Each day, a new company is added to the list of clients affected by data breaches. Hackers responsible for these types of security breaches can hold companies ransom or worse destroy their reputational credit. Massachusetts has taken the lead in requiring companies to provide comprehensive data security to all personal information stored on a server. In addition to Massachusetts laws, regulations in 44 states, the District of Columbia, Puerto Rico, and the Virgin Islands require that individuals (customers, employees, citizens, students, etc.) be notified in the event their personal data has been lost, stolen or compromised. The most recent data breaches introduce new twists to a company's cyber liability exposure and potential for exposure under Federal and State Privacy Laws.
According to www.datalossdb.org there have been over 1,000 breaches in 2015 alone which resulted in millions individual personal identity information (PII) released. Computer hacking, stolen laptops and fraud scams were the primary culprits leading to the release of these PII's. Although the damages associated with unlawful disclosure of private information are normally not large on an individual basis, collectively they can be massive, and defendants commonly join together in class action lawsuits. Settlements can include monetary damages as well as the cost of credit monitoring services and ID theft coverage. In addition, companies can incur millions of dollars in expenses to secure compromised networks, assess damages, and notify customers.
Protection on any corporate database will never be 100% secure.Steve Wong, vice president at Clearsight Networks, points out that "as quickly as security measures, such as firewalls, are developed the cyber thieves are creating ways to breach those security measures". Internet security protection is a continual process that cannot be solved entirely by technical means.
To provide a financial backstop to data security technology, "Cyber Liability" insurance has been introduced. Traditional insurance products, including property, general liability and professional liability, do not address cyber risks. As with most special types of risks, it takes a specialty insurance product to address the exposure. Cyber Liability policies have been expanding in coverage to include privacy notification expenses. The bottom line is all companies are exposed to electronic data security breaches. The financial consequences can be enormous, but most companies have relied almost exclusively on technological solutions to manage the risk. The insurance marketplace has designed sophisticated products, higher policy limits, and competitive pricing. There is a growing awareness at many companies that data security should not be exclusively an IT issue, making these products a standard part of a company's risk management strategies.
Spencer Macalaster is executive VP and real estate practice leader with Risk Strategies Co., Boston.