According to a poll of business owners and risk managers, cybersecurity and data privacy are the most concerning business risks, over natural disasters, corporate liability and changing legislation or regulation.
Estimates indicate an average of three data breaches per day for small businesses alone.
To avoid a data breach, it’s important to understand any business can be at risk for the following:
• Social engineering, such as phishing.
• Outright intrusion (hack).
• Distributed denial of service, extortion.
• Email hacking, viruses, malware.
• Employees making simple mistakes, losing a laptop or accidentally sending information to the wrong address.
• Malicious or disgruntled employees.
• Electronic theft, loss of system resources.
• Third-party breaches, such as a trusted vendor or cloud breach.
Regulatory issues – Why pay attention?
In addition to federal laws dealing with privacy, such as HIPAA and HITECH, 47 states have passed privacy legislation.
The laws dictate what protocols a business must have in place prior to a breach; encryption requirements; and how and when notification must be made to affected parties.
Rhode Island’s newly strengthened Identity Theft Protection Act took effect June 28. Obligations placed on businesses include strong email encryption, safely destroying personal information as soon as it is no longer needed and notification within 45 days to anyone whose personal information may have been compromised. Businesses must also be able to justify the information collected and stored. Contracts with vendors, customers and service providers are under new scrutiny and internal policies and procedures must be documented and shared with all employees.
Any business that collects customer information has liability.
What costs are associated with the risks?
• Forensic expense.
• Notification expense.
• Legal expense.
• Customers’ credit monitoring.
• Regulatory fines and penalties.
• Crisis management services.
• Repair or replacement of servers, software.
• Loss of business income to contain damage, stop attacks and implement work-arounds.
What can be done to manage and transfer the risks?
Set strict procedures to protect confidential information. Train all employees to understand what constitutes protected data and to follow procedure when handling private data. Limit access to sensitive data and shred sensitive information when no longer needed. Engage legal counsel to ensure vendor contracts are updated to meet privacy and confidentiality standards.
Most importantly, transfer risk by purchasing cyber liability insurance. A comprehensive policy will provide the full spectrum of breach services: notification to regulatory bodies; notification to affected individuals; credit monitoring for affected individuals; regulatory fines and penalties; liability insurance; and first-party loss, such as damage to equipment, loss of business income and public relations crisis management expenses.
Susan Leeming is vice president of Risk Strategies Co.