Cyber Liability-Your Exposure May Be Greater Than You Think

November 19, 2009
By: Mark Green and Mike Roman

It’s hard to go a week without seeing a headline about a stolen laptop or the loss of private data.  In fact, most of us have likely received a letter stating that ‘your personal information may have been compromised, and your credit card company will be issuing you a new card, or your bank will be assigning a new account number to prevent the theft of your identity’.  The number of data breaches at businesses, government agencies, and educational institutions in the U.S. jumped by nearly 50 percent in 2008 compared with 2007, according to the Identity Theft Resource Center.

The reality of our digital world is that non-public personal information is being stored and transferred in quantities never before realized.  A University of California, Berkeley report stated that more data has been aggregated and stored in the last three years than in the entire history of mankind.  Even if your company does not operate within the information technology arena, the fact is that you have an exposure to loss associated with information theft. 

If you maintain records on your employees, you are the custodian of private information and are responsible for its security.  If your business accepts credit cards or on-line purchases, you have even more exposure.  If your company has outside vendors, lenders or customers that access accounts or portals through your network, you may have a serious loss exposure.  Even if you only maintain private information in print or hard copy, you still have critical liability exposure. 

If you have a breach in security and the private information of any third parties is compromised, several things can and will happen.  More than likely, state or federal law will require you to notify each and every person who may have been affected by the breach.  This may require mailing statements, sending emails, or other methods of notifying those exposed.  Depending on the number of records compromised, the postage bill alone could add up quickly.  Currently only six states in the U.S. do not have a consumer notification law (Alabama being one of those six).

Let’s assume that you are based in Alabama, and most of the private data you maintain is on consumers within the state.  While technically there is no state law requiring you to notify consumers that their information has potentially been compromised, many courts have held companies to the standard of the most comprehensive state laws (California Database Protection Act of 2003 – SB 1386 and AB 1950).

Next, depending on the severity and scope of the breach, the Federal Trade Commission (FTC) may come to visit, inspect and evaluate your controls, and may even fine you.  Further, the FTC may require that you hire an independent IT auditing firm to evaluate your controls every other year.  This can also prove to be quite costly.  HIPAA, FACTA and GLB (Gramm-Leach-Bliley) are some of the laws the FTC uses to enforce consumer protection and increased corporate responsibility.

Finally, and arguably your most serious exposure, is the threat of a lawsuit from the very consumers or employees whose records you failed to protect.  This often evolves into a class action lawsuit which can drain your balance sheet of hundreds of thousands if not millions of dollars.  The 2007 TJ Maxx data breach resulted in a $196 million provision on their income statement resulting from the class action lawsuits. 

As we have seen, protecting sensitive personal information is an issue for every company that deals with employee or customer data.  Any breach of data that has been entrusted to an organization can bring irreparable damage to its reputation, its business and its balance sheet.  So, where does a company, a CFO or a risk manager start?  Sound risk management principles and analysis are a good place.

First, you can try to avoid the exposure.  Companies must take a hard look at the amount and kind of data being collected and stored.  Pure avoidance is likely impossible for any company operating in today’s environment of tight margins and ‘doing more with less’.  But, with a concentrated effort to minimize personal information, at least some of the exposure can be avoided.

Second, you can try to mitigate the exposure by improving your IT and physical security.  Companies must constantly evaluate and update their internal and external controls as the threats evolve.  While mitigation of the exposure is often more successful than other methods, it is also the most expensive and often not achievable at the levels required.

Finally, you can transfer your risk to an insurance company in return for paying them an annual premium for a given limit of first and third party liability coverage.  Coverage and pricing for Privacy & Security policies can vary greatly with each type of risk.  No two policies are the same.  It is extremely important to have a specialist in this area thoroughly analyze your risk and review the coverage offered.  Quite often the policy may not address crucial exposures without being endorsed properly. 

A well-tailored Privacy and Security policy will, generally speaking, cover your company against third party lawsuits for your failure to protect confidential information.  Some policies will also provide first party coverage.  This can include funds to pay for the notification of consumers, credit monitoring services, and crisis management / public relations resources.

The companies demonstrating best in breed practices will incorporate all three risk management techniques mentioned above.  Those that rely solely on avoidance and mitigation often find themselves faced with the ugly reality of massive defense and settlement costs after a breach they decided could never happen to them.  Despite the best external and internal security measures, the motivation and ease of cyber crime continues to grow and outpace the methods employed to stop it. 

Alabama Society of Certified Public Accountants © 2012