BreachExchange mailing list archives

Data Breaches, Privacy and Cyber-Insurance - "What You Need To Know To Protect Your Business"


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 28 Dec 2013 22:03:05 -0700

http://www.virtual-strategy.com/2013/12/28/data-breaches-privacy-and-cyber-insurance-what-you-need-know-protect-your-business-report

In light of the recent front page issues involving data breaches and data
leakage – Edward Snowden, the NSA and the PRISM Program from the
governmental side and Facebook's year-long data breach which exposed the
information of over 6 million users on the private side – it seems like an
appropriate time to once again emphasize that it is crucial for all
companies to proactively address cyber data security and privacy issues:
the question is not if these issues are going to affect business but when
and to what extent.

In recent months, there have been countless examples of large data
breaches, both in the government sector and in the private sector. Because
of the high profile nature of these breaches and the possible criminal
implications associated therewith, many smaller business owners seem to
think “Oh well, that will never happen to me.” This attitude is a mistake.
These issues are not limited to Fortune 500 companies. Cyber risk is an issue
for small businesses. In fact, studies have shown that hackers specifically
target smaller businesses because they have fewer resources to defend
against cyber-attacks.

All businesses retain information which, if breached or inadvertently
disclosed, could cause significant damage to that company, both in terms of
pure financial implication and loss of goodwill in the marketplace.
Companies of all sizes retain records in both paper and electronic form
which often contain sensitive personal information that would allow someone
to trace an individual’s identity, such as their Social Security number,
date and place of birth, maiden name, etc. This information is broadly
referred to as Personally Identifiable Information (“PII”) and is given
significant protection under the law. Beyond this broad category, there are
a variety of other subsets within PII which are often subject to specific,
more stringent rules related to protection and disclosure throughout the
business and legal spectrums. For example, Protected Health Information
(“PHI”) – any information about health status, provision of health care, or
payment for health care that can be linked to a specific individual – is
vigorously protected under both state and federal law.

The purpose of this article is not to scare businesses, but instead to inform
them before an incident that they too may be at risk with respect to
these issues, and that there are options available regarding data breach
prevention and remediation. As with anything else, the proper way to manage
a large volume of information is through proper proactive (as opposed to
reactive) controls. These controls include consultation with appropriate
advisors including lawyers with expertise handling privacy, e-commerce, FTC
regulatory complaints, litigation and intellectual property related issues
as well as insurance brokers who can assist with an evaluation of whether
or not a company should purchase insurance policies to cover the fallout
from data breaches, cyber-liability or other related issues.

Data breaches are caused by a variety of sources including
cyber-crime/hacking, system error and, shockingly enough, human error.
There are countless recent examples related to an employee losing a
computer or leaving a thumb drive with customer information lying around
for public consumption. If a company has employees, it is imperative to
recognize that many significant breaches come from uneducated employees who
are the primary target of various schemes and malware contained on the
Internet and otherwise. Even more troubling, although many companies have
privacy policies and guidelines in place (and if they do not, putting them in
place should be priority number one in response to this article), incident
response also becomes an issue: employees inadvertently cause breaches and
there are insufficient protections or protocols in place to address these incidents.

The fallout from these breaches can be many tiered and cause substantial
damage from both a financial and good will perspective. First, if the
information is trade secrets or sensitive business information, it could
have a competitive impact on the business. Additionally, if PII is
compromised, a company may have to put in place credit monitoring
services and other avenues for each record breach to help mitigate the
damage caused by any disclosure of PII as well as restore customer
confidence in the business. It is often prudent to understand how data
breach insurance can help healthcare organizations mitigate HIPAA fines
prior to an incident. Moreover, with respect to cybercrime, a Distributed
Denial of Service (“DDoS”) attack can take down a company website
and affect the ability to run a business effectively on a going forward
basis -- especially if the e-commerce platform is the lifeblood of the
operation. In order to give a rough estimate of data breach costs, in the
“2013 Cost of Data Breach: Global Analysis”, the Ponemon Institute stated
that the average cost of a data breach is $136 per record globally and $188
per record in the U.S.

As briefly intimated above, the best way to deal with data protection is on
a proactive basis. Before an incident happens, a company should consult
with a tailored team of advisors, including data privacy attorneys like
OlenderFeldman LLP, to help develop reasonable data security policies and
procedures which include the monitoring and auditing of the policies on the
front end as well as the encryption of PII. After these consultations,
companies should take great care to educate and train employees about the
policies so as to make them aware of the issues before they arise.

Of course, however comprehensive a company's protection may be on the front
end, breaches can still occur. Post breach, there are two factors that will
help a company address issues most quickly and efficiently. First, because
a company was proactive and hired consultants to address these matters at
the outset, the security plan should help carry it through the difficult
times. To ensure effectiveness, this program should be regularly monitored
and tested within an organization and each company should designate
employee contacts within the organization to implement and effectuate the
security program.

Second, there are a burgeoning number of insurance products designed to
protect companies in the event of a breach and, for that matter, generally
protect the public face of companies as the inevitable cyber expansion
continues. There are a variety of coverages available which include
coverage for loss of assets, business interruption, cybercrime/terrorism, D
& O and privacy liability insurance and social media coverage, among
others. As each business is different, it is crucial for each company to
consult the right advisor such as Cyber Data Risk Managers LLC in order to
be properly informed about this vital piece of protection in the event of a
data breach.

Data breaches are here to stay, and as each company’s cyber presence
increases, it is crucial to plan proactively to address them rather than
deal with them reactively after the fact, which could significantly harm
a company's business. The involvement of trusted counselors like
OlenderFeldman LLP and Cyber Data Risk Managers LLC is crucial to the proper
protection and ultimate success of businesses in the event of an
unfortunate data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
