Let’s take a moment to talk about one of the most feared issues facing businesses, governments and the medical industry today: a data breach.
It seems like every day we hear a news story about the theft of a database belonging to a major retailer, credit card company, hospital, health insurer or even the federal government. But what, really, is a data breach?
Margaret Rouse of WhatIs.com defines a data breach as an incident in which sensitive, protected or confidential data has been viewed, stolen or used by an individual who is not authorized to do so. These breaches may involve personally identifiable information such as social security numbers, addresses and driver’s license numbers. They can also include personal health information and medical records. The taking of a business’s intellectual property and trade secrets would also be considered a data breach.
Whichever of these occurs, they all have one thing in common: They are never good and are usually costly.
The most common form of a data breach is an attack by a cyberhacker, which often begins with a phishing email that an employee clicked on. The hacker intends to break into a corporate or government network to steal sensitive data. But not all breaches are of the dramatic “black hat” kind we sometimes hear about and see in movies and TV shows. For example, if a hospital, retail or other company employee who is not authorized to read certain data looks at it over the shoulder of someone working on a computer or reading a file, that would also be considered a breach.
There are a number of industry guidelines and government regulations in place to ensure compliance in the handling of personal and sensitive information. The most familiar of these is the health care industry’s Health Insurance Portability and Accountability Act (HIPAA), which defines who can view your health records. Anyone who has seen a doctor or been to a clinic or hospital has no doubt signed a HIPAA form.
Many of us may not be aware of it, but in the corporate world there is also something known as the Payment Card Industry Data Security Standard (PCI DSS), which dictates who may handle and use things such as credit card numbers, PINs and bank account numbers in conjunction with a person’s identity. If a company’s employee who is not otherwise authorized to use any of the information listed above were to do so, and their action causes a breach resulting in a theft, then that corporation or organization could face fines and/or civil or criminal prosecution.
It’s a good idea to teach employees about phishing emails and how to avoid them. Spotting one might be as simple as looking for misspelled words and sentences where the syntax is off, or noticing, when you hover over the sender’s email address or a link, that it is not what it appears to be. There are also programs that your IT department can install to help block some phishing emails.
Almost every company keeps some kind of sensitive or personal data in its files. This information is needed to process orders, service, payroll, billing, payment services, etc. However, if this data were to fall into the wrong hands, it could cause a lot of damage — the loss of your customers’ trust and business, as well as that of your employees and vendors, not to mention the cost of the security breach and possible civil litigation.
Especially during the pandemic, with such an increase in telework, telemedicine and remote learning, potential exposure is at an all-time high. To help businesses protect their data from harmful breaches, the Federal Trade Commission has developed a guide with five key principles for protecting personal information:
TAKE STOCK — Know what personal information you have in your files and on your computers. Any effective data security plan starts with assessing what information you have, where it is and who has access to it. This involves taking inventory of all computers, laptops, mobile devices, flash drives, disks and any other equipment that stores sensitive data. Talk to your company’s departments and staff and put together a complete picture of who sends sensitive information, how your business receives it, what kind of information is collected at each entry point, where it is kept and who can and should have access to it. Also check whether there are any laws in your area regarding data security.
SCALE DOWN — Keep only what you need for your business. If there is not a legitimate need to store this sensitive data, then don’t keep it. You should only hang on to this information for as long as it is necessary to conduct your business. Things like social security numbers should only be in areas that involve taxes and benefits and should not be used for things like employee ID numbers. Don’t keep credit card information if it is no longer needed after a sale or payment. Develop a records retention policy for what information will be kept and for how long.
LOCK IT — Protect the information that you need to keep. Many data compromises happen the old-fashioned way, with lost or stolen paper documents. Develop a security program for all sensitive paper documents, CDs, Zip drives, etc. Keep these under lock and key, and keep control of who has keys and how many keys exist. Institute a workstation security policy for when employees are away from their station, log-on and log-off procedures, and a clear desk policy. Any sensitive data in transit, whether by carrier or via the internet, should be encrypted or protected by PIN access. Many other methods can be implemented, such as restricting the ability to download software and enforcing secure password management.
PITCH IT — Properly dispose of what you no longer need. What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts, papers or CDs with personal information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. Dispose of paper records effectively by shredding, burning or pulverizing them before discarding. Make shredders readily available throughout the workplace, including next to the copier. If available in your area, contract with a licensed document removal company to dispose of your paper documents securely. When disposing of computers and portable electronic devices, make sure the data is wiped clean using data-erasing software.
PLAN AHEAD — Create a plan for responding to security incidents. Even when you have taken the steps necessary to protect your sensitive data, breaches can still happen. Have a plan to respond. Designate a senior member of your staff to coordinate and implement this plan. If computers are compromised, disconnect them from your network. Investigate where and how to close off the area of vulnerability. Have a list of who should be notified about the incident, both inside and outside your organization. You may need to notify consumers, law enforcement, insurance carriers, credit bureaus and other businesses that may be affected. Many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. You may also want to consult your legal counsel.
The Federal Trade Commission works to prevent fraudulent, deceptive and unfair business practices and to provide the marketplace with information that helps consumers spot, stop and avoid these actions. For more detailed information on the steps listed above, visit FTC.gov or call, toll-free, 1-877-FTC-HELP. The information is valuable, but it’s free.
Explore all your options for cyber and network data liability risk, because even with the best intentions, plans and programs implemented, you may still experience a data breach.
One way to protect your business when this does occur is to have a Network Data and Security Liability insurance policy in place. If your business uses the internet, then it is exposed to a cyber-risk that most likely is not covered under your current commercial insurance policy. In fact, typical general liability policies often do not cover activities associated with website publishing or network security. If that is not enough to convince someone to put this coverage in place, then consider the following: The average cost of a data breach is approximately $180-$200 per record.
How many customers do you have, and if there were a breach, how much insurance have you purchased for cyber exposures? According to a national survey, many businesses do not have tools or procedures like the ones described earlier in this article in place to detect identity theft, or a response plan to deal with the loss. Most victims do not even know that their data has been compromised until it’s too late. Statistics show that 86% of breaches were discovered by a third party and that 92% of breaches came from external sources — 80% of these from overseas and 58% from organized crime.
There are also regulatory requirements currently in place that apply to most businesses and organizations. Data breach notification laws are in effect in most states, and they require that customers be notified in the event of a data breach. The Red Flag Rule, now being enforced by the FTC, requires organizations to have identity theft protection programs in place or be subject to penalties and/or fines.
The compliance costs of notifying customers, as well as the risk of incurring fines and penalties, can and will drive up your costs, and the consequences could be even worse. So don’t leave your business unprotected. Telcom, in partnership with our insurance vendors Great American and Travelers, has insurance policies that can put protection in place for your business and your customers. Please contact your account executive or Telcom at TIG@telcominsgrp.com for more information on how to put this important coverage in place.