Poorly managed breach destroys reputation
By Becky Pearson
Security and data breaches don’t favor one organization or industry over another and are taking place every day. Companies should consider the “how” of a breach — as opposed to the “who” — to evaluate their exposure to a similar event.
Retail operations remain a target for hackers because of the volume of information in their systems: payment-card data, confidential loyalty-program records, and employee data. The people harmed in these attacks are an organization’s most valued assets: its employees and customers.
Until recently, many thought data risk was trivial compared to other threats such as theft, slip and falls, and workplace violence. But with data compromise occurring at much greater frequency, it’s one risk you don’t want to underestimate. Reputational harm stemming from a poorly managed data breach can be catastrophic.
Five myths you can’t afford to believe
1. Data theft is not a problem for me — my company is too small. Data privacy is a concern for organizations of any size. Rogue employees, data thieves, and unscrupulous business associates look for opportunities to take advantage of any weakness or mistake. In addition, human error by negligent or careless staff accounts for a surprising number of data breaches around the country.
2. We can afford to self-insure the risk. As the economy continues to recover, companies are still closely watching discretionary spending, including certain lines of insurance coverage.
Many organizations wrongly believe that if something happens to their data, they can afford to cover the costs. According to a recent Ponemon Institute study, the average cost for a small breach of 1,000 records could easily exceed $200,000 — a sum that many companies cannot easily absorb.
Remember, the majority of funds to respond to a breach need to be liquid. Breach vendors typically look for payment before or at the time service is rendered, and payment for postage is required when the letter is mailed, not 30 days later.
3. Coverage is expensive and hard to get. This perception was true five years ago but is not true today. Competition, claims experience and a larger pool of buyers have made network security and privacy liability coverage more cost-effective and easier to obtain.
Even with the recent proliferation of retail breaches, the market remains relatively stable. Some carriers, however, are more cautious when reviewing risks with a large volume of credit card data.
4. Our general liability policy will cover us. General-liability insurance covers bodily injury and property damage as well as advertising injury and personal injury. The courts have consistently stated that data are not property because they are intangible. The perils associated with advertising injury and personal injury are very specific.
While a carefully worded lawsuit could trigger coverage, the main expenses from a data-privacy event are breach-response and notification costs. There is little chance of these costs being covered under a general-liability policy.
5. We have vendors who handle our sensitive information and credit card transactions; if they have a breach, it’s their problem not ours. This is not generally true. The data owner — the person or entity collecting the data — is ultimately responsible for what happens to that data.
Thus, a breach at a trusted business vendor could still lead to your obligation to provide notification and a decision whether to offer credit monitoring. Your contracts may require indemnification by your vendor, but if the breach is large enough, indemnification might not be enough to cover the costs or your vendor could file for bankruptcy.
More importantly, do you want critical correspondence to customers and/or employees handled by someone other than you?
Eight steps toward peace of mind
It is essential for organizations to adopt policies and procedures addressing information security, along with a concrete, comprehensive plan for incident response. Consider these questions to create “peace of mind”:
- Plan — What will you do if a potential issue is identified?
- Educate — Have you adequately educated your employees about their responsibility to protect private information?
- Access — Have you implemented standard procedures for access to and use of private data? Is access to data limited to a “need-to-know” basis?
- Contracts — Do you have procedures for managing your contracts with third parties? Do they address indemnification and insurance?
- Encrypt — Do you follow recognized encryption standards? Do you restrict and/or encrypt data at rest, including data stored on mobile devices, thumb drives and backup tapes?
- Online — Do you have a written policy regarding the dissemination of personal information on public and social media sites?
- Financial impact — Do you have adequate reserves or an appropriate insurance policy to manage the financial impact of a breach?
- Monitor — How often do you monitor networks, websites and databases to detect potential issues?
Readiness is the crucial step. Organizations can’t afford to figure things out after a breach occurs. It’s much more cost-effective to have a ready-to-use incident-response plan, an on-call forensics expert and a privacy attorney on retainer. Then, when a potential issue is identified, your organization can act to mitigate the effects of a breach, deter any potential litigation and respond to inquiries from regulators.
Employers should also look for insurance partners who can help them identify financial risks and develop customized solutions to better protect their organization.
Becky Pearson is a technology privacy and network risk practice leader for Wells Fargo Insurance. She has 11 years of experience providing consultative services, market negotiations, policy analysis and placement, policy administration, and claims advocacy services to support her customers and advise on data risk. She can be reached at 415-541-7177 or firstname.lastname@example.org.
Copyright © 1988–2014 North Bay Business Journal