While the use of the internet increases daily, so does the sophistication of cyber criminals. These criminals are stealing identities, hacking networks, and infecting computers with malware. Many business owners feel they are too small to be a target, so they often do not take appropriate steps to protect their own systems and the personal information they gather on their employees and customers. The truth is that cyber criminals know small businesses typically do not invest in data security, which makes them ideal targets.
When we think of a data breach, we often imagine a hacker continents away. Although a hacker may be the culprit, a simple mistake is increasingly the cause of many breaches. Surprisingly, one in three data breaches is the result of human error. Something as simple as misplacing a flash drive with customers' information on it or losing your laptop at the airport could be one of the costliest mistakes you or an employee can make. When it comes to personal information, lost is the same as stolen.
The statistics are eye-opening. According to The Hartford, 31% of all data breaches occur in organizations with fewer than 100 employees. It's not just the Targets and Sonys of the world. Roughly 66% of all data breaches investigated were not discovered for months, or sometimes years. A study performed by the Ponemon Institute found that 72% of those who had a breach were unable to fully restore their company's data. For some that have a breach, the damage control, legal expenses, and paperwork can be so overwhelming that they never recover. Symantec stated that one in 40 small businesses is at risk of becoming the victim of a cyber-crime right now.
Laws vary from state to state, but most states have civil codes that require a business to notify its customers whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. To take it a step further, an example from California Civil Code s.1798.29(e) and California Civil Code s.1798.82 states, “Any person or business that is required to issue a security breach notification to more than 500 residents because of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.”
Unauthorized Access: An international computer hacking group gained access to a small service company’s accounting software and stole banking information from check and credit card data of nearly 1,000 customers. This started a wave of fraudulent purchases around the world.
Cyber Extortion Threat: An information technology company contracted with a software vendor overseas. The vendor left universal "administrator" defaults installed on the company's server, and a "hacker for hire" was paid $20,000 to exploit that vulnerability. The hacker advised that if the requested payment was not made, he would post the records of millions of registered users on a blog available for all to see. The extortion expenses and extortion monies are expected to exceed $2 million, according to Philadelphia Insurance.
Ransomware Attack: An employee of a car components manufacturing company clicked on a malicious link in an email, and malware was downloaded onto the company server, encrypting all information. A message appeared on the employee's computer demanding $10,000 to be paid in Bitcoin within the next 48 hours in exchange for the decryption key. The company called its insurance carrier, which told it not to pay the ransom. Not only does paying the ransom perpetuate criminal activity, but it also highlights a company's lack of effective and responsible backup procedures. Backups should be stored off-site and off-network. According to Chubb, the total loss was roughly $60,000 between the consulting fees to assess backups, forensic investigation to locate the malware, legal consultation fees, incident response manager fees, and the costs associated with replacing lost or corrupted data.
Human Error: An HR recruiter for a healthcare organization accidentally attached the wrong file when sending an email to four job applicants. The file contained HR demographic data consisting of 43,000 former employee names, addresses, and national ID numbers. Legal services were brought in to manage the regulatory implications. Not only were there defense expenses from regulatory investigations, but there were also defense and settlement costs for the employees who had their identities stolen. In addition, there were incident response expenses for notification mailers, monitoring services for affected individuals, and legal consultation fees. Chubb paid out nearly $200,000 for a human error that seems innocent but was very costly.
1st Party and 3rd Party
To understand what is covered under various cyber liability/data breach policies, you must know that every carrier has different policy forms. Not only can coverages vary, but the names of the coverages will be different for each carrier. Still, every carrier that writes cyber offers 1st party coverages, and some also offer 3rd party coverages. Not every carrier offers 3rd party coverage because those claims tend to be the costliest.
Know that 1st party coverage typically pays the expenses that affect your own business. Coverages can include, but are not limited to:
- Loss resulting from corruption of or damage to your computer programs and data.
- Income reimbursement during the restoration period of your computer system.
- The expense of mailing customer notifications when a loss occurs, along with any regulatory fines and public relations expenses. Think of a public relations person speaking on a company's behalf on the evening news.
- Reimbursement for extortion expenses that are a direct result of a credible threat to your computer system.
- Reimbursement for loss of income, interruption, or special expense that is a direct result of an interruption or failure of your computer system caused by a cyber terrorist.
When looking at 3rd party coverage, understand that it is meant to cover the legal liability you may face after a breach. Coverages can include, but are not limited to:
- Legal liability for a privacy breach resulting from violations of HIPAA and other privacy protection laws and regulations, whether state, federal or foreign.
- Legal liability for a privacy breach of employees' personally identifiable information (PII) or protected health information (PHI).
- Claims that arise from content on your website. Common allegations are defamation, libel, slander, invasion of privacy, plagiarism, infringement of a copyright or trademark, or domain name infringement.
Restoration Contractors Are Exposed
Companies often do not assess the value of the data they hold. Restoration firms may have proprietary assets, intellectual property, and architectural drawings and specifications, which make them a target for cyber criminals. As with any business, you likely have employee data, which can include names, phone numbers, addresses, bank information, and often social security numbers. It is likely that you have financial information about your clients as well.
Remember what happened with the major breach at Target? An employee of a small HVAC firm was the victim of a phishing attack, which gave hackers access to the firm's system through malware. The cyber criminals used their access to the HVAC firm's system to connect to Target's network, which was also connected to Target's hosted vendor services. As a result, by breaching the HVAC firm's security, the hackers stole information on 40 million payment cards, as well as data on 70 million individuals.
Attacks are typically not targeted; they are opportunistic. Since it can take less than two minutes for your security to be breached, think about all the confidential information or personally identifiable information you hold. I would estimate that 5% or less of the restoration industry carries this coverage. There is only one franchise I know of that requires this coverage, but I expect others will hop on the bandwagon in the coming years. It is not expensive. One can add a limited amount of cyber protection to a property policy for a few hundred dollars. Some Employment Practices Liability (EPL) policies may even have an option to include some coverage. To get much broader coverage, ask your agent what a monoline policy would cost.
Depending on where in the country you are, your revenue size, the number of jobs performed annually, and the number of employees, cyber policies may start around $1,000. With the increasing number of data breaches, this is a small price to pay for the peace of mind of knowing you have protection.