Expanding data security risks require new strategies for small, mid-sized businesses
When insurers launched cyber security policies more than a decade ago, the early policies were designed primarily for larger companies with exposures related to e-commerce, such as system hackers, stolen passwords, denial of service attacks and computer viruses.
Today, with more laws protecting personal data, as well as the rise of mobile computing and related technologies, the focus of cyber security policies has expanded to broader privacy-based exposures.
According to Greg Leffard, vice president of professional liability at The Hartford, as more companies of all sizes are collecting, transmitting and storing information electronically, data content has grown exponentially -- from electronic medical records to paperless offices, credit card data to employee files.
"The exposure of compromised data and its impact on companies is continually evolving," Leffard said. "While the need for coverage is not new, it is much different today, due in large part to more stringent laws protecting consumer and employee data, the rise of mobile devices, which are highly vulnerable to data theft, and more sophisticated hackers trying to obtain valuable private data."
While this type of breach typically involves someone hacking into a database, it could just as easily involve an employee stealing a customer's credit card and scanning the data for use in a potential identity theft.
Large companies still face significant risks, but with technology leveling the playing field, small and mid-sized companies also need to be more focused on potential data breach scenarios and how to protect themselves.
"Regardless of size, businesses need to consider the amount and types of data they are collecting, storing and transmitting," said Leffard.
ASSESSING THE RISK
The challenge for many smaller businesses is that they often do not have the internal data security resources to manage such risks, explained Stuart Kohn, assistant vice president, E&O and cyber liability product manager at The Hartford.
"Concern over data breaches and the protection of privacy is being driven by federal and state-specific legislation involving the obligations of a company," Kohn said. "Smaller companies, in particular, may not even be aware that their data is vulnerable, which can be dangerous in today's world."
"If personal, confidential information is compromised -- which can include customer or employee data -- a company has an obligation to inform those individuals who have been affected," said Kohn.
Certain types of information are considered particularly sensitive in the event of a data breach. These can include Social Security numbers, medical or healthcare information, driver's license numbers or state identification numbers, as well as financial account information that would permit access to that account.
"Companies handling these types of data need to ensure they are complying with applicable laws and regulations," said Kohn.
RESPONDING TO A BREACH
Taking this into account, businesses -- in a variety of industry segments -- need to understand their potential risk and ensure they have adequate protection. This includes having the right insurance coverage in place, as well as access to breach response services, which can help minimize the potential impact of a data breach, should one occur.
"While there is still potential for third-party liability claims, for many, the focus today is on first-party expenses due to the enactment of data privacy laws in the majority of states," said Jerry O'Dwyer, assistant vice president of professional liability for The Hartford. He noted that this shift has resulted in the escalation of post-breach costs, such as notification and credit monitoring expenses, and costs related to forensic analysis and crisis management services.
The direct and indirect cost of a data breach can vary widely depending on an organization's preparedness and handling of the breach.
"A serious data breach can cause significant financial loss to a company," said O'Dwyer. "However, an organization that is able to act quickly with the appropriate response to a data breach is in a better position to limit its exposure to a third-party liability claim."
As part of The Hartford's portfolio of data security coverage, the company recently enhanced its Data Privacy and Network Security Liability Policy, which is offered as a stand-alone policy and is geared for businesses in a broad range of industries.
"We designed this policy to help protect businesses from a broad range of third-party liability and first-party risks associated with data privacy and network security, including hackers, malicious software, rogue employees and unauthorized use," said O'Dwyer.
"Virtually every business has at least some risk of a data breach," O'Dwyer added. "And what they don't know can hurt them, so it is important to work with agents and brokers who can help assess their risk and determine the appropriate coverage for these exposures."
While data protection policies, procedures and training can help reduce the likelihood of a data breach, no company can be completely certain that its customer, patient or employee data could never be at risk. For this reason, it is important for companies to also have appropriate data breach insurance coverage in place.
(The above piece is part of our continuing Perspectives series designed to highlight key products and services to our readers. This paid-for Perspective was written and edited by Risk & Insurance® on behalf of our marketing partner. Additional Perspectives can be found on our Web site at www.riskandinsurance.com/.)
December 14, 2012
Copyright 2012© LRP Publications