I came across an eye-opening article from Chartis Insurance Company about real claims scenarios of payments made by their Executive Liability policy form. Most of the payments are over $1,000,000 and involve data breaches caused by hackers and rogue employees.
Read Article: Security & Privacy Claims Marketing Sheet
Source: Chartis Insurance Company, Security & Privacy Claims Scenarios, September 2010
YouTube, Facebook, and Twitter have become prevalent and the risks involved for the workplace are often not taken into account.
Here are a few threats that can be overlooked:
1. Your Friends List
“Social media” can be very helpful when making contact with customers, finding jobs, corresponding with potential clients, etc. But dangers lurk when all the people in your friends list have access to your comments. Ranting and raving about your boss and forgetting that he/she is listed as “your friend” can lead to obvious problems.
2. Employers Fail To Set Internet Usage Policy
Many companies are using blogs and social networking to their advantage; however, they can also become a liability risk. It is vital that policies are in place for how and when employees can use the Internet and that personal data is secured.
3. Hackers Look For Any Open Door
Any employee using these sites while on the job exposes the organization to phishing, spam, and malware attacks. One result shows that a quarter of all businesses have been affected by “social media” use in the workplace.
4. Providers Fail to Take Appropriate Safety Measures
Lawsuits are beginning to target the social media companies for privacy issues along with user-generated content. Several classmates set up a private group on Facebook. Now Facebook has been named in a lawsuit over allegedly defamatory content contained in the private group’s comments.
5. Ignorance Is Your Loss
An even bigger danger is to ignore the social media frenzy. In doing so, companies lose the newest, most popular opportunity to stay in touch with their markets and their clients and to build customer relationships. Just be wise in how your company uses social media.
Source: Patricia Vonwinkle Risk and Insurance
Tracey Vispoli, Chubb’s Cybersecurity Product Manager, refers to the rise in cyber liability claims by stating, “It’s a frequency issue as well as severity.” Remedies for data breach now cost $202 per record.
According to Vispoli, more than half of the companies with fewer than 1,000 employees have experienced an online data breach. This shows that the need for cyber liability coverage is not limited to large technology and multi-national corporations.
With increased legal activity, attorneys are writing a requirement to carry Cyber Liability into contracts.
Clients are also realizing the importance of cyber liability, especially with expansions of federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Red Flag rules.
Policy forms should address how carriers deal with the defense of regulatory matters. For the cost to defend the insured against investigation, some carriers will provide the full policy limit. Others will have a sublimit, and some forms may only cover costs if there is a civil suit.
Michael Carr, director of Information Technology and Cyber Liability at Markel Shand, refutes the common belief that the majority of data breaches covered by cyber liability policies occur on public Internet space. Carr states that most claims occur on companies’ networks where their clients’ personal data is stored. A common misconception among many agents and insurers is that a client does not need cyber liability coverage if their business is not involved in e-commerce.
Paper records should be another concern as Carr states: “An awful lot of confidential information is still stored on paper. Businesses have the same duty to protect that as electronic forms. Many but not all (coverage) forms extend to paper records.”
Source: Big I E Newsletter, September 2009
“Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and The Ponemon Institute.”
The study specifies that “Corporate America” is being affected by the behavior of employees who destabilize data protection. As a result of this behavior, encryption is not enough to protect laptops and other mobile devices that have sensitive information stored on them. The number one source of data loss is lost or stolen laptops. When a laptop has been stolen, 3 out of 4 companies will incur a data breach.
Necessary safety measures are not being taken by business owners to secure their laptops. Some business managers even deactivate their laptops’ encryption, making themselves and their clients more vulnerable to identity theft. Additional layers of security can be utilized to identify data that has been accessed, delete sensitive information remotely, and find a lost or stolen laptop. According to this study, employers cannot afford to rely on either the behavior of their employees or encryption technology to provide the data protection they need.
Source: Absolute/Ponemon
http://www.insurancejournal.com/news/national/2009/04/27/99982.htm
“The latest U.S. Cost of a Data Breach Study… indicates a significant increase in not only the out of pocket cost of data breach incidents, but also the cost of lost business created by the turnover of customers due to the breach.”
At $202 per compromised customer, U.S. companies have felt the brunt of data breaches. Companies that have suffered the most from data breaches are healthcare and financial services type businesses.
In 2008, the average cost for these incidents was $6.65 million. And the most damaging effect is lost business averaging $4.59 million or $139 per record compromised.
Surprisingly, 49% of companies that responded to a current study stated that most breaches actually came from the theft or loss of paper documents, not electronically generated documents.
Source: S. H. Smith & Company, Inc.
The Commonwealth of Massachusetts has extended by at least four months a deadline for businesses to electronically encrypt digital records of their customers’ personal information.
The law follows a several-year-long string of high-profile data breaches by both private and government entities, the majority of which involved the theft of portable devices, such as laptops.
Source: Insurance Journal 11-20-08
Over the past two and a half years, there have been over 225 million reported consumer data breaches. This year alone, there have been more than 30 million reported security breaches of consumer data. No one knows the actual numbers since it is suspected that most security breaches are unreported.
Most tech firms and regular businesses with exposure don’t have insurance to cover this expensive peril. Liability for the following categories of expenses is common in these breaches of security:
*Class action lawsuits
*Regulatory fines, fees, penalties
*Statutory notification expenses
Tech companies that collect confidential information or assist clients that do the same must make sure that their Professional Liability / Errors & Omissions policy is specially endorsed to respond to breach of security lawsuits. Non-tech companies with exposure must make sure that their Cyber Liability policy does the same.
Source: S.H. Smith & Company, Inc. E Bulletin, 10-19-08