The laws, technology and science regarding your business’s exposure to cyber liability are evolving rapidly. Privacy breach laws passed in other states may apply to your company if you’re a downstream service provider, or your business could fall under federal requirements for protecting personally identifiable information. And with stricter rules in place for consumer privacy, a breach could cost you and your company far more than damage to your reputation, says James Misselwitz, CPCU, vice president for ECBM.
“The average cost to notify a record holder of a breach is now $350,” says Misselwitz. “Part of the restoration costs can require continued monitoring and biennial privacy audits for as long as 20 years, in some cases.”
In the health care and financial services industries, the average breach costs more than $2.4 million, according to Net Diligence.
Smart Business spoke with Misselwitz about what steps employers can take to decrease exposure to cyber liability.
What is cyber liability?
Cyber liability exists because companies collect, store and share information about consumers. The Federal Trade Commission has been charged with safeguarding privacy for consumers. As a result, there is an emerging group of federal regulations in the form of laws such as the Gramm-Leach-Bliley Act, HITECH Act and Health Insurance Portability and Accountability Act, along with guidance from the Securities and Exchange Commission for publicly traded companies that forces disclosure on their 10-Q reports.
In addition, most states now have passed their own version of privacy breach laws; only Alabama, Kentucky, New Mexico and South Dakota do not have laws on the books. Of these, the biggest game changer came from Massachusetts, which requires all downstream service providers to comply with its law and have a signed contract addendum certifying that they meet the requirements for all customers.
What cyber liability exposure do employers often fail to consider?
It’s obvious the financial, health care and retail segments face exposure. But when you take a closer look at cyber liability regulations, they easily encompass law offices, accountants, nonprofits and any Internet storage provider. Think about the following when trying to determine your cyber liability exposure.
- Do you collect in your files the name, address, date of birth and Social Security number of your customers?
- Do you have more than 500 customers with this information on file?
If so, you need to urgently consider cyber protection.
What are the particular dangers for mid-sized businesses?
Mid-sized business owners need to take steps now to create self-awareness of their data. What data do you store? How many files do you have and what information is contained in those? Where and how is it stored? Do those files have backups and who has access to the data? What controls are in place? Is the data kept on portable devices? As employers go through these questions, they start to get an understanding of what data they have and whether they could be subject to a significant breach.
Employers may believe that if they don’t do business over the Internet, there’s nothing to worry about. However, cyber liability laws cover data, not the way that data is obtained.
How can employers safeguard their businesses and prioritize the protection they put in place?
You need an assessment process to recognize potential breaches. You also can seek expert help in establishing formal policies and procedures while ensuring that portable devices are not loaded with information that would trigger a breach if lost or stolen.
However, the first basic step should be encrypting the data. Encryption is cheap, readily available and usually easy to install. It also provides a great defense.
When prioritizing protection, use a knowledgeable broker and a detailed analysis of risk to review which insurance coverage is available and at what price as an integral part of your cyber liability business strategy. At that point, you’ll need to put in place testing, an audit and a timetable to re-evaluate your exposure. The laws, the technology and the science are changing too rapidly to just buy an insurance policy and leave it alone.
What risk drivers cause business owners to obtain cyber liability coverage?
Usually it takes an event, such as a missing laptop or a disgruntled employee, to get the owner to focus on what just happened and what could have just happened. At that point, they start to think about risks and how to transfer them to an underwriter. More important, they start to consider the steps they need to take to ensure that if this event happens again, they have eliminated or significantly reduced risk.
Cyber liability insurance is at approximately 15 percent of the market and growing. Larger health care providers, credit card companies, social network providers and banks have been the first big purchasers of the coverage.
What do employers need to know about their cyber liability coverage?
You need to understand the amount of limits; how much coverage is in first-party and third-party benefits; whether the legal expense is inside or outside the limits, and does that portion of the policy have limits; and whether your lawyers, accountants and crisis management teams are acceptable to the underwriter. If you are dealing with a knowledgeable broker, these will be part of the due diligence and product design.
Although some 16 million confidential records were exposed through more than 662 security breaches in 2010, according to the Identity Theft Resource Center, if you consider your liabilities carefully you could minimize your risk of joining that number.
James Misselwitz, CPCU, is a vice president for ECBM. Reach him at (888) 313-3226, ext. 1278, or [email protected]
Insights Risk Management is brought to you by ECBM Insurance Brokers and Consultants