Who would have thought anybody would take the time to hack dating site Ashley Madison? But hackers, who have too much time on their hands, can make anyone a target — and release a firestorm in the process.
“If your organization stores personally identifying information, you can’t ignore this exposure,” says Karl Henley, vice president at SeibertKeck Insurance Agency.
Even if you don’t keep customer information or fall under the Health Insurance Portability and Accountability Act, you still have electronic employee files.
“The big one people overlook is their own employees because they always have their personal information,” Henley says. “You have their Social Security number and their bank account numbers for direct deposit.”
In addition, Internet privacy and security coverage, which is becoming broader, goes beyond protecting yourself from someone hacking your website. If companies make the right moves upfront, they can cover lost or stolen portable devices — and protect information from falling into the wrong hands.
Smart Business spoke with Henley about your privacy and security exposures and how to eliminate or minimize them.
What do employers need to know about Internet privacy and security risk?
This needs to be a discussion, in order to determine what your exposures are. Everyone can be a target, including manufacturers who send and receive plans and specs that are protected as proprietary.
Once you understand your exposure, you need to figure out if you can eliminate it. If not, then can it be transferred to another party, such as a payroll company? If you’re transferring the risk, don’t forget that the third party needs to indemnify you in the agreement for a breach that is caused by them.
If you can’t make a third party responsible, then you need to insure for it. But take time to understand what you’re actually buying, beyond the words ‘cyber’ or ‘Internet.’ There is no standard policy in this space right now. For example, Internet liability coverage is personal advertising injury insurance for electronic media, which just protects against infringement and unauthorized use of advertising material, copyright, slogan, trademark, etc., through the Internet. It has nothing to do with protecting against breaches.
How can companies make sure that their portable devices are covered?
It’s becoming more common for hackers to gain access to your information through portable devices, such as laptops, tablets, removable storage and smartphones. This is partly because more organizations are using cloud-based computing where portable devices have greater access to protected information. At the same time, your employees may be saving their passwords on the device or even using an app that creates a list of passwords.
You can buy an Internet privacy and security policy that includes as a covered cause of loss a lost or stolen laptop or portable device, either as part of the standard policy or as an endorsement. But in order for those devices to fit into the definition of a covered cause of loss, the device has to be password protected and the regulated data has to be encrypted.
A good insurance agent will help you become compliant when you buy the insurance policy. Your internal portable device policy needs to set standards for storing and changing passwords. Your encryption service or platform needs to meet the insurance company’s requirements, and every carrier is different. For instance, standard Apple encryption might qualify, but you could need an internal policy that states all mobile devices are Apple and required to be passcode or fingerprint protected.
Make sure you ask your insurance agent if he or she has sample policies with best practices, in order to streamline adopting a compliant internal policy.
Typically when you have a breach, it’s because somebody wasn’t following the rules. But if you don’t set the rules upfront and provide ongoing training and awareness, your claim may be denied — even if you’ve already taken the proactive step of insuring for the risk.
Insights Business Insurance is brought to you by SeibertKeck