Canadian Underwriter
Feature

Canning Breaches


August 1, 2015   by Greg Meckbach, Associate Editor



Liability risk arising from information security violations is on the radar screen of many commercial insurance providers.

Despite the widespread use of the term “cyber,” some of the critical risk mitigation tactics have little – if anything – to do with computer technology.

In a recent report, ABI Research predicts the global market for cyber insurance will reach US$10 billion by 2020, driven by the “escalating costs associated with cyber breaches and attacks, pushing risk management strategies to increasingly transfer risks to providers.”

A computer connected to the Internet “is also connected to millions of other connected computers,” which can allow hackers to connect to a specific computer, warns the United States Computer Emergency Response Team (CERT), which has some simple computer security recommendations. These include installing firewalls, keeping all software (including operating systems and anti-virus) up-to-date and not installing software unless it is deemed necessary.

One question a risk manager might ask is whether or not CERT’s recommended practices are applied to every single computer in his or her organization.

One firm affected by an IT security breach was Home Depot. That incident affected millions of customers’ credit and debit card accounts.

So do risk managers need to become experts on computer hacking?

While it is prudent for any organization to have an employee or contractor with IT security expertise, it is noteworthy that not all privacy risk stems from a lack of technology prowess.

Two years ago, federal employees lost a portable hard drive containing personal information on about 583,000 Canada Student Loan borrowers. This was not a technology failure per se: had a paper file containing the same confidential data been lost, the government would have faced the same problem.

These types of privacy breaches can pose a bigger problem with the passage, on June 18, of Bill S-4, the Digital Privacy Act. That law essentially requires organizations to notify individuals when their personal information has been lost or stolen and there is a potential for harm.

On top of that, organizations “must retain records of data breaches of any kind,” Privacy Commissioner Daniel Therrien told a House of Commons committee earlier this year. “We will be able to review their records to determine whether or not appropriate breach notification has occurred,” Therrien said.

In addition to the cost of data breach notification, companies can face lawsuits for “intrusion upon seclusion,” which was recognized, in 2012, as a tort by the Court of Appeal for Ontario.

In intrusion upon seclusion lawsuits, damages of $10,000 to $20,000, per individual, can be awarded for mental anguish, even in cases where there is no economic loss, Katie Andruchow, national cyber expert for Aon Reed Stenhouse Inc., told attendees at a recent seminar hosted by the Canada chapter of the Professional Liability Underwriting Society (PLUS).

More than half of the breach notices that American International Group Inc. receives, in North America, have to do with “operational failure, not technology failure,” said David Price, AIG Canada’s financial lines leader, at the PLUS seminar.

“The technology works fine,” Price noted. “It’s the practice of a senior executive not following protocol. It’s the CEO writing his password on his computer. It’s people leaving briefcases on planes, trains and automobiles.”

There are some simple questions risk managers could ask. How much time is dedicated, during the new employee orientation process, to train every new worker on the organization’s information security rules? Does everyone know exactly what data must be kept secure? When employees take work outside of the office, who is checking to ensure that confidential information is adequately protected? Getting answers will not eliminate cyber risk, but it is certainly a good start.

