According to a Business Insurance poll of business owners and risk managers, cyber security and data privacy have taken the lead as the most concerning business risk, over natural disasters, corporate liability, and changing legislation or regulation.
Why has this concern risen to the top? The publicity associated with Target, Home Depot, Stop & Shop and Blue Cross Blue Shield’s recent hacks comes to mind, however, this is not the only factor generating so much concern. Estimates indicate there are an average of three data breaches per day for small business owners alone, and these numbers are only indicative of the companies that report data breaches.
To avoid a data breach, it’s important to understand that any business can be at risk for the following types of data breaches.
- Social engineering, such as phishing
- Outright intrusion (hack)
- Distributed denial of service (DDoS) and extortion.
- Email hacking, viruses and malware
- Employees making simple mistakes such as losing a laptop or accidentally sending information to the wrong address (paper or electronic)
- Malicious or disgruntled employees
- Electronic theft and loss of system resources
- Third party breaches, such as a trusted vendor or a cloud breach
Regulatory issues -Why pay attention?
In addition to the Federal laws dealing with privacy such as HIPAA and HITECH, 47 states have passed privacy legislation.
The laws dictate what protocols a business must have in place prior to a breach; encryption requirements; how and when notification must be made to affected parties; and other requirements such as offering credit monitoring to the affected individuals.
These laws also define what is considered personally identifiable information - something that is constantly changing due to legislation or legal interpretation. Personally identifiable information generally includes names, addresses, social security numbers, driver’s license numbers, bank and credit card information, and health insurance information. It can also include online user names, passwords and email addresses.
Many small businesses do not have sophisticated IT services, so breaches go undetected putting business at risk for their “Failure to Detect.” Many businesses are unaware of potential requirements as outlined above.
Rhode Island’s newly strengthened Identity Theft Protection Act took effect on June 28, 2016. Obligations placed on businesses by the Rhode Island law include strong email encryption, safely destroying personal information as soon as it is no longer needed to provide the services requested by the customer, and notification within 45 days to anyone whose personal information may have been compromised. Businesses must also be able to justify the information collected and stored. Contracts with vendors, customers and service providers are under new scrutiny and internal policies and procedures must be documented and shared with all employees.
Any business that collects customer information has liability, whether that information is stored on a server, in the cloud, or in paper files.
Any organization that has customers or employees who live in any of the 47 states with privacy statutes is required to adhere to the state law where the individual resides.
Any business that accepts credit cards has an additional contractual liability with the payment card vendor. This contractual liability can create additional liability.
The cost of a data breach could put a small business out of business. According to claim studies by Net.Diligence the average cost of a breach for businesses in the “mom & pop” category could be $250,000 or more. In the healthcare field, costs are even greater.
What costs are associated with the risks?
- Forensic expense
- Notification expense
- Legal expense
- Customers’ credit monitoring
- Regulatory fines and penalties
- Crisis management services
- Repair or replacement of servers and software
- Loss of business income to contain damage, stop attacks and implement workarounds
What can be done to manage and transfer the risks?
Manage the risks by setting strict procedures to protect confidential information. Train all employees to understand what constitutes protected data and to follow procedure when handling private data. Establish protocols to protect data by limiting access to sensitive data and shredding sensitive information once it is no longer needed. Engage legal counsel to make sure your vendor contracts are updated to meet the privacy and confidentiality standards.
Most importantly, transfer the risk by purchasing cyber liability insurance. A comprehensive policy will provide the full spectrum of breach services such as forensic expenses to determine the extent of the breach; notification to regulatory bodies; notification to affected individuals; credit monitoring for affected individuals; regulatory fines and penalties; liability insurance; and first party loss, such as damage to your equipment, your loss of business income and your public relations crisis management expenses. The cost of the insurance acts as a retainer for professionals to step in and manage the breach. The insurance is priced according to the size of your operation and can be a surprisingly affordable, worthwhile investment.