By the end of 2009, 45 states, the District of Columbia, and two U.S. territories had enacted laws requiring notification of security breaches involving personal information. New York’s law is typical. It requires businesses that own or license computer data that includes private information to disclose any security breach of the system to any state resident whose private information the business believes was accessed without authorization. The businesses must provide the notice by mail, phone or e-mail as soon as possible after discovering the breach, inform the state government of the notices, and inform consumer reporting agencies if the breach affected more than 5,000 residents.
Notifying the victims is only one of the costs a business that suffers a security breach can expect. It might face lawsuits from the victims, fines from regulators, and serious harm to its reputation. Lockton International has estimated the cost of a security breach to be $15 per person affected. Lockton issued a paper in 2010 that discussed several ways that businesses can avoid cyber attacks and handle those that do occur, including:
- Assemble a multifunctional team to identify cyber risks and develop plans for preventing attacks. The team should include individuals responsible for legal compliance, risk management or insurance, information technology, procurement of vendors, and operations.
- Comply with applicable federal and state laws and regulations, including HIPAA (which applies to the security of private health information) and the Gramm-Leach-Bliley Act (which applies to private financial information).
- Manage vendors that have a high risk of data security breaches, including payroll companies, credit card processors, and accountants. Require them to meet legal and industry standards, obtain insurance against security breaches, and indemnify the business from related losses.
- Manage the people as well as the system. Train and educate employees on system security, monitor them for poor security practices and possible malicious acts, and verify that they have not installed unauthorized software that would increase vulnerabilities in the system.
- Regularly test the system and repair security problems. Perform internal tests, external penetration tests, and scans for viruses and other malware, and evaluate work processes.
- Encrypt private data while it is stored on the network, while it is being e-mailed or transferred another way, and while it is on laptops, smart phones, and other mobile devices.
- Develop a plan for effectively responding to security breaches.
As more businesses become aware of their exposure to data losses, insurance companies are beginning to offer specialized policies to cover these incidents. An electronic data liability policy covers a business’s liability for damages resulting from accidents, negligent acts, errors or omissions, or a series of these, leading to a loss of electronic data. Coverage applies to claims made during the policy period for losses occurring on or after a date specified in the policy. Another policy offered by specialty insurers covers a business’s lost income and extra expenses resulting from harm to its reputation after a security breach.
Most businesses and organizations today have some exposure to loss from cyber risks. Just as they try to prevent fires, car accidents, and workplace injuries, businesses must make preventing data security breaches a standard part of their operations. Speak with our professional insurance agents about the insurance you might need when breaches occur. With proper loss control and the right insurance, a business can survive a cyber attack.