Cyber Liability is Our New Reality
By Reid Putnam, Vice President, Property & Casualty
Whatever your business, you’re in the business of keeping private information private, I tell our Gregory & Appel clients. It’s never been the easiest of tasks, but today, the challenge of preserving the privacy of employee and client information continues to loom larger and larger. An important part of our mission is “closing barn doors” in advance of any bad things happening. When a privacy breach does occur, everybody in your company needs to know exactly how – and with whom – to communicate. Here are the basic items that belong on every data breach to-do list:
Regulators must be notified.
- On a Federal level, that may involve HIPAA (the Health Insurance Portability and Accountability Act of 1996 established by the U.S. Department of Health and Human Services).
- On a state level, the Office of the Indiana Attorney General enforces the Disclosure of Security Breach law.
Things must be done for employees.
- All affected people need to be notified and a 24/7 call center set up.
- Credit monitoring services should be made available to those people.
Things that must be done to protect your company’s reputation:
- Your company may well need to hire PR and marketing experts to help restore its reputation.
Cyber-breaches are a form of “forced entry”, but it’s not always outside hackers doing the “entering”; employee theft all too often plays a role in information-related break-ins. R doesn’t come before I in the dictionary, but in our Gregory & Appel lexicon, risk-mapping comes before insurance. What are the particular exposures your business has – what is the likelihood of a negative financial impact from each one of those exposures? How does your business compare with your peer group (companies in your geographic area or competitors in your field)?
When it comes right down to it, there are only four ways to deal with risk: avoid it, accept it, mitigate it, or transfer it. There are some risks you might choose to simply accept as a cost of doing business. Other risks can be avoided or at least mitigated through internal controls. As an advisor, going through the risk mapping process with a client allows me to match various claim scenarios with insurance solutions.
Despite everyone’s best efforts, however, data breaches can and will happen. When they do (a point that’s crucial for me to get across to each of our business clients), the “fix” will probably involve more than one person and more than one department at your company. Information Technology, Operations, Human Resources, General Counsel – all might play a role.
It takes a village to handle a data breach, but with an action plan and the right coverage in place, your business can weather the storm.