Data. You store it on company computers and networks. Employees can access it at home or on the road. You might even have data “in the cloud,” in facilities you don’t own or control. And it’s the lifeblood of your organization. How good is your data loss prevention?
As with most things, insurance should be your second priority. Your first priority should be to take measures to protect your data from damage, loss or theft. When reviewing your organization’s data protection program, involve your IT team and data end users to identify your company’s specific risk exposures.
The questions you’ll want to consider include: Where is data stored? Who has access? Who can make changes? How is it protected? Protections include both physical and intangible protections, such as software and procedures. When evaluating physical protections for your data, look at the setup of your data center. Can anyone access your servers, or is access limited to IT staff? Does your data center have appropriate fire protection/sprinkler devices?
Intangible protections include your procedures as well as software and systems. Organizations can control access to sensitive data through:
- Requiring user permissions and separation of duties. Be sure to document each user’s access to applications and files.
- Encrypting proprietary or personal data.
- Restricting access to data from outside the company’s computer network.
The advent of “cloud computing” can also create questions of control and ownership. Are you sure your data is really yours? Check your contract with any cloud computing vendors to ensure you retain ownership rights to your data and that the vendor will not mine it or use it for its own purposes.
Your contract should also specify how the data will be returned to you if you end the relationship. The contract should spell out how long the vendor has to return data, and should also specify that it must provide data in a format you will be able to use, rather than holding you hostage by returning it in a proprietary format.
Insuring Your Data
The next step is to analyze your current insurance program to understand which risks are covered and which may need additional protection. Coverage for networks and data is sometimes called cyber insurance. It covers your own data and the data of customers, partners and clients that you interact with: in insurance terms, first-party and third-party coverages.
Most commercial property policies have coverage limits for computer hardware and exclude coverage for software and data. Many insurance companies offer optional endorsements that increase hardware limits and add coverage, usually with small sublimits, for:
- Loss of software, programming and data caused by viruses.
- Loss of income and extra expenses due to damage to hardware or software caused by viruses.
- Loss of income due to viral attacks that overload computers and prevent normal business traffic.
- Electronic fraud — reimbursement for money stolen through the computer.
If your first lines of defense are adequate, this coverage might be enough for you.
Many organizations today use, store or access data that belongs to third parties. Whether it’s your customers’ credit card information, a business partner’s mailing list or any other data, you have a responsibility to protect it from theft, loss or breach while it’s in your care.
The standard general liability (GL) policy excludes coverage for property damage to electronic data. You can buy an endorsement that adds a separate sublimit of coverage for loss of electronic data resulting from damage to tangible property. Your errors and omissions policy will probably not cover electronic data loss either, unless it includes specific cyber liability language.
Cyber liability is a big issue in the insurance industry. As the Internet, cloud computing and social media become more important to the way we do business, organizations need to review their liability coverage. The standard commercial general liability policy covers you for libel, slander and copyright infringement arising from your advertising. However, it typically excludes those coverages for companies in the publishing, broadcasting or media industries. Any company that has a website or uses social media could be considered a publisher. Does that mean you need a media liability policy to protect you from claims of libel, copyright infringement and plagiarism? Many cyber liability policies cover this exposure and more.
Cyber liability coverage can be bought as a freestanding policy or as part of a professional liability policy. Policies vary by insurer, but may contain:
- Privacy liability: Covers losses from failing to protect personal information (e.g., Social Security numbers) and corporate information, as well as costs to repair identity theft and to respond to regulatory agencies.
- Network security liability: Covers losses due to a failure in network security such as unauthorized access, virus transmission or destruction of software and data. May also cover business interruption for third parties impacted by the network security failure.
- Internet media liability: Covers the company’s Web content for infringement, defamation, plagiarism or negligence. May also include coverage for transmission of viruses to your Web visitors.