How to protect your business in the event of a breach of personal information

8:01pm EDT September 30, 2011
Hackers don’t play favorites. Whether your business is big or small, if you have people’s personal information, someone may be trying to get it.

And if someone succeeds, are you prepared to deal with the consequences?

“Hackers are not selective,” says Todd Winter, a partner at SeibertKeck. “It doesn’t matter if you’re a retailer, bank, manufacturer, health care company, educational institution, insurance agency or a government entity; they don’t discriminate against who they are hacking.”

Smart Business spoke with Winter about how privacy and security liability insurance can protect your company if personal information is stolen.

What kinds of companies should be concerned about the loss of personal information?

Any company that retains this information should be concerned. And it’s not just companies that do business electronically. Companies that have paper files containing personal information are subject to breaches, as well.

Small business owners often think that their risk of a security breach is small and don’t believe that they will be targeted, but it can be faster and simpler for a hacker to access personal information from a small business than it would be to crack the system of a corporate giant with several layers of security.

A July article in the Wall Street Journal cites examples of small business owners who never thought they would be targeted but were crippled by cyber attacks. In one example, a Chicago area magazine shop owner found software on his cash registers that was sending credit card information to Russia. In another case, a Kansas car dealership found that a hacker had added nine employees to its payroll through its bank account and transferred $63,000 to them.

As a result of the risks, businesses of all sizes need to financially protect themselves against a claim. Lawsuits resulting from breaches can come from vendors, employees, business associates and other third parties. And it’s not just the company that is at risk; directors and officers have a duty to make sure that systems are in place to make sure a breach doesn’t happen, and, if it does, they could be held responsible as well.

How can privacy and security liability insurance help protect a company if a breach occurs?

Privacy and security liability insurance provides coverage for the theft or loss of personal information and for the alteration, corruption, destruction, deletion or damage of data assets. It also provides protection for security-related events and gives a company a layer of protection above and beyond its IT systems and internal management control.

Not having coverage can prove costly in the event of a breach, if a laptop containing personal information is stolen, or a company’s electronic backup of paper records is hacked.

The average cost of a data breach is $210 per lost customer record; if your company stores 20,000 customer records, that could mean a possible loss of $4.2 million. Business leaders need to consider whether that is a hit that their business can afford to take.

What should a business owner look for in privacy and security liability coverage?

If you buy privacy and security coverage, make sure you have protection within your policy for regulatory defense and penalties that could be imposed as a result of a breach at your company.

Also consider including crisis management and public relations coverage. If your company experiences a breach and personal information is accessed, that can create a big hit to your reputation. Once customers are aware of the breach, they may no longer feel comfortable turning over personal information to your business. Public relations coverage can help you repair your reputation and create a campaign to let the public know that you are still a good company to have as a business partner.

Some carriers may not provide certain types of coverages, so with the help of an outside adviser, identify those that have broader protections for your business. That would include crisis management, network business interruption insurance, cyber extortion and event management, all coming together under one policy.

What is the cost of privacy and security liability insurance?

It can be expensive because the coverage is still fairly new and carriers aren’t yet sure how much risk is out there. And when they don’t know what the potential risk could be, they typically charge more until they get more experience in writing the coverage. However, the coverage is well worth the premium, as the potential costs of a breach not covered could prove catastrophic for an organization.

What is a business’s responsibility if a breach occurs?

Because breaches previously sometimes went unreported, states have enacted laws requiring that, if personal information has been breached, a business must promptly notify those who are potentially affected. That is where notification coverage comes into play, covering the cost of notifying those affected by the breach. This privacy breach response service can offer protection for as many as two million affected individuals.

What would you say to business owners who believe that they have strong IT departments and don’t need to worry about coverage?

Often businesses feel that their IT department has done an excellent job of providing protection, that because they’ve installed firewalls and done everything possible to protect the information, they are fully protected. Larger companies, especially, may feel like they don’t need the protection of an insurance policy because they have proper controls.

But no company is ever really fully protected, and if you don’t take steps to make sure you are covered, the results for your company could be catastrophic.

Todd Winter is a partner at SeibertKeck. Reach him at (330) 865-6572 or twinter@seibertkeck.com.