Small Businesses Confront Big Cyber Risks

September 7, 2009

The theft of personal and private data, from credit card information to Social Security numbers to health information, is a thriving global crime, and it is fed by data security breaches that cost companies millions. The number of reported data breaches rose sharply in 2008, up 47 percent from the prior year, according to the Identity Theft Resource Center. And because many incidents are never disclosed, the true number is higher still: network security breaches are notoriously under-reported.

With human and financial resources stretched thin, a company becomes more susceptible to lapses in the procedures intended to keep personal and private information secure. Layoffs, furloughs and pay cuts have left many employees disgruntled, and some are willing to take desperate measures for profit, which makes the insider threat as real as the external one.

Smaller and privately held companies are especially vulnerable. Hackers know that larger companies are likely to have a cadre of risk management, IT and network security experts guarding against data breaches, while smaller companies often have a fraction of the IT infrastructure and budget. Smaller companies also lack the financial cushion to absorb the steadily rising cost of a data breach incident.

The High Price of Cyber Risk

The Ponemon Institute's Fourth Annual U.S. Cost of Data Breach Study put the average cost per data breach incident at $6.65 million in 2008, up from $6.3 million in 2007. That translates to $202 per compromised customer record.

For the e-tailer ringing up just 10 sales a day, that is roughly $700,000 if a year's worth of records is breached. For the MRI facility logging 15 scans daily, the cost can exceed $1 million for every year of patient records compromised. And that is small potatoes compared with what costs can reach when litigation looms. The Department of Veterans Affairs famously settled a case involving a single laptop stolen from an employee's home for $20 million, even though there was no evidence that the thief had misused any data from the laptop.

What's behind these escalating costs? First, a company whose data is breached can face substantial expenses just to notify affected customers. Forty-six states require businesses to alert customers when "personally identifiable information" is compromised, and the definitions, deadlines and notification formats vary from state to state. (State-specific notification regulations are available at http://www.beazley.com/databreachmap.)

When customer credit card information is involved, the victimized business may also face claims from banks for the cost of issuing replacement cards to customers, which can run $10 to $20 per card, according to America's Community Bankers. Businesses hit by cyber incidents typically incur credit monitoring expenses for those whose data is compromised as well, and many hire public relations and crisis management specialists to stem the damage to consumer confidence.

Tightening Regulations

State and federal governments are now calling on U.S. companies to do more than ever to protect the information entrusted to them. In the most sweeping state-level development to date, Massachusetts is requiring every business that holds personal information on state residents to do everything from developing a written data security program, to monitoring employee access to that information, to encrypting personal information stored on laptops and other portable devices.

New federal regulations are taking hold as well. Effective Nov. 1, 2009, the Federal Trade Commission's Red Flags Rule requires financial institutions, health care providers and other businesses that extend credit to customers to implement written programs for detecting the warning signs ("red flags") of identity theft early.

What’s a Small Business to Do?

Prevent and protect is the mantra for any business that holds or maintains personal or private information of any type, whether bank account numbers or medical data. As with any serious business risk, proactive risk management and loss prevention are paramount to avoiding losses and mitigating damages. A business owner's first line of defense includes core risk reduction measures such as:

  • A comprehensive risk and vulnerability assessment, so the business knows what sensitive data it holds, where it lives and who can reach it
  • Sound security and privacy policies, from password management and access controls to formal policies prohibiting employees from releasing customer information over the phone
  • Employee training and education on proper data security practices
  • Incident response planning, encompassing elements such as notification processes, forensics, and the media aspects of an incident
  • Technical security controls, e.g., firewalls and encryption software for laptops and other portable media.

Fortunately, as awareness of cyber threats to smaller, private businesses has grown, so has support for this sector from the insurance community. Cyber insurance programs can serve a dual purpose: supporting a company's loss prevention and compliance efforts, and mitigating the financial impact when a breach does occur. For optimal value and optimal protection, look for coverage that encompasses:

  • Legal liability for:
      – Theft, loss or unauthorized disclosure of personally identifiable information
      – Failure to comply with state data breach notification laws
      – Content the insured publishes on its Web site
  • Fees and penalties arising from failure to comply with privacy policies and/or to administer a government-mandated identity theft prevention program
  • Costs to defend regulatory proceedings arising from violations of privacy laws due to a covered theft, loss or unauthorized data disclosure
  • Expenses to comply with state notification regulations, plus fees for legal counsel
  • Credit file monitoring for victims
  • Services of computer security experts to confirm that a breach occurred and determine its cause.

Companies can also look to their insurer and insurance broker to ease the complex burden of managing cyber risk. Insurers are providing small business policyholders with access to information and resources that help reduce exposure, such as:

  • Tools to assist in assessing risk and implementing risk management procedures, from employee training to incident response plans
  • Expertise in areas such as health care and HIPAA compliance and computer forensics
  • Federal and state compliance information
  • E-alerts on legal, regulatory and other issues surrounding data security and privacy.