YouTube, Facebook, and Twitter have become prevalent, and the risks they pose to the workplace are often not taken into account.
Here are a few threats that can be overlooked:
1. Your Friends List
“Social media” can be very helpful when making contact with customers, finding jobs, corresponding with potential clients, etc. But dangers lurk when all the people in your friends list have access to your comments. Ranting and raving about your boss and forgetting that he/she is listed as “your friend” can lead to obvious problems.
2. Employers Fail To Set Internet Usage Policy
Many companies are using blogs and social networking to their advantage; however, they can also become a liability risk. It is vital that policies are in place for how and when employees can use the Internet and that personal data is secured.
3. Hackers Look For Any Open Door
Any employee using these sites while on the job exposes the organization to phishing, being hit by spam, and malware attacks. One result shows that a quarter of all businesses have been affected by “social media” use in the workplace.
4. Providers Fail to Take Appropriate Safety Measures
Lawsuits are beginning to target the social media companies for privacy issues along with user-generated content. Several classmates set up a private group on Facebook. Now Facebook has been named in a lawsuit over allegedly defamatory content contained in the private group’s comments.
5. Ignorance Is Your Loss
An even bigger danger is to ignore the social media frenzy. In doing so, companies lose the newest, most popular opportunity to stay in touch with their markets and their clients and to build customer relationships. Just be wise in how your company uses social media.
Source: Patricia Vonwinkle, Risk and Insurance
Tracey Vispoli, Chubb’s Cybersecurity Product Manager, refers to the rise in cyber liability claims, by stating, “It’s a frequency issue as well as severity”. Remedies for data breach now cost $202 per record.
According to Vispoli, more than half of the companies with fewer than 1,000 employees have experienced an online data breach. This shows that the need for cyber liability coverage is not limited to large technology and multinational corporations.
With increased legal activity, attorneys are writing the requirement to carry Cyber Liability coverage into contracts.
Clients are also realizing the importance of cyber liability coverage, especially with the expansion of federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Red Flags Rule.
Policy forms should address how carriers handle the defense of regulatory matters. For the cost of defending the insured against an investigation, some carriers will provide the full policy limit. Others will apply a sublimit, and some forms may only cover costs if there is a civil suit.
Michael Carr, director of Information Technology and Cyber Liability at Markel Shand, refutes the common belief that the majority of data breaches covered by cyber liability policies occur on public Internet space. Carr states that most claims arise on companies’ own networks, where their clients’ personal data is stored. A common misconception among many agents and insurers is that a client does not need cyber liability coverage if their business is not involved in e-commerce.
Paper records should be another concern as Carr states: “An awful lot of confidential information is still stored on paper. Businesses have the same duty to protect that as electronic forms. Many but not all (coverage) forms extend to paper records.”
Source: Big I E Newsletter, September 2009
New regulations are appearing at a rapid rate, and it is vital that business owners and Chief Information Officers (CIOs) become familiar with current regulations and compliance dates.
State notification laws require businesses to notify customers or patients in a timely manner of any data breach that might affect them. Each state has its own requirements, and failure to notify in accordance with a state’s notification law could lead to fines and penalties.
The HITECH Act, which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for breaches of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.
The Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” as defined by the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation is intended to protect against the unauthorized disclosure of personal information of Massachusetts residents. This wide-sweeping law applies to any person or business that holds personal information on a resident of Massachusetts. Non-compliance may carry a $5,000 civil penalty for each violation, for each person affected.
So what’s next? H.R. 2221, the Data Accountability and Trust Act was recently passed by the House subcommittee on Commerce, Trade, and Consumer Protection which would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach.
Cyber liability or security and privacy insurance has been developed by insurance carriers to provide coverage for these exposures. First Party Coverages include business income and extra expense; crisis management expenses; cyber extortion; credit monitoring expenses; and notification costs. Third Party Coverages include network security and privacy liability; internet and media liability; and regulatory defense coverage (including penalties and fines).
Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.
Source: David Perkins, September 7, 2009 www.insurancejournal.com
Cyber attacks on U.S. and South Korean government agencies, companies and institutions have been called the “most aggressive in recent memory”.
Attackers use “botnets”, or networks of “zombie” personal computers, which they have infected with a virus. Denial of service comes into play when the controlled computers are instructed to contact target websites repeatedly until those websites are overwhelmed.
More sophisticated e-commerce websites protect against these attacks by using special software that detects and shuts down suspicious traffic.
Protect your computers! Viruses often attack with no apparent signs that your computer has been infected. Software is available to identify and flag dubious traffic flow. Many companies offer a free scan, so make sure you update your antivirus software and run regular scans. Also, potentially affected businesses should purchase Cyber Liability insurance to protect against this risk.
Source: http://www.msnbc.msn.com/id/31803381/ns/technology_and_science-security/
Tech Insurance Frequently Asked Questions:
If I give you my information, why can’t you give me my Professional Liability quote over the phone?
The answer is simple: we want to make sure that we are not wasting your time or ours by having to clear up misunderstandings or chase missing information. Although it seems simple to give us the information over the phone, our online system walks through the questions in a few simple steps to make sure we have everything we need in order to get you the best quote possible. Many of our carriers will not accept an application that has been filled out by anyone other than the insured.
By saving time on the phone, we are able to save both the company and the insured money in the long run by providing you with the best coverage at the most reasonable rates.
Do you know how much of your organization’s data is getting into cyberspace? Daily vital information about your company and your employees is seeping out and probably into the wrong hands.
There are laws in place in more than 40 states requiring companies to notify customers if their data may have been compromised. Not only is damage done to the company’s reputation, but in some states, if a company neglects to inform an individual of a possible identity compromise, it may face civil liability and regulatory and legal costs.
Timothy Sullivan, founder and executive chairman of the board of Fidelis Security Systems, has developed a risk management method that moves the focus from “intrusion” to “extrusion” prevention. Sullivan states that the way companies handle the personal data of their clients and employees is of utmost importance.
According to Sullivan, Fidelis Security Systems’ XPS is the only product that runs at speeds high enough to thwart unauthorized transfer of sensitive data on all network channels. The system provides content security for all e-mails, file transfers, and peer communications. Evidence of extrusions can be obtained to enforce laws governing privacy and financial data integrity, states Sullivan.
“Ninety-eight percent of computer investment today involves trying to prevent people from getting into a system. We believe some of that money would be well spent in trying to keep information from getting out.”
Source: Rough Notes Magazine, April 2009, Greg Davis http://www.roughnotes.com
The standard General Liability policy covers “personal injury” and “advertising injury” unless the insured is in the business of advertising, broadcasting, publishing, or telecasting. For this reason, there is no coverage for IT firms that are in the business of designing websites, determining content, providing content, or providing internet access.
Why do tech firms need coverage for “personal injury”? First of all “personal injury” coverage may be needed to protect a tech firm against an allegation of slander, libel, or oral or written publication that violates a person’s right of privacy. It is not too difficult to see how a tech firm could get sued under these circumstances.
In addition, coverage may also be needed for “advertising injury” in the event of an allegation of taking another’s idea in your advertisement, or of infringement of copyright, trade dress, or slogan in your advertisement.
The key word is “advertisement”. There is no coverage for infringement of copyright, trade mark, trade dress, or slogan unless they occur in your advertisement.
An exclusion in the policy form eliminates coverage for injury arising out of electronic chat rooms or bulletin boards that the insured hosts, owns, or exercises control over. In addition, there is another exclusion for injury arising out of the unauthorized use of another’s name or product in your email address, domain name, meta tag, or similar tactic used to mislead the potential customers of another.
It is obvious that the standard General Liability form does not adequately protect tech companies or IT professionals against these important exposures. As a result, coverage can be sought as part of a Professional Liability or Errors & Omissions policy form.
These policies can add back essential coverages, such as coverage for tech firms in the business of advertising or publishing, violation of a person’s right of privacy or undue publicity, intellectual property infringements, etc.
It is strongly recommended that tech companies or IT professionals deal with a tech insurance specialist to make sure that their coverage needs are addressed.
Outside hackers, whether domestic or part of criminal gangs in Eastern Europe and Asia, get most of the media attention.
However, inside jobs by a company’s own employees account for 70% of all security incidents that result in losses, according to some sources. This is known as authorized access for unauthorized use.
Employees, independent contractors, or employees of independent contractors who are disgruntled with management may steal confidential information such as credit card numbers, bank account information, or proprietary information such as trade secrets.
Most Cyber Liability policies only cover unauthorized access by outsiders. Make sure that your policy also covers authorized access for unauthorized reasons.
Source: Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006
The following risk management controls can help companies avoid cyber losses due to viruses, hackers, trojan horses, malware, denial of service, extortion, errors & omissions in delivering tech services, intellectual property violations, etc.:
* firewalls
* encryption
* password protection
* network security reviews
* disaster recovery services
* forensic services in response to security breaches
* emergency loss containment
* employee handbook provisions on internet and email security
* hacker vulnerability assessments
* review of your content and use terms by intellectual property attorney
Sources:
With Computers Under Siege Cyber Insurance Rides To The Rescue
Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006
When analyzing a Cyber Liability policy for adequacy, the following specific risks may or may not be covered:
* Errors & Omissions resulting in pure economic damages (needed for accounts that perform Cyber related professional services for a fee for others)
* Personal injury such as libel (usually excluded under General Liability for accounts with Cyber exposure)
* Advertising injury such as inaccurate statement about a competitor (usually excluded under General Liability for accounts with Cyber exposure)
* Copyright infringement
* Trade or service mark infringement
* Patent infringement (difficult to obtain on Cyber Liability policy, may need to buy stand alone policy to insure this risk)
* Computer viruses, trojan horses, malware
* Unauthorized access by outsiders to confidential data
* Authorized access by insiders for illegal purposes
* Breach of security
* Loss of use
* Business interruption
Businesses should discuss their exposure to each of the above risks with their risk manager or insurance agent and decide which ones need to be included in the coverage form. Don’t assume that all of these risks are covered without a specific coverage grant in the policy language. Since Cyber Liability coverage forms are not standardized like many other policy forms, coverages tend to vary greatly from one carrier to the next.
Source: With Computers Under Siege, Cyber Insurance Rides To The Rescue