Data security issues: Cyber liability insurance policies and your small business - by Spencer Macalaster and Robert Rosenzweig

Spencer Macalaster, Risk Strategies Co.

October is National Cyber Security Month. Each day, a new company is added to the list of clients affected by the massive data breach. Hackers responsible for these types of security breaches can hold companies ransom or worse destroy their reputational credit. Massachusetts has taken the lead in requiring companies to provide comprehensive data security to all personal information stored on a server. In addition to Massachusetts laws, regulations in 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands require that individuals (customers, employees, citizens, students, etc.) be notified in the event their personal data has been lost, stolen or compromised. The most recent data breaches introduces a new twist to a company’s cyber liability exposure and potential for exposure under Federal and State Privacy Laws.

According to datalossdb.org there have been over 1,000 breaches in 2015 alone which resulted in millions of individual personal identity information (PII) records being released. Computer hacking, stolen laptops and fraud scams were the primary culprits leading to the release of PII. Although the damages associated with unlawful disclosure of private information are normally not large on an individual basis, collectively they can be massive, and defendants commonly join together in class action lawsuits. Settlements can include monetary damages as well as the cost of credit monitoring services and ID theft coverage. In addition, companies can incur millions of dollars in expenses to secure compromised networks, assess damages, and notify customers.

Robert Rosenzweig - Risk Strategies

Protection on any corporate database will never be 100% secure.  Steve Wong, vice president at Clearsight Networks, points out that “as quickly as security measures, such as firewalls, are developed the cyber thieves are creating ways to breach those security measures”. Internet security protection is a continual process that cannot be solved entirely by technical means. As an individual there are many steps you can take to enhance your personal protection. Don’t respond to emails or phone calls requesting your personal information. Use unique usernames and strong passwords for any online account. Make sure you have the most up to date security software installed on your computers. Cyber threats are now recognized as one of the biggest threats to business and individuals and are a matter of national security.

Cyber-crime is highly lucrative and provides huge financial incentives to the criminals who can derive large payouts from the personal data stolen. According to the Ponemon Institute’s 2014 Cost of Data Breach Study the average cost of a breach is $3.5 million, a 15% increase over 2103. To provide a financial backstop to data security technology, “Cyber Liability” insurance has been introduced. Traditional insurance products, including property, general liability and professional liability, do not address cyber risks. As with most special types of risks, it takes a specialty insurance product to address the exposure. Cyber Liability policies have been expanding in coverage to include privacy notification expenses. The bottom line is all companies are exposed to data security breaches. The financial consequences can be enormous, but most companies have relied almost exclusively on technological solutions to manage the risk. The insurance marketplace has designed sophisticated products, higher policy limits, and competitive pricing. There is a growing awareness at many companies that data security should not be exclusively an IT issue, making these products a standard part of a company’s risk management strategies.

Spencer Macalaster is the executive vice president and Robert Rosenzweig is vice president/ national cyber risk practice leader for Risk Strategies Company, Boston.