Protect Your Business From Data Breaches and Cyber Liabilities
July 14, 2014
Every day businesses become more and more reliant on computer technologies, systems, and records. At the same time, incidents of data breaches and cyber-attacks have risen dramatically, exposing companies to increasing risks, costs, and liabilities. Organizations must assess their existing risk management programs and ask whether they are prepared for a breach. In most cases, the answer is no.
While there is no one-size-fits-all solution to this growing problem, businesses should proactively manage their risk on the front end by implementing a well-thought-out internal response plan and engaging in a comprehensive review of current insurance coverage. For many companies, purchasing separate cyber liability insurance may be essential, as traditional commercial policies are unlikely to cover losses resulting from data breaches.
A data breach is an actual or suspected unauthorized disclosure of an individual’s name and financial or medical information. There are three main causes of a data breach: (1) malicious hacking or cyber-attacks, (2) system glitches, and (3) human errors (such as emailing the wrong person or losing a computer). The public perception is that only large companies are at risk. However, small-to-medium-sized businesses are also vulnerable. According to the Massachusetts Attorney General’s Office, the number of reported data breaches in Massachusetts more than tripled between 2008 (384 breaches) and 2013 (1,174 breaches). Organizations experiencing those breaches range from the largest in Massachusetts to small businesses with only one or two employees.
In the event of a data breach, businesses face a number of major costs and risks. According to Ponemon Institute’s 2014 Cost of Data Breach Study, the average cost in the United States for each lost or stolen record is $188, while the average number of compromised records per breach is 29,087. The initial cost stems from the expense of investigating and remediating the breach, which often requires the assistance of outside computer forensic consultants. When a breach is discovered, there is also a legal obligation, in Massachusetts and virtually every other state, to promptly notify all individuals whose information was obtained, as well as certain governmental agencies, such as the Attorney General’s Office. Companies may also encounter reputational damage, negative publicity, and loss of customers, the cost of which is difficult to quantify. In addition to these first-party liabilities, there is also risk of third-party liability in the event of a lawsuit brought by the individuals whose personal information was compromised.
To protect your business, it is extremely important to manage these cyber risks proactively before it is too late. The first step should be to review internal practices and procedures and plan for how to respond when a breach occurs. Management should work with personnel in IT, finance, and human resources, as well as legal counsel, to understand how the company’s specific line of business impacts its cyber risks and the potential losses it may sustain in the event of a data breach. Retail and healthcare, for example, tend to have greater cyber risk because they typically maintain sensitive financial and medical information with high value to hackers.
Once the company has identified its risk profile, the adequacy of network safeguards, such as anti-virus software, should be reviewed and updated to account for technological advances. A written response plan should also be developed so that if a breach occurs the company can quickly diagnose the issue, regain security, and get the business back on track.
While implementing these security reinforcements will help protect against cyber risks, insurance is an equally important consideration. Recently, a federal judge in New York ruled that losses resulting from a hacking incident were not covered by a commercial general liability (CGL) policy. Insurers have taken it one step further. As of May 2014, the Insurance Services Office (ISO) rolled out mandatory CGL policy endorsements broadly excluding data-related losses as well as those arising from disclosures of confidential or personal information.
Insurers are now offering alternative coverage for cyber liabilities through separate stand-alone insurance policies or as endorsements to existing policies. The coverage varies among insurers and can be tailored to the particular risk profile of the company. In general, these policies are designed to cover most of the first-party and third-party losses discussed above that may result from a data breach. Businesses at risk of a breach should take a close look at the products available on the market and consider whether those products can help them in their cyber risk management plans.
If you have any questions or need additional information regarding this topic, please contact Rosanna Sattler at firstname.lastname@example.org.
Client Advisory is provided for information purposes only, and does not constitute legal advice. According to Mass. SJC Rule 3:07, this material may be considered advertising. ©2014 Posternak Blankstein & Lund LLP. All rights reserved.