Lurking Cyber Risks
A family-run crafts store opens in a strip mall and, after much hard work and long hours, begins to flourish. The store takes credit cards, contracting with a merchant bank to handle the logistics. The tech savvy teenager of the family soon launches a Web site to give the store an Internet presence.
Mom learns to track the money with a popular bookkeeping program, and Dad handles inventory with a database.
A company like this small shop may think that cyber risks have nothing to do with its business, particularly if technology plays very little role in its operations.
In today’s world, however, commerce is tightly tied to electronic transactions, and even the simplest storefront often decides it is smart to post a Web site. In both cases, a company can be exposed to risk that is not covered by general liability insurance.
Agents and brokers who are aware of cyber risk liabilities can build their role as a trusted advisor to differentiate themselves with both prospective and current customers. By understanding the issues surrounding protection of private information and infringement of intellectual property rights, agents can offer expertise that sets them apart from their competitors.
The Privacy Issue
The disclosure of private information — credit card numbers, birth dates, Social Security numbers and other identifying data — has become a major concern for consumers, businesses and government regulators. A few statistics can be shared with customers to indicate why:
Identity theft in 2005 resulted in corporate and consumer losses of $56 billion, according to a paper presented at the June 2008 Workshop on the Economics of Information Security.
The same workshop presentation noted that 30 percent of known identity theft cases began with a corporate data breach.
The Privacy Rights Clearinghouse, which keeps a running tally of all known data breaches in the United States, estimates that almost 237 million private records had been compromised over a three-year period ending in August 2008.
The average cost for a company to deal with a data breach was $6.3 million in 2007, with an average cost of $197 per compromised customer record, according to the Ponemon Institute’s annual study of data breach costs.
In 87 percent of data breach cases, loss of data could have been avoided if reasonable security controls were in place, according to a 2008 Data Breach Investigations Report on more than 500 cases.
While people most often associate data breaches with malicious attacks on computer systems, a much more common source of problems is the loss or theft of a laptop or portable hard drive. Data theft can come from inside, such as a disgruntled employee downloading records to a portable device and taking them home, or from external sources such as thieves or hackers.
One newly emerging source of data breaches is employee participation in file-sharing sites. In an example that made headlines in July 2008, Supreme Court Justice Stephen Breyer was among those whose data was exposed when an employee of an investment firm signed up on a file-sharing network. The month before, 1,000 patients at Walter Reed Army Medical Center had their medical records and Social Security numbers exposed in a peer-to-peer data breach. And a Seattle man was sentenced to 51 months in prison in March for using file-sharing networks to collect information on 50 people and opening fraudulent credit lines in their names.
In response to statistics and incidents like those above, the federal government and — at last count by the National Conference of State Legislatures — 44 states have enacted legislation to regulate how data must be protected and what steps companies must take when data breaches are discovered. Because states have taken individual action, there is no one template for how to comply with requirements, but in general companies must alert customers when their confidential information has been exposed to others.
In addition, companies may be affected by different laws, depending on their industry classification. For example, those who are connected to medical fields may be subject to the provisions of HIPAA (Health Insurance Portability and Accountability Act). Also, different industries may have issues that make data protection more difficult. Universities, for example, create open environments where students, professors and others have extensive access to systems, making it more difficult to segregate sensitive data effectively.
Complying with state laws can be costly since they often involve required mailings to individual customers, as well as an offer of identity theft prevention services for some length of time. In addition, a company can suffer a number of other costs that may be less noticeable but are still very real: legal, investigative and administrative costs, possible customer defections, reputation management and more.
Three Solutions to Data Breach Issue
An agent can offer customers two good solutions and one fall-back position to address the threat of data breaches.
The first solution is to stop data breaches by implementing loss-control initiatives. These include steps such as using strong firewalls, encrypting information, and keeping current on security patches for all applications and operating systems. Protocols should be established for those who have access to sensitive information, whether it can be transferred to portable devices and who is responsible for monitoring security. Employees should be trained to follow the protocols.
The second solution is to make sure coverage is in place when the loss-control initiatives fail to protect data. Coverage at a minimum should include network security coverage covering failure to prevent unauthorized access to or use of electronic data containing private information and reimbursement for the cost of notifying customers and complying with state and federal data breach laws. Policies also can be expanded to cover expenses of crisis management services.
The third, fall-back position? Hoping that a data breach won’t happen — and then being sorry when it is too late. An agent can help a customer understand why this is a costly gamble by pointing to statistics and the examples above.
The Intellectual Property Issue
Another issue that often catches small businesses unaware is the protection of intellectual property, especially the inadvertent violation of copyrights or trademarks without permission of the owner. This can come up when Web sites are populated with music, photos or software that the Web designer is able to pick up from the Internet. It can also occur when a business makes a brochure with business logos of others (such as vendors or suppliers), clip art or generic photos found on the Internet.
One example is a company that hired a creative team to put together a Web site that would attract new customers. The company loved what the team did, but wondered who they had asked about using a major rock group’s song for background music. The reply: They hadn’t asked anyone because they knew how to clip the song from a site — and were completely unaware that they had to get permission.
The important advice for agents to give customers is that just because something is accessible or downloadable does not mean the author or creator has given permission for its use. Using something that one does not own or have rights to use can prompt a reaction as simple as a lawyer’s letter asking that the material be removed (which may be costly when it comes to redoing brochures) or costly litigation.
Missteps can be serious matters. The solutions for protecting small businesses from these risks include: always get permission from the creator of work that is being used; have all Web content reviewed by legal resources for potential violations of intellectual property rights of others prior to posting the content on the Web; and consider purchasing a policy that specifically covers violations of intellectual property rights such as copyright, trademark, and trade dress, which is commonly referred to as communications and media liability coverage in today’s market.
The Agent as a Trusted Expert
A business that does not have a huge data center or a sophisticated Web site may not stop to think about its cyber exposures. By explaining the risks and potential liability, and by customizing examples so they are relevant to the specific business, an agent can begin to build the role of trusted expert. Then by identifying any gaps in coverage for the customer that only has a general liability policy, the agent can offer solutions from a smorgasbord of policies, including cyber risk and communications and media liability.
Every day brings new stories about confidential information that has been exposed. And in a YouTube world, it is tempting to borrow whatever video or music clips would make a business stand out with a creative Web site.
An agent who reminds customers of the perils involved and the solutions at hand can move from being simply a salesman to a valued partner in protecting their business.
- Insurer, Contractors Allege Staged Injury Claims Scheme Under New York Scaffold Law
- Gunmaker Sig Sauer Must Pay $11 Million Over Pistol That Fired Accidentally
- Class Action Lawsuit on AI-Related Discrimination Reaches Final Settlement
- Miami Insurance Agent Pleads Guilty to Keeping $6M in Premium Finance Loans