Decoding the Five Myths about Security and Data Breaches

Dena Cusick, Technology, Privacy, and Network Risk Practice Leader, Wells Fargo

One of the most important jobs of an agent is educating clients on the risks they face and helping them understand how these risks are evolving. Data privacy is a rapidly evolving area with many misconceptions. Being aware of these misconceptions (myths) puts the agent at an advantage as they can explain, in relatable terms, why their client needs to be focusing on this issue.

Security and data breaches don’t favor one organization or industry over another, and are taking place every day. Companies should consider the “how” of a breach (as opposed to the “who”) to evaluate their exposure to a similar event. Over the past two years, retail organizations have been targeted heavily due to the volume of information in their care, custody, and control, including credit card information, confidential information for loyalty programs, and employee data. No company is immune – if you rely on technology to run your business or you store customer or employee data, you are exposed to network and privacy risk.

Until recently, many thought data and network security risk were trivial compared to other threats such as theft, slip and falls, and workplace violence. But with the compromising of data and computer systems occurring at much greater frequency, it’s one risk you don’t want to underestimate. Reputational harm stemming from a poorly managed breach can be catastrophic.

Consider the recent breach at the nation’s second-largest health insurer, which affected more than 80 million customers and employees. Many believe healthcare providers are soft targets due to a lack of technology, but a data security approach that focuses on technology at the expense of people and processes will not be effective.

Five myths you can’t afford to believe

1. Network security and data privacy are only a problem for large companies.

Data privacy and network security are concerns for organizations of any size. Rogue employees, data thieves, and unscrupulous business associates are looking for opportunities to take advantage of any weakness or mistake. Additionally, human error by negligent or careless staff accounts for a surprising number of breaches around the country. The costs incurred as a result of a data or security incident can be crushing, and small businesses are not immune.

2. We can afford to self-insure the risk.

With greater demands on limited budgets, many organizations spend less on discretionary items, such as certain lines of insurance. They wrongly believe that, if something happens, they can afford to cover the costs. The average cost of an insured breach in 2013 was $733,000, according to the NetDiligence Annual Claims study. While these costs can be insured, incident response expenses alone, including legal, forensic investigation, notification, monitoring, and public relations expenses, add up very quickly.

3. Insurance coverage is expensive and hard to get.

This perception was true ten years ago, but is not true today. Increased capacity in the market, claims experience, and a larger pool of buyers have made network security and privacy liability insurance coverage more cost effective and easier to obtain. Even with the recent proliferation of retail breaches, the insurance is more affordable and accessible than ever.

4. Our general liability policy will cover us.

General liability insurance typically covers bodily injury and property damage. The courts have consistently ruled that data is not property and is considered intangible. If you don’t carry specialized coverage for financial injury arising from a failure of security or a failure to protect confidential information, you’re probably exposed.

5. We have vendors who handle our sensitive information and credit card transactions; if they have a breach, it’s their problem, not ours.

This is not generally true. The data owner (the person or entity collecting the data) is ultimately responsible for what happens to that data. Therefore, a breach at a trusted contractor still triggers your notification obligations; this risk can’t be transferred to that vendor partner.

It is essential for organizations to adopt policies and procedures addressing information security, along with a concrete, comprehensive plan for incident response. Consider these questions to create “peace of mind”:

• Planning. What will you do if a potential issue is identified?

• Data identification. Do you know what data you have and where it resides?

• Education. Have you adequately educated your employees about their responsibility to protect private information?

• Access. Have you implemented standard procedures for the access to and use of private data? Have you limited access to data to a need-to-know basis?

• Contracts. Do you have procedures for managing your contracts with third parties, including indemnification and insurance?

• Encryption. Do you follow encryption standards? Do you restrict and/or encrypt data that is stored on mobile devices, including backup tapes? What about data at rest?

• Online information. Do you have a written policy regarding the dissemination of personal information on your public and social media sites?

• Financial impact. Do you have adequate reserves or insurance protection to manage the financial impact of a breach?

• Monitoring. How often do you monitor networks, websites, and databases to detect potential issues? How often do you monitor your vendors? Once a year is not enough.

Readiness is the most important step. Businesses can’t afford to “figure things out” after a breach occurs. It’s critical to have a ready-to-use incident response plan, an on-call forensics expert, and a privacy attorney on retainer. Then, when a potential issue is identified, an organization is ready to mitigate the effects of the breach and deter any potential litigation.

From a small burger joint in California to a local dental clinic in Washington, these data breaches are occurring. Organizations of any size need to be prepared for them as they are learning by watching the bigger breaches play out in the public eye. Transferring the risk brings not only financial security but also, in many cases, loss control services. Many carriers are offering value-add services with their insurance products that make the insured a better risk. It’s a win-win.
