Every Business Needs to Take Cyberliability Seriously
It is likely that your company has an obligation to protect the data and the financial information of its customers, clients and/or employees. This may be harder than ever. Most data is now stored electronically and involves some form of network and data connection. Work is conducted electronically over a network and stored remotely in the cloud.
Many smaller businesses find themselves vulnerable to cyberthieves, often because they have limited budgets for data security and few or no technology experts on staff. Marcey Rader shared some password protection strategies last week; this week we will focus on the costs of a hacking incident and some other protection techniques for the small business.
Costs of a hacking incident or inadvertent disclosure can include:
forensic expenses to figure out what happened, how, and what was taken;
installing more robust data protection security;
paying credit monitoring fees for affected customers;
hiring a public relations firm to deal with the fallout;
perhaps dealing with business interruption from downed technology.
There also may be regulatory fees or fines, legal fees and court costs.
Liability for loss or disclosure of customer or employee data is not typically covered under a corporate insurance policy. Some existing business insurance policies that offer general liability, and directors and officers liability, may provide a measure of coverage for those areas, but significant gaps may exist if you are trying to recover from a hacking incident that revealed private information. A traditional CGL policy often covers “personal and advertising injury,” which is typically defined as injuries arising out of the oral or written publication of material that violates a person’s right of privacy.
There has been at least one recent case, however, that denied coverage under this clause where the data breach was not a negligent act by the insured, but a deliberate hacker attack. Companies with HIPAA obligations, companies that store credit card information or email addresses and passwords for customers or online retailers especially should review their insurance coverage against a hacking incident or an inadvertent release of private information.
If your general business insurance policies are not adequate for the risks, consider specific cyber liability policies that cover your costs for dealing with a disclosure and also for defending suits from customers or other third parties.
Situations to discuss with your insurance agent should include:
Loss or disclosure of personally identifiable employee and customer/client information.
Failure to prevent the entrance or spread of a virus/hacker attack.
Libel, slander and copyright infringement from your website content.
Expenses to respond to a threat to harm or release your data as well as cover ransom payments if necessary (extortion).
In addition, some basic security measures may make your company less vulnerable, such as firewalls and strong passwords that are frequently changed. If employees bring their own devices that connect to the company networks, those devices need security as well. Employees need to be trained not to have the same passwords for different programs and not to leave passwords on sticky notes under their keyboards.
Think about what information you collect and how you store it. If you've ever worked with me, you know I don't keep credit card information or social security numbers after I use them. I don't ever have an electronic copy of this type of information and I shred my hard copy when I am done.