March 27, 2014 by Matthew Davies
News of the latest cyber breach has become a near daily occurrence. Financial institutions, healthcare organizations, educational institutions, retailers and other commercial enterprises all have been victimized; so have clients, customers and employees, whose privacy may have been violated by a breach.
The incidents that get public attention are just the tip of the iceberg. Many more cases don’t become public knowledge—either because there is no legal requirement to notify affected parties in most provinces in Canada, or because organizations fear reputational damage if they publicly disclose the event. As we continue to rely more and more on digital data records, cyber risk is an exposure that all commercial enterprises should anticipate and plan for—through enhanced policies and procedures, and appropriate insurance coverage.
There are many authoritative surveys on the Internet about the direct cost of cyber losses. It is clear from any of those studies that the frequency, scope and costs of privacy or network security breaches are increasing.
These surveys also demonstrate that no industry is exempt, and there is no monopoly on breaches when it comes to the size of an organization. Even organizations that may not have retail customers face the risk of a data breach and the loss of personally identifiable information (PII) because they have employee records.
Incursions from the outside are definitely a risk. But there’s another threat companies also need to be concerned about. According to The Ponemon Institute’s 2013 Cost of a Data Breach Study, more often than not, human error or system problems (59%) are the culprit in a data breach.
Information is an enterprise-wide asset that needs to be secured with appropriate physical and IT solutions, including protocols that require ongoing monitoring (e.g., antivirus, firewall, penetration testing, intrusion and extrusion detection software) and regular updating as technology and data use evolves. Equally important are clear employment policies that address the vulnerability of a company’s data. Employees need to be trained and monitored to ensure compliance.
Smart phones, high-powered laptops, tablets, and USB flash drives, to name a few personal electronic devices (PEDs), have rapidly changed how we interact. These devices are highly portable, inexpensive and connect easily with internal and external corporate networks. Many corporate policies (if they exist) allow employee-owned PEDs to connect to corporate networks. For instance, an employee inserts a memory stick from home into their company laptop to download some photos, not realizing that a virus has infected the files. The virus migrates into the company’s network and a network security breach is born. The loss of a memory stick can also have significant consequences, as with the well-publicized Elections Ontario breach that involved two missing memory sticks containing 2.4 million records.
While there are many advantages to allowing employees to bring their own electronic devices to work (i.e., a “BYOD” policy), there are also many risks. The line between work and personal use may get blurred, and employees may need to redefine their expectations of privacy. Using a PED for work may expose the company to loss of records when an employee changes jobs and the company does not have a clear right to wipe data from the now former employee’s PED. The 2012 Dimensional Research global survey of IT professionals by Check Point indicated 65% of companies allowed personal devices to connect to their networks, a total that is growing; 47% said PEDs stored customer information and 71% said PEDs increased their risk of security incidents. In a study by Kroll Advisory Solutions, the 2012 HIMSS Analytics Report: The Security of Patient Data (April 2012), 22% of respondents reporting a breach in the health care sector attributed the event to lost or stolen PEDs, up from 11% in 2010.
Another trend underlying cyber breaches is the increasing reliance on cloud-based services. Using Internet-based software or storage options offers great economic advantages; but again there are risks that need to be addressed. When data is stored on the Cloud, executives can never be completely certain that the data is safe at a third-party site since it is out of their control. When considering using a cloud provider, ask: What are the cloud provider’s security measures? If the cloud provider changes ownership, do you know where your data is stored? If the cloud provider suffers a business interruption, will your data or software be accessible, or will your business operations also be interrupted?
The regulatory environment around data protection is also changing. Some privacy regulators in Canada have (sometimes limited) legislative powers to impose fines or penalties against targets of their investigations. All Canadian privacy regulators also have what is, perhaps, the more important ability, to publicly shame organizations that they find have lacked reasonable controls to prevent or contain a breach.
According to Adam Kardash of Heenan Blaikie, whose law practice is centred on privacy issues, when Canadian regulators investigate a privacy breach they will require the affected organization to produce evidence that it had a security incident protocol, an information security governance program, that it was monitoring staff to ensure compliance with that program, and that the staff were regularly given awareness training so that they understood their responsibilities to protect PII. A negative finding from a Privacy Commissioner investigation could increase the impact of any reputational damage to the organization and may affect liability exposure arising from the event.
As data breaches have grown in number, the costs associated with a breach have risen, too. The costs of a data breach can be crippling, especially for small to mid-sized companies that may lack the financial backstop to pay for the expenses associated with a breach. While the restoration of security is paramount, it may only be a first step and part of the cost of an occurrence to an enterprise.
Certainly remedial work has to be done on servers and data files. Notifications might also have to be made to those affected, such as employees or customers. For example, if a company is required to notify 5,000 individuals whose PII is stolen or lost, and provide 10% of those people with monitoring services, the costs to the company might approach as much as $40,000 to $50,000.
The interruption of routine business and possible legal actions by customersfor their costs can also add to the expense and pain of a breach. A breach may cause reputational damage, which could require the company to hire public relations professionals or other consultants to help mitigate the damage. There may also be soft costs, such as the loss of employee productivity and management focus as individuals address the breach and the loss of prospective business due to consumer confidence issues.
Effective IT techniques can help reduce the risk of a data incident, and these need to be constantly reviewed and updated to address changing technologies and threats. Companies should seek to work with their internal IT experts, as well as experienced external experts, to implement these safeguards (i.e., firewalls, virus detection software).
Readiness is key to mitigating the risk of a data breach and the ensuing damage. Amongst other recommendations, PwC, in their study Defending Yesterday, suggests companies should consider establishing:
Since it is often not a matter of “if” a data breach will occur but “when,” companies may also want to consider implementing some type of risk transfer through cyber insurance.
Subject to the terms, conditions and exclusions found in traditional insurance products, such as a general liability (GL) or an errors and omissions (E&O) liability policy, there may be coverage for third-party liability exposures arising out of a privacy breach. Under commercial property insurance, there may be gaps in the business interruption coverage grant when a cyber attack causes a denial of service that adversely impacts an organization’s operations. Unless first-party direct cost coverage (e.g., the cost to notify affected persons) is specifically added by endorsement to a GL or E&O policy, then there is no expense coverage found in many base policy forms of such traditional insurance products.
Cyber insurance is designed to respond to direct costs incurred on a first-party basis following a breach, as well as to third-party liability claims arising from that situation. That can include a business interruption and extra expense response to a cyber attack, which in and of itself may be a very influential reason to buy cyber insurance.
Brokers need to understand their clients’ vulnerabilities and reliance on data to assess the need for a separate cyber policy. In some instances, a company’s impetus for considering a cyber policy may stem from a new customer contract that insists on this coverage. But brokers should also be aware that a client may have new risks, such as a BYOD policy, that also need to be considered.
If there is any doubt about the risk of a data breach, a quick Google search for “privacy breach Canada” can yield more than seven million hits. Companies need to be prepared. This exposure may continue to grow as our appetite for data relating to employees and customers grows and as devices that can access that data proliferate.
Copyright 2014 Rogers Publishing Ltd. This article first appeared in the February 2014 edition of Canadian Insurance Top Broker magazine
This story was originally published by Canadian Insurance Top Broker.