The ever-growing use of tablets and smartphones in the workplace is exposing more and more businesses to liability for sensitive data being compromised if these devices are lost, stolen, or hacked. How can your company protect itself against this threat – and how much authority do you have over an employee’s personal device if it’s also used for work-related activities?
What’s more, because these gizmos are small and portable, it’s easy to misplace them. (The federal Transportation Safety Administration recently leased a warehouse just to store those misplaced or left behind at airports.)
Another emerging risk linked to these devices is a “bring your own” policy that many companies have adopted as a way to save costs by having employees spend their own money on smartphones and tablets that are constantly evolving and updated. This approach raises questions about separating company data from personal information on the device. For example, when an employee leaves, does a business have the authority to wipe the information from his or her smartphone? According to some authorities, if an employee connects a personal device to a company network, the company has inherited responsibility for the data stored on it.
To deal with this risk, you need to provide every employee who uses these devices with training, updated annually, on how to respond in case of loss or theft. To minimize potential liability for lawsuits by customers and clients, make sure that the individual responsible for the mishap informs management immediately. The compromised information might include everything from sensitive data (financial or medical) to contacts, photos, call history, and personal notes – you name it.
You can also use insurance to protect yourself against losses from data breaches. A policy will provide liability coverage that deals with legal costs and third-party expertise (such as forensics firms to analyze a breach and call centers to provide information and public relations). Coverage might also include services such as access to tools to estimate costs, a checklist for your planned response to a data breach, and access to experts who can answer questions and review your company’s policies and procedures.
For more information, feel free to give us a call. (877)994-6787
By the end of 2009, 45 states, the District of Columbia, and two U.S. territories had enacted laws requiring notification of security breaches involving personal information. New York’s law is typical. It requires businesses that own or license computer data that includes private information to disclose any security breach of the system to any state resident whose private information the business believes was accessed without authorization. The businesses must provide the notice by mail, phone or e-mail as soon as possible after discovering the breach, inform the state government of the notices, and inform consumer reporting agencies if the breach affected more than 5,000 residents.
Notifying the victims is only one of the costs that businesses suffering security breaches can expect. They might face lawsuits from the victims, fines from regulators, and serious harm to their reputations. Lockton International has estimated the cost of a security breach to be $15 per person affected. Lockton issued a paper in 2010 that discussed several ways that businesses can avoid cyber attacks and handle those that do occur, including:
1. Assemble a multifunctional team to identify cyber risks and develop plans for preventing attacks. The team should include individuals responsible for legal compliance, risk management or insurance, information technology, procurement of vendors, and operations.
2. Comply with applicable federal and state laws and regulations, including HIPAA (which applies to security of private health information) and the Gramm-Leach-Bliley Act (which applies to private financial information).
3. Manage vendors that have a high risk of data security breaches, including payroll companies, credit card processors, and accountants. Require them to meet legal and industry standards, obtain insurance against security breaches, and indemnify the business from related losses.
4. Manage the people as well as the system. Train and educate employees on system security, monitor them for poor security practices and possible malicious acts, and verify that they have not installed unauthorized software that would increase vulnerabilities in the system.
5. Regularly test the system and repair security problems. Perform internal tests, external system penetration tests, scans for viruses and other malware, and evaluate work processes.
6. Encrypt private data on the network, while it is being e-mailed or transferred another way, and while it is on laptops, smart phones, and other mobile devices.
7. The team should develop a plan for effectively responding to security breaches.
As more businesses become aware of their exposure to data losses, insurance companies are beginning to offer specialized policies to cover these incidents. An electronic data liability policy covers a business’s liability for damages resulting from accidents, negligent acts, errors or omissions, or a series of these, leading to a loss of electronic data. Coverage applies to claims made during the policy period for losses occurring on or after a date specified in the policy. Another policy offered by specialty insurers covers a business’s lost income and extra expenses resulting from harm to its reputation after a security breach.
Most businesses and organizations today have some exposure to loss from cyber risks. Just as they try to prevent fires, car accidents, and workplace injuries, businesses must make preventing data security breaches a standard part of their operations. Speak with our professional Protection Coaches about the insurance you might need when breaches occur. With proper loss control and the right insurance, a business can survive a cyber attack.
Here are 4 easy ways to reach our Total Protection team if you have any questions or would like to review any protection:
1. Call 877-994-6787 or 951-600-5751
2. Fax 951-677-6265
3. Email firstname.lastname@example.org
4. Visit us on the web – www.SIAonline.com