Are you aware that businesses must be able to notify all parties that were affected by a breach, communicate effectively the scope of the possible damage, and provide credit monitoring assistance and identity restoration case management to those affected by the breach? In addition, they may also face legal defense and settlement costs in the event an action is brought against them because of a breach.
You may believe you don’t have this exposure. If you are like most small business owners (an estimated 78%, per a recent Harris Poll on behalf of Nationwide insurance), you don’t have a cyber attack response plan. The same Harris Poll survey found that 54% of small business owners were victim to at least one type of attack: virus, phishing or malware. Other exposures include hacking, unauthorized access to customer or company information or software, data breach and ransomware. The U.S. Small Business Administration claims that small employers are becoming an increasingly attractive target because they not only have valuable customer data but provide access to larger networks and lack the personnel to provide cyber security. Even if you outsource IT or have dedicated IT staff, that cannot protect you from lost or stolen devices or internal threats. How you respond to and survive a breach depends upon whether you have given this exposure much thought and, if you have cyber coverage, how broad that coverage is.
Take time to develop a response plan. Just like an emergency response plan, knowing what to expect and how to respond before an emergency ensures better outcomes for all involved. Develop policies for your practice which address mobile computing, personal device use (BYOD), sensitive information handling and basic security of protected information. Do NOT wait for a data breach to happen. Inventory all of your stored PII (Personally Identifiable Information) and know what a “worst-case” breach scenario could look like. Should a hacker get into your system, all of your files (HR, clients, healthcare, communications, etc.) could be compromised at the same time, and you won’t have the advantage of calmness and time to respond.
Questions will need to be answered in the event of a breach such as:
- How many records were exposed?
- What type of data was exposed?
- Is this the organization’s first breach?
- Was the data stored in a centralized system/location?
- Is fraud expected?
- Is a class action lawsuit expected?
Common costs incurred with a data breach include incident investigation costs, notification/crisis management costs, regulatory fines and penalties, and class action lawsuit costs.
Consider the cost of notification, for example: how many notices you would need to send (one per potential victim), how many different versions of the notification letter you would need, and the cost of both printing and postage for the notification. How will you handle inbound calls once notification has gone out? Customer questions could tie up a considerable amount of staff time and be a source of considerable disruption for your practice.
If you are considering the use of Cloud Computing for all or part of your business operations, you should carefully review the contractual language prior to entering into any agreement. Many contracts have not been updated to reflect new technology and the impact of cloud computing on current data security/privacy laws.
- Who owns your data once it resides in the Cloud?
- Does your Cloud provider guarantee the security and privacy of your data?
- Will you be alerted if there is a breach of your customer data inside the Cloud?
- Will you have the right to investigate the breach?
- Who will notify your customers of a breach incident?
Everyone purchasing cloud services will need to address their own unique requirements in the contracting process, and each contract should be the result of due diligence and a negotiated transaction.
If you have a breach: notify your broker or your insurance company’s Claims Representative as soon as possible. Be sure to have your staff gather and document the facts surrounding the incident; if you have an IT person, they would be instrumental in working with the insurance company. Network security event logs are often vital in helping verify the date, time and machine involved in an incident. If you have a cyber liability policy, this will trigger coverage and your carrier will step in to direct and assist. If you have any coverage under your business owner’s policy, the carrier will again step in to direct and assist per the policy language. If you do not have coverage, you will need to spearhead the recovery and notification process with the assistance of specialists in this area: a privacy attorney or breach response professional.
As wonderful as technology is, it exposes those who use it to new and emerging perils. Awareness and mitigation of the inherent risks associated with our connected world are critical to any well-rounded risk management program. Be sure to ask your team at Professional Insurance Programs about cyber solutions for your practice.