The laws, technology and science regarding your business’s exposure to cyber liability are evolving rapidly. Privacy breach laws passed in other states may apply to your company if you’re a downstream service provider, or your business could fall under federal requirements for protecting personally identifiable information. And with stricter rules in place for consumer privacy, a breach could cost you and your company far more than damage to your reputation, says James Misselwitz, CPCU, vice president for ECBM.
“The average cost to notify a record holder of a breach is now $350,” says Misselwitz. “Part of the restoration costs can require continued monitoring and biennial privacy audits for as long as 20 years, in some cases.”
In the health care and financial services industries, the average breach costs more than $2.4 million, according to Net Diligence.
Smart Business spoke with Misselwitz about what steps employers can take to decrease exposure to cyber liability.
What is cyber liability?
Cyber liability exists because companies collect, store and share information about consumers. The Federal Trade Commission has been charged with safeguarding privacy for consumers. As a result, there is an emerging group of federal regulations in the form of laws such as the Gramm-Leach-Bliley Act, HITECH Act and Health Insurance Portability and Accountability Act, along with guidance from the Securities and Exchange Commission for publicly traded companies that force disclosure on their 10Q reports.
In addition, most states now have passed their own version of privacy breach laws; only Alabama, Kentucky, New Mexico and South Dakota do not have laws on the books. Of these, the biggest game changer came from Massachusetts, which requires all downstream service providers to comply with its law and have a signed contract addendum certifying that they meet the requirements for all customers.
What cyber liability exposure do employers often fail to consider?
It’s obvious the financial, health care and retail segments face exposure. But when you take a closer look at cyber liability regulations, they easily encompass law offices, accountants, nonprofits and any Internet storage provider. Think about the following when trying to determine your cyber liability exposure.
- Do you collect in your files the name, address, date of birth and Social Security number of your customers?
- Do you have more than 500 customers with this information on file?
If so, you need to urgently consider cyber protection.
What are the particular dangers for mid-sized businesses?
Mid-sized business owners need to take steps now to create self-awareness of their data. What data do you store? How many files do you have and what information is contained in those? Where and how is it stored? Do those files have backups and who has access to the data? What controls are in place? Is the data kept on portable devices? As employers go through these questions, they start to get an understanding of what data they have and whether they could be subject to a significant breach.
Employers may believe that if they don’t do business over the Internet, there’s nothing to worry about. However, cyber liability laws cover data, not the way that data is obtained.
How can employers safeguard their businesses and prioritize the protection they put in place?
You need an assessment process to recognize potential breaches. You also can seek expert help in establishing formal policies and procedures while ensuring that portable devices are not loaded with information that would trigger a breach if lost or stolen.
However, the first basic step should be encrypting the data. Encryption is cheap, readily available and usually easy to install. It also provides a great defense.
When prioritizing protection, use a knowledgeable broker and a detailed analysis of risk to review which insurance coverage is available and at what price as an integral part of your cyber liability business strategy. At that point, you’ll need to put in place testing, an audit and a timetable to re-evaluate your exposure. The laws, the technology and the science are changing too rapidly to just buy an insurance policy and leave it alone.
What risk drivers cause business owners to obtain cyber liability coverage?
Usually it takes an event, such as a missing laptop or a disgruntled employee, to get the owner to focus on what just happened and what could have just happened. At that point, they start to think about risks and how to transfer them to an underwriter. More importantly, they start to consider the steps they need to take to ensure that if this event happens again, they have eliminated or significantly reduced risk.
Cyber liability insurance is at approximately 15 percent of the market and growing. Larger health care providers, credit card companies, social network providers and banks have been the first big purchasers of the coverage.
What do employers need to know about their cyber liability coverage?
You need to understand the amount of limits; how much coverage is in first-party and third-party benefits; whether the legal expense is inside or outside the limits, and does that portion of the policy have limits; and whether your lawyers, accountants and crisis management teams are acceptable to the underwriter. If you are dealing with a knowledgeable broker, these will be part of the due diligence and product design.
Although some 16 million confidential records were exposed through more than 662 security breaches in 2010, according to the Identity Theft Resource Center, if you consider your liabilities carefully you could minimize your risk of joining that number.
James Misselwitz, CPCU, is a vice president for ECBM. Reach him at (888) 313-3226, ext. 1278, or email@example.com.
Insights Risk Management is brought to you by ECBM Insurance Brokers and Consultants
When Nokia implemented a mobile marketing campaign to customers in Australia, it did not take into account its users’ privacy from a legal or brand standpoint. The company’s tips for getting the most out of a phone qualified as spam-texting, and instead of boosting business, Nokia was fined $58,000 earlier this year and has suffered reduced sales in the region.
“There are laws going into place now more and more around what you can do in mobile marketing,” says J. Robert Kamal, president, CEO and founder of Kohorts IT, a mobile marketing services company headquartered in Brighton, Mich. “And the biggest common pitfall we’ve seen is companies trying to do this on their own without any experience at all.”
Businesses are increasingly looking to mobile marketing campaigns as mobile usage continues to rise. In fact, mobile Internet access will surpass traditional PC access by 2013, according to Gartner Research.
But in order to take advantage of this new era of marketing, it is increasingly important for businesses to focus on compliance with privacy standards – those set by governments and by customer expectations.
Account for privacy laws
One of the most common mistakes companies make is to create national or even global mobile marketing campaigns based on the assumptions of their local laws, Kamal says. Identify the privacy laws for all regions your campaign will penetrate.
Privacy laws, including the proposed US Mobile Privacy Act, commonly focus on: what data you will be collecting via mobile devices, who will have access to it and what it will be used for.
“If you collect data on a marketing campaign that you did legitimately for one purpose with a customer, and then you took the data from that customer and sold it to another company, that’s a problem,” Kamal says.
In addition to maintaining users’ privacy, you need to respect it in your marketing techniques.
“Engaging in spamming on mobile devices, thinking that because they’re your current customer, it’s not really spamming, is not necessarily the case,” Kamal says. “Those laws differ from country to country.”
Know your brand
In addition to legal issues, spamming can damage your brand image. Think about how you want to portray your business to customers.
“Is your brand a high-quality, sort of expensive brand? If it is, a spam marketing campaign or a campaign that does not respect privacy might actually damage that brand image that you spent so much time building,” Kamal says. “Look at spammers as a sign of a lowbrow marketing campaign.”
Take time to “purpose build” your campaign, as opposed to developing and implementing a mobile marketing program as quickly as possible. Consider a mobile services company to help you do so if you’re new to the process.
“Put a little thought into who your target audience is, what would be effective to actually run the campaign and (what your) intended results are,” Kamal says. “That reduces the risks and a lot of heartache with the client.”
Target your approach
Considering those factors allows you to target your approach in order to market to people with a high redemption rate. Using demand-draw or opt-in methods attracts a relevant audience, as opposed to forcing marketing on random prospects.
“You can probably find a list somewhere that might have some relevance to what you’re marketing, but in the end, you’re going to have a high failure rate with just sort of a spam marketing program,” Kamal says.
Users who find the information irrelevant can easily block future messages from your company, as well as all automated messages.
“It’s hard for users to disseminate the difference between a fraud message and a legitimate marketing message unless you are taking into account the user’s privacy,” Kamal says. “Marketing that shows up on someone’s mobile device that they weren’t expecting doesn’t have a high return.”
Utilize social media
Mobile marketing and social media are inherently tied, as mobile devices are now driving most social media, Kamal says. By combining social media and mobile techniques in your marketing campaign, you can more successfully foster demand-draw.
“Set up a contest on social media that maybe draws demand and gets your message across,” Kamal says. “Then people actually ask for your offering. … Those campaigns tend to have a much, much higher redemption rate than campaigns where you just spam users.”
Social media also gives you access to a wealth of information on people’s wants and needs, which you can use to identify prospects.
“You can send back a response to their (post about selling a car) on social media saying, ‘Hey, we have this offer. We’ll buy your car at Blue Book price … as part of a promotion,’” Kamal says. “Then you can embed in the message back – let’s say it’s Twitter – ‘Just text this message to get your coupon code and show up at the dealer and you’ll get your reward.’
“Customers look at … those kinds of marketing campaigns as actually useful. Because at the end of the day, if you were going to buy a car anyway or trade in a car anyway, if you could get $500 off just for going to one dealer versus the next, you wouldn’t see that as an inconvenience. Nor is it an invasion of your privacy.”
How to reach: KoHorts IT, 810-355-1400 or http://kohorts-it.com