The true story of a firm that said, “This will never happen to us.”
Sometimes you get the feeling; you know the one. Something is wrong, but you can't put your finger on it.
Your first call of the day was from one of your biggest clients, asking if you had added a charge to her company’s credit card. You told her no and dismissed it. Just a few minutes later, your office manager told you about two similar calls he received.
Then you are visited by a local detective, and she delivers the bad news. There has been an information breach, and she has traced it back to your business.
You immediately call your IT guy. He tells you that he used the most up-to-date security protocols and the same security software used by “the big guys” like Zappos, Target, Neiman Marcus and Citigroup's Epsilon email marketing. He assures you that he will check, but he is sure all is well. After about five minutes, he returns the call. Your system was indeed breached, and all your files were copied last week even though there is no visible evidence of a hack now.
He reads you the terms of the agreement you signed holding him harmless. As you hang up, your mind starts to race. What happened? Was it negligence? Perhaps a lost laptop, smartphone or flash drive?
Could it have been one of your employees? Someone you fired? Maybe a temp? You recall seeing a temporary employee using a flash drive. What was he doing with a flash drive?
You panic as you reach into your pocket; you sigh in relief when you find that your personal flash drive is still on your key ring. But have you ever given those keys to employees, a friend who borrowed your car or a valet who parked it? Maybe it wasn't your firm at all; maybe it was a business associate or vendor. Your payroll service has access to your files, as does your accountant. But how do you prove anything? Where do you go? What do you do?
From this point on, without a good information breach policy, the costs are all your responsibility. You must now pick up the phone and call your own attorney. Once the niceties are over, you hear the familiar beep, telling you that from now on, you are on the clock. It is possible that your attorney will inform you that this is a bit out of his realm too, and refer you to another lawyer who specializes in information breaches — who likely charges a higher rate.
It is possible that your firm did not cause the breach, but to find that out, you must now hire someone to perform a forensic cyber audit. The good news is that since you are acting quickly, the cost of the investigation (according to a 2012 Zurich Insurance study) will only be $175 per record. If you wait a week or more, the cost will be closer to $300 per record.
Now for the tough part. You must now notify your clients, past and current, depending on your state. That notification can cost you from $1 to $50 per client. If the breach was large enough and you have a massive client base, you may have to employ a call center to take calls to explain the situation.
Finally, when you think you have the situation contained, a reporter from your local newspaper is on the phone, telling you he is about to run a story about a massive information breach that your office has suffered. After your, “No comment,” you decide to find a public relations firm to handle the press and other fallout.
Recently, the most notable information breaches in the United States took place at Target, Neiman Marcus, JP Morgan and Citigroup. And according to Property Casualty 360, the threats reach far beyond big retailers.
The formation of information breach/cyber security policies is fairly new, but the epidemic of information breaches all over the world has hurried their development. Policy sophistication ranges from an endorsement you can add to your business owner's policy to a standalone policy that helps protect the world's financial center.
The endorsements that many insurance companies offer as add-ons to package policies are merely bags of money available to you should your company's confidential information be breached. The issue left is what to do with the money, should you need it. The more sophisticated products will offer you additional benefits, including public relations support.
First, your firm should do a cyber-risk analysis. There are many insurance agents who will evaluate your firm's odds for a breach and provide an estimate of the potential costs should one occur.
Next, you should evaluate your firm’s strengths and your jurisdiction. If you have a large firm and if its talents include public and media relations, you can probably opt for one of the less pricey policies.
Smaller firms with fewer personnel are rarely geared toward media and PR. As such, smaller firms may want to select a policy that can provide both money and expertise to deal with cyber security problems.
Breach coverage today stands about where pollution insurance policies stood in the 1970s. Until there are more uniform laws and penalties, it will be difficult to evaluate the best coverage options.
Jurisdiction will play a huge part in coverage selection. Currently, there is no consensus. Each state has a different definition of "personal information," and each has its own ideas of what penalties should be, what action should be taken, and — very important for an insurance policy — what officially triggers an information breach. Baker Hostetler LLC offers an excellent guide and reference material on these points for your state.
Many carriers now offer insurance products for breach protection. Some who came in early (between 1983 and 1985) completely miss the mark, offering “property” protection for vandalized websites and coverage to rebuild and repair, ignoring the liability exposure.
CNA, The Hartford and Beazley (at Lloyd's) are the most notable options. Beazley has started to target individual businesses and specific industries. Currently, the company offers a product for doctors', dentists' and other medical facilities. This product covers both information breaches and any HIPAA violations.
Estimate your cyber exposure and possible risk with a professional evaluation. A good information breach insurance policy, tailor-made for your firm, could have helped you in this damaging hypothetical situation.