BreachExchange mailing list archives

Cyber Liability: The Risks of Doing Business in a Digital World


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Oct 2015 13:24:07 -0600

http://www.natlawreview.com/article/cyber-liability-risks-doing-business-digital-world

Major security and data breaches have become more prevalent in the past
decade. News headlines are dominated by stories of major corporations
having networks hacked and subjecting employees' and customers' personal,
financial and health information to cyber threats. Perhaps one of the
following from 2014 will sound familiar:

- January: Snapchat had the names and phone numbers of 4.5 million users
compromised

- February: Kickstarter had personal information from 5.6 million donors
compromised

- May: eBay's database of 145 million customers was compromised.

- September: iCloud had celebrity photostreams hacked

- November: Sony Pictures had the highest profile hack of the year
involving email accounts, video games and movie releases

While the news headlines make it easy to think this is an issue only for
large, Fortune 500 companies, the risk is equally widespread, but much less
publicized, for small businesses.

While the data breaches at small businesses do not garner the same
attention as the data breaches occurring at Sony or iCloud, the impact to
the organization and the liability the organization incurs are largely the
same.

Although there are many studies available giving analytics on the types of
data breaches that occur, those most common to small businesses can be
described in three general categories: unintentional/miscellaneous errors,
insider misuse and theft/loss.

Unintentional and miscellaneous errors cover any mistake that compromises
security, such as accidentally posting private data to a public site, sending
information to the wrong recipients or failing to dispose of documents or
assets securely. For example, have any of your employees ever accidentally
sent an order (with account information) to the wrong email address?

Insider misuse is not a situation where an accidental error occurs. Rather,
an employee or someone with access to the information intentionally
accesses the data to use it for an unlawful purpose. For example, a
disgruntled clerk in the billing department accesses customer information
to obtain name, date of birth and bank account information in order to
fraudulently establish a credit card in that customer's name. Consider
another scenario where a third-party vendor, a benefits provider, for
example, handles employee information. Once transmitted, the employer loses
control over information security for that data. Savvy business owners will
make sure their contracts with vendors make the vendor responsible for any
data breach that occurs during the engagement and that it will indemnify
the business for any actions arising from such a breach.

Data breaches also result from physical theft or loss of laptops, tablets,
smart phones, USB drives or even printed documents. Consider a scenario
where the Human Resources director is heading to a conference and her laptop
is stolen at the airport. The laptop is neither encrypted nor passcode
protected, and the thief can access all the employee files the director
keeps on her computer.

In the past decade, laws have been aimed at narrowing the information that
can initially be collected by businesses and with whom it can be shared, as
well as mitigating the breach after it occurs.

Federal regulations like the Health Insurance Portability and
Accountability Act (HIPAA) limit the collection and use of protected health
information, and also impose requirements on entities suffering a data
breach, including customer notification and damage mitigation provisions,
such as mandatory credit monitoring and fraud protection for affected
customers.

The Personal Information Protection Act requires government agencies,
corporations, universities, retail stores or other entities that handle
nonpublic personal information to notify each Illinois resident who may be
affected by a breach of data security. 815 ILCS 530/1 et seq. Personal
information is defined as: an individual's first name or first initial and
last name in combination with any one or more of the following data
elements, when either the name or the data elements are not encrypted or
redacted:

- Social security number.

- Driver's license number or State identification card number.

- Account number or credit card or debit card number, or an account number
or credit card number in combination with any required security code,
access code, or password that would permit access to an individual's
financial account.

The required notice to Illinois residents must include contact information
for credit reporting agencies and the Federal Trade Commission, along with
a statement that the individual can obtain information from those sources
about fraud alerts and security freezes. 815 ILCS 530/10(a). If the data
breached is data that the entity owns or licenses, the notice must be made
without unreasonable delay. Id. If the data breached is data that the
entity does not own or license, notice must be made immediately. 815 ILCS
530/10(b).

Failure to notify affected consumers is a violation of the Illinois
Consumer Fraud and Deceptive Business Practices Act. 815 ILCS 530/20.

Technology is everywhere. Smart phones, tablets, laptops, the internet,
online bill payments and the like have changed the way businesses operate.
There is no denying that technology allows for efficient and effective
commerce and communication. Unfortunately, the same technology that allows
for faster and more efficient commerce and communication also subjects
businesses to new forms of risk when it comes to data security.

There are risk management tools that all businesses should be aware of and
using on a daily basis. Anti-virus software, passwords on all devices,
frequent backups of data, and encryption for sensitive information
transmitted electronically are just a few.

What if a business owner takes all the steps necessary to reduce the risk
of a data breach and it still occurs? There is a way to reduce damages and
to shorten the recovery and restoration timeframes.

Cyber Liability insurance can protect businesses, large and small, from
data breaches that result from malicious hacking or other non-malicious
digital risks. This specific line of insurance was designed to insure
consumers of technology services or products for liability and property
losses that may result when a business engages in various electronic
activities, such as selling on the internet or collecting data within its
internal electronic network.

Most notably, cyber and privacy policies cover a business' liability for
data breaches in which the customer's personal information (such as social
security or credit card numbers) is exposed or stolen by a hacker.

As you might imagine, the cost of a data breach can be enormous. Costs
arising from a data breach can include: forensic investigation, legal
advice, costs associated with the mandatory notification of third parties,
credit monitoring, public relations, losses to third parties, and the fines
and penalties resulting from identity theft.

While most businesses are familiar with their commercial insurance policies
providing commercial general liability (CGL) coverage to protect the business
from injury or property damage, most standard commercial line policies do not
cover many of the cyber risks mentioned above. Furthermore, cyber and
privacy insurance is often confused with technology errors and omissions
(tech E&O) insurance. However, tech E&O coverage is intended to protect
providers of technology products and services such as computer software and
hardware manufacturers, website designers, and firms that store corporate
data on an off-site basis. Cyber risks are more costly. The size and scope
of the services a business provides will play a role in coverage needs and
pricing, as will the number of customers, its presence on the internet, and
the type of data collected and stored. Cyber Liability policies might
include one or more of the following types of coverage:

- Liability for security or privacy breaches (including the loss of
confidential information by allowing or failing to prevent unauthorized
access to computer systems).

- The costs associated with a privacy breach, such as consumer
notification, customer support and costs of providing credit monitoring
services to affected customers.

- Costs of data loss or destruction (such as restoring, updating or
replacing business assets stored electronically).

- Business interruption and extra expense related to a security or privacy
breach.

- Liability associated with libel, slander, copyright infringement, product
disparagement or reputational damage to others when the allegations involve
a business website, social media or print media.

- Expenses related to cyber extortion or cyber terrorism.

- Coverage for expenses related to regulatory compliance for billing
errors, physician self-referral proceedings and Emergency Medical Treatment
and Active Labor Act proceedings.

While cyber liability insurance may not be right for all businesses, those
that actively use technology to operate should consider the risks they
would be exposed to if a data breach occurred. In addition, there are many
different cyber policy exclusions and endorsements. Not all policies are
created equal.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!