Covering your business for cyber liabilities used to be a concern only for the highest-tech companies, but as times change, so should your policies. With universal business use of the Internet and states increasingly enforcing privacy and security breach notification laws, all employers should review their policies to ensure they carry cyber liability coverage.
Many businesses do not realize how big their technological liabilities are until there is a problem. If a security breach occurs, it can cost a company hundreds of thousands of dollars, not only in damages and losses, but also in rebuilding the brand's or business's reputation among customers.
Some experts in the industry estimate that about 90 percent of U.S. businesses have a large need for cyber coverage in their commercial liability policies. The number is high because security breaches extend far beyond the Internet: any company that stores sensitive customer information, whether over the Internet or simply on a laptop computer, could be at risk.
Besides adding to and adjusting existing policies, businesses that want to protect themselves from cyber liability can take other steps. Obviously, carefully following all security laws and regulations is a great start. Also consider putting company policies in place that further protect sensitive information and ensure employees are aware of the dangers as well. These would include:
- Internet security policies
- Company e-mail policies
- Policies on employee conduct with personal customer information
- Computer security policies to protect other private data, including internal personnel information
Think of cyber liability coverage as an evolution of traditional liability insurance policies. It is not just for e-businesses anymore; it has become a risk for almost every company, regardless of size or line of business. Cyber liability can be complicated, so contact me with questions or concerns.
Content © 2009-2010 Zywave, Inc. All rights reserved.
Commercial Insurance Professional helping you navigate the ever-changing Insurance and Risk Management Universe!
Saturday, April 3, 2010
Friday, April 2, 2010
Data Breach Notification Laws
According to a recent report, almost 340 million records containing "sensitive personal information" have been involved in security breaches since January 2005. Consumers have begun to realize how easily their private and personal information can become vulnerable or accessible. Over the last 5 years, there have been dozens of reports in the media of large corporations and institutions that have had their customers' information breached in some way. But how many smaller organizations have had a breach that we haven't heard about? Do you know what the law requires if your customers' information is compromised?
There is a federal bill (Data Accountability and Trust Act) that has been passed by the House and is awaiting a vote in Congress. It would require, among other things, that all businesses implement safeguards to protect data and notify customers if their personal information is breached. In the meantime, most states already have a law requiring notification of security breaches. In general, consumers are to be informed of a breach when their information is lost or compromised, putting them on alert for possible identity theft. The individual laws differ as to what is defined as "personal information" and under what circumstances the notification must be made. Some laws, including those in New York State, require notification to consumers any time there has been a breach of unencrypted data, regardless of whether the company determines there was no significant risk.
The laws also dictate when and how the notification must be made. A recent study of 2009 data security breaches in the US shows an average cost of $204 per customer with a potentially compromised data record. In addition to the cost of notification and remediation, companies that have a breach will be subject to the costs of regulatory investigations, as well as penalties and fines.
There are numerous practical steps you can take to ensure compliance and prevent breaches. Review how your firm safeguards non-public customer and employee data, and implement safeguards and controls using industry best practices. You should also review the organization's data privacy policies and notices, and make changes if necessary. In addition, consider acquiring a Privacy Breach and Network Security Liability policy. Although these policies have been available for quite some time, over the last few years both coverage and accessibility have improved significantly. Beyond the expense of notification and remediation following a breach, there is also the potential for suits filed by consumers, which will result in defense costs at a minimum.
In the current regulatory environment, every company is susceptible to these threats and needs to take appropriate steps to address them.
This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.