Security threats are becoming more and more prevalent. An alarming percentage of all consumers (greater than 50%) have experienced a cybercrime, with approximately one in three falling victim in the past year alone1. In 2020, the FBI received more than 2,000 internet crime complaints per day2, and those organizations impacted by ransomware more than doubled in the first half of 20213. The need to protect yourself and your customers from the threat of cyber criminals has never been greater; One accidental click can make all the difference.
A major push from consumer advocacy groups and law makers is forcing businesses to provide retribution to customers whose data is in their care. From simple phone numbers to detailed medical records, any identifying information that has been breached is now subject to civil lawsuits. California and New York have changed their laws in favor of the consumer, making it customary to provide two years of credit monitoring for any person impacted by a data breach. Let’s face it, most of us have already experienced some form of data breach. I have.
I am not a lawyer, but I am aware of some of the regulations relating to cyber security and data management. For example, the New York State SHIELD Act reads: “Disclosure of the breach must be made in the most expedient time possible.” The law requires businesses to inform multiple agencies, including the Attorney General’s office, New York Department of State, and the New York State Police. Furthermore, if 5,000 or more New York customers are affected, the three nationwide credit bureaus must also be notified. “Under the SHIELD Act, the Attorney General may seek injunctive relief, restitution, and penalties against any business entity for violating the law.” At the time of writing this article, failure to provide timely notification may result in New York court imposing civil penalties of up to $20 per instance of failed notification (not to exceed $250,000). If the affected business fails to maintain reasonable safeguards of customer data, the court may impose a civil penalty of up to $5,000 per violation. Consult an attorney and/or a knowledgeable broker familiar with the rules, penalties and requirements for coverage in your business’ operating area.
There are several steps you can take to reduce the threat from a cyber-attack and data breaches. Usually, the insurance company will provide a questionnaire to understand your data protection practices and associated risks. Using these questions as a guide, you can take action (if necessary) to fortify your physical and digital protection systems and procedures. This will make your data environment more secure and may even lower your insurance costs. Below are some areas that insurance companies may inquire about:
1. Enforce password management practices (i.e. change passwords every 90 days)
2. Enable and enforce multi-factor authentication (MFA/2FA)
3. Utilize anti-virus/anti-malware software
4. Implement a patch management process
5. Train employees on phishing and social engineering detection
6. Use a well-defined backup procedure and protect backups with MFA and encryption
7. Encrypt data during storage and transit
8. Have a formal business continuity plan and/or disaster recovery plan
9. Use of a formal incident response plan for any type of intrusion or breach
10. Enable a SPAM filter for email
11. Ensure access is limited to critical data (both physical and digital forms)
12. Document a formal privacy policy and review it yearly (at a minimum)
When working on your data security and procedures, it helps to adhere to some well-accepted guidelines and practices. Depending on the industry and market you operate in, this will determine the regulations to be followed. Below is a short list of some of the regulatory groups and standards they require members to implement:
When purchasing cyber liability insurance, it is important to consider the extent of coverage, including outages or unauthorized use of corporate services and systems. For example, a customer had their phone system hacked, resulting in over $6,000 in long distance calls over one weekend. Although this qualified as a breach of the company’s internal phone system, the insurance carrier did not cover this event and the customer was left to pay for the thief’s charges.
If you need assistance with review of your security procedures, or wish to discuss any of these topics, please do not hesitate to contact CMC Dataworks.
1. Taken from 2021 Norton Cyber Safety Insights Report (https://now.symassets.com/content/dam/norton/campaign/NortonReport/2021/2021_NortonLifeLock_Cyber_Safety_Insights_Report_Global_Results.pdf)
2. 2020 FBI Internet Crime Report (https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf)
3. Check Point Blog article (https://blog.checkpoint.com/2021/05/12/the-new-ransomware-threat-triple-extortion/)