Data security breaches are now a frequent fixture in the news. The Panama Papers scandal is just the latest example of the damage that can be caused by a data breach. According to the experts, it is not just IF a data breach will occur but WHEN.
In recent years, large-scale data breaches have hit Home Depot, Target, Neiman Marcus, Sony, Amazon, Ashley Madison, numerous healthcare companies, and the Federal Government. However, every business—big or small—is vulnerable to cybersecurity threats. The average data breach costs $5.4 million and takes 24 days to resolve, but as many as 70% of cyber-attacks are said to go undetected.
The National Institute of Standards and Technology defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” As part of cybersecurity, businesses should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.
How do data breaches occur?
Consider the following scenario. ABC Collections Company specializes in medical collections and collects for hospitals and other medical providers nationwide. Due to a minor mistake, ABC’s entire database of personal health information (known as PHI) is accessible to hackers and anyone else on the Internet for a four-month period. What is the potential exposure to ABC?
Large-scale data breaches are the digital equivalent of carefully planned heists. The perpetrator researches the target institution and assesses what valuable information can be stolen. The hacker then gains access to the network by exploiting security weaknesses through phishing, malware, etc. Targeted data is copied, extracted from the target network, and finally exported to the hacker. The final phase of the breach is data release, when the hacker posts the stolen information on the dark web or ransoms the company. Data release is usually the first time a company becomes aware of the breach—after it has occurred. To combat cybersecurity threats, companies must implement a comprehensive cybersecurity plan that focuses on preventing and responding to a data breach.
Now assume ABC has insurance in place that it believes will cover the damages caused by the data breach. Even if ABC is correct, does the insurance cover the cost of notifying the millions of consumers of the potential breach? Does it cover the cost of business interruption while the company is required to devote valuable resources to the investigation that must follow a breach? These represent only a sample of the issues companies should consider when evaluating available insurance covering data breaches.
Cybersecurity Best Practices
The best way to mitigate cybersecurity threats is to plan as if the organization will be hacked. Develop a cybersecurity plan to mitigate the risk of a data breach and reduce damages if disaster strikes. In response to the growth in volume and sophistication of cyber threats, the Securities and Exchange Commission and the Federal Financial Institutions Examination Council (FFIEC) have created various tools – available at https://www.sec.gov/spotlight/cybersecurity.shtml and https://www.ffiec.gov/cybersecurity.htm – to aid financial institutions and their third-party service providers in identifying, assessing and mitigating cybersecurity threats. While many of these strategies are designed for financial institutions, they are useful for other businesses as well.
Companies should begin by identifying their critical assets that need additional safeguards. Obtain an independent assessment of your company’s risks and vulnerabilities. Execute a risk mitigation plan. Install and manage intrusion prevention and detection systems, and test these systems constantly. Create and exercise a Cyber Incident Response Plan (CIRP) to ensure proper action is taken in the event of a breach, including notice of breach to stakeholders in compliance with state notice laws. And on the topic of state laws, become familiar with the data breach notice requirements of the states in which you conduct business or where your customers may reside. These laws have particular requirements companies must satisfy when a data breach occurs and they impose substantial penalties for non-compliance.
Cyber Liability and Insurance
As discussed in the above example, companies should consider all sources of cyber liability, including information security and privacy liability, notification costs, public relations and investigative costs, loss of revenue, and personal injury. Take inventory of all insurance policies—general loss, directors’ and officers’ liability, errors and omissions, criminal, all-risk property, and cyber policies—and evaluate whether additional coverage is prudent to align cyber insurance with assessed risks. If your company’s insurance contact is not conversant in cyber liability insurance issues, the costs to your company can be astronomical. If your insurance company denies your claim and you have to litigate that issue, the litigation costs alone may exceed six figures. For an example of what can happen should your insurance carrier try to deny coverage, see The Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C., No. 14-1944 (4th Cir. April 11, 2016) (unpublished) (affirming Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., 35 F. Supp. 3d 765 (E.D. Va. 2014)).
In conclusion, this is an ever-expanding and quite new area of the law; as always, stay tuned.
Cost of Data Breach Study: Global Analysis, Ponemon Institute, June 2013. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach
Keith Wier recently joined the law firm of Maurice Wutscher, LLP and runs the Texas office for the firm. Mr. Wier is now based in Austin and will continue his representation in the financial services industry. He regularly assists debt collectors, debt buyers, original creditors and attorneys with both compliance and litigation issues. Keith can be reached at firstname.lastname@example.org.