services a business provides will play a role in coverage needs and pricing, as will the number of customers, the presence on the internet, and the type of data collected and stored. Cyber Liability polices might include one or more of the following types of coverage:
Liability for security or privacy breaches (including the loss of confidential information by allowing or failing to prevent unauthorized access to computer systems).
The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected customers.
Costs of data loss or destruction (such as restoring, updating or replacing business assets stored electronically).
Business interruption and extra expense related to a security or privacy breach.
Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
Expenses related to cyber extortion or cyber terrorism.
Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.
While cyber liability insurance may not be right for all businesses, those that actively use technology to operate should consider the risks they would be exposed to if a data breach occurred. In addition, there are many different cyber policy exclusions and endorsements. Not all policies are created equal.