Protecting your data Featured

7:00pm EDT January 26, 2010

Not long ago, cyber liability insurance was unheard of, but today, it has become critical to any company dealing with personal data that could be used to commit identity theft.

Jonathan Theders, president of Clark Theders Insurance Agency Inc., says that the word ‘cyber’ doesn’t necessarily have to mean computer-related, as the insurance has evolved to include data privacy and network security risk.

“Cyber risk or breach of data can be loosely thought of as anything that can create a vulnerability to the theft of information that jeopardizes a company’s mission, fulfills its clients’ needs or maintains some measure of trust,” Theders says.

Smart Business spoke with Theders about how companies can use cyber liability insurance to protect their customers’ data and protect themselves from lawsuits.

How has cyber liability coverage evolved?

Here’s an example: Let’s say my laptop was stolen out of my car, and it has all sorts of personal information on it. Chances are, the thief just wanted the laptop and not the personal data inside, but what was on that computer? It could be Social Security numbers or credit card information. If that data is stolen, you have a duty owed to protect that data.

The coverage has evolved from solely computer-related data to data in all forms. It could be paper versions; it could be electronic. It started out as a requirement of HIPAA, in which people were required to keep personal information confidential with a heightened level of security.

Five years ago, some people were very electronically driven, but the majority of business wasn’t. Everything was filed on paper. If I wanted to steal information, I’d have to walk out of an office with stacks of paper and files.

Now I could walk in with a thumb drive that you would never know I had and I could extract thousands of records without your knowledge. It’s made data theft a whole lot easier if that data’s not protected the proper way.

What types of threats to data are there?

When you think of cyber threats, you think of a brainiac sitting in a bedroom hacking into computer systems. That concern will always be there, but there can also be the frustrated rogue employee, the one who is thinking about leaving, who wants to gather this information to use it at their next job or who just really wants to hurt the company before leaving. Or the person may want to sell that information because it has value to somebody else.

It doesn’t always have to be this third-party hacker off in the distance; it could be one of your own employees who has legal, granted access to that data. The insurance coverage should pick up not just third-party but first-party and employee actions, as well.

How do you get coverage to protect your company’s data?

To secure insurance coverage, you have to do an assessment of your computer systems. It forces you to look at the areas in which your systems can be penetrated. That makes you a better company because you’re forced to fill in the gaps of potential penetration.

Not everybody has to have an assessment, but any business that is dealing with and holding customer information can have an exposure. In certain businesses, people feel very comfortable with the controls in place and may not need to do a physical assessment. But if the underwriters feel you could have a significant loss, they would require their insurance company to do an assessment of your systems. They use an in-depth questionnaire that tries to find holes in that particular network.

Or you can hire a third-party company, not just to assess your system but to try to hack it and break the system to try to find those potential holes before someone who wants to cause the business harm finds them.

How can data coverage protect you from litigation?

Think of the example of the laptop stolen out of a car. Part of the coverage would be a year or two of credit monitoring for the people who may be affected. Chances are that none of their records will ever have credit problems, but you have a duty to protect that credit information.

If data is stolen and it is used in a harmful way to the person — they have loans taken out in their name or credit card bills run up and it has affected their credit scores, leading to collectors hounding them — the indemnity would not only make those people whole, but it would give them expenses toward fixing their credit. Most insurance also includes a partnership with a PR firm that can help you regain the faith of your customers.

Also, forensic computer specialists can be hired to determine what was lost. If there was litigation or a class-action suit or someone was adversely affected because his or her identity was stolen and used by someone else, the coverage would pay third-party indemnity.

There can also be regulatory defense fees, so if you have broken some rule of HIPAA or some governmental body and they fine you, the coverage can potentially pick up the fines related to that.

One of the things that matured in the last few years is ransom demands. If someone stole your data and held it for ransom, you can also purchase insurance that would pay that ransom.

Jonathan Theders, CPIA, is the president of Clark Theders Insurance Agency Inc. Reach him at (513) 779-2800 or jtheders@ctia.com.