When people trust you with their personal information, they expect you to protect it. When something goes wrong and their data gets lost, stolen or compromised, they get angry. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, companies suffering a material data breach in 2013 lost an average of $3.2 million in business. This comes in addition to the cost of remediating a data breach.
Both physical and electronic data can be compromised, but electronic breaches have higher loss potential. An electronic data breach can occur when:
- Unauthorized users gain access to electronic documents containing personal identifying information (PII) via sharing of passwords, leaving work station unlocked/unattended, etc.
- PII is posted, in any format, onto the world wide web without authorization.
- A laptop or smartphone containing PII is lost or stolen.
- Someone steals data from a laptop or other device connected to an unsecured wireless network.
So…what can you do to protect your organization from data breaches? Here’s three step data management plan:
Step 1: Protect
Ponemon found that organizations with a strong security plan lowered data breach costs by as much as $21 per record. To implement a data protection program, involve your IT team and data end users to identify specific risk exposures.
Consider the following: Where is data stored? Who has access? Who can make changes? How is it protected? Protections include both physical and intangible protections, such as software and procedures. When evaluating physical protections for your data, look at the setup of your data center. Can anyone access your servers, or is access limited to IT staff?
Organizations can control access to sensitive data by:
- Requiring user permissions and separation of duties. Be sure to document each user’s access to applications and files.
- Encrypting proprietary or personal data.
- Restricting access to data from outside the company’s computer network.
Cloud computing creates new security exposures. Before entering into a cloud computing arrangement, check your vendor’s security protocols. Will any ownership/access issues arise? Check your contract with any cloud computing vendors to ensure you retain ownership of your data and that the vendor will not mine it or use it for its own purposes.
Step 2: Plan
The Ponemon survey found businesses with a formal incident response plan lowered costs of responding to a data breach by $17 per record. Having procedures in place can help you quickly collect and preserve data and gather evidence about the incident as soon as it’s reported.
You’ll need to determine whose records have been compromised and how you are going to notify them. On the federal level, the Health Insurance Portability and Accountability Act (HIPAA) protects an individual’s health information. No federal law at this point requires organizations to notify individuals when other personal information is breached, however.
Currently, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private or government entities to notify individuals when their personally identifiable information is breached. These laws vary and may apply to different types of organizations. They may also have different definitions of “personal information” that trigger a notification requirement. For information on your state’s requirements, see the website of the National Conference of State Legislatures, http://www.ncsl.org.
Involve your public relations staff or counsel as soon as you learn of the breach. Inform your customers and the public sooner rather than later to look proactive. Be honest in reporting how the breach occurred, what you are doing to prevent similar incidents, and what other security measures you are taking.
According to the California attorney general, nearly one in four recipients of breach notices in the U.S. became a victim of identity theft in 2012, more than four times the rate of the general population. For that reason, many organizations offer victims of a data breach a year’s worth of identity theft protection.
Step 3: Insure
The standard general liability (GL) policy excludes coverage for loss or damage to electronic data. You can buy an endorsement that adds a separate sublimit of coverage for loss of electronic data only due to damage to tangible property.
To protect your organization from breach of data due to theft or negligence, you’ll need cyber liability coverage. You can buy this coverage as a freestanding policy or as part of a professional liability policy. Policies vary by insurer, but may cover:
- Privacy claims: Losses from failing to protect personal information (i.e., Social Security numbers) and corporate information, as well as costs to repair identity theft and to respond to regulatory agencies.
- Security losses: Losses due to a failure in network security, such as unauthorized access, virus transmission or destruction of software and data.
- Web or online liability: Losses caused by infringement, defamation, plagiarism or negligence arising from the organization’s web site or social media. Policies might exclude this coverage for publishing or media-related businesses; you might have to obtain a separate publisher’s or media liability policy.
*Source: 2014 Cost of Data Breach Study: United States. Ponemon Institute, May 2014. http://ponemon.org
What Are Your Odds?
A survey by PricewaterhouseCoopers LLP found that information security breach incidents increased 48 percent this year, to 42.8 million, or the equivalent of 177,339 incoming attackers per day.
The Ponemon Institute’s study found that malicious or criminal attacks caused 44 percent of data breaches, the highest cause. Human error caused 31 percent, while system glitches accounted for 24 percent. Security breach risks vary by industry and business size: calculate your organization’s odds of experiencing a data breach at: http://databreachcalculator.com.