
A Business Introduction to Cyber Liability

As I write this, the popular business networking site LinkedIn is working with the FBI to identify the source of a compromise of over 6.5 million user passwords. The company is taking a very professional, proactive and systematic approach to investigating the problem, shoring up its protection and controlling the damage to its brand. Think this sort of thing only REALLY happens to large organizations? Think again.

It is no secret that businesses big and small run on the ability to store, process and protect large amounts of data, intellectual property and other sources of valuable information. A firm’s ability to protect its most valuable assets is key to its strategic success and long-term fiscal growth. A company’s liability exposure is highest when client information is concerned.

I find that for small businesses there is an enormous amount of skepticism when it comes to considering coverage for cyber liability. Let’s consider the most basic facts of cyber exposure in this article, then consider other factors, including subrogation in actual cases, in a subsequent article.

What’s the Plan?

For starters, do you have a plan for what to do in the event your company’s data resources are compromised?

Remember that a breach can occur through negligent and non-negligent means. Negligence, let’s say on the part of employees, is generally not covered by insurance. Non-negligence includes leaving a laptop behind at the airport. Basically, a company’s owner or owners, IT professionals inside or outside the firm, and the software and hardware companies that support protection services may all feel the wrath of a legal claim.

Let’s take a look at some of the costs associated with a breach of vital client data.

A Breach of Our Clients’ Data Has Occurred?

  • At least 45 states have notification laws, requiring your company to notify all of your customers of the security breach.
    • Your costs may include call centers, drafting written alerts, press releases, printing, postage, and advertisements/publications to inform your customers of the security breach.
  • With your customers’ personal information exposed, your company will be expected to pay for credit monitoring services for each of them.
  • Your company had a duty to secure customer information; consequently, you could face lawsuits for this breach of duty, resulting in hefty legal fees and years of litigation.
  • There have been instances of hackers holding your client information hostage.
    • In such cases, your company may have to pay an extortion fee (ransom).  I could not find much specific information as to dollar amounts.  Wild West mentality anyone?
  • Your company will be required to perform a digital forensics analysis to determine how the breach occurred. In addition to the expense of such an analysis, new security systems to guard against future instances will have to be installed. Regulatory requirements will have to be met.
  • Your company’s daily operations will be interrupted while security breach issues are cleaned up.  Lost time equals a loss in earnings.

So What does this mean for your firm?

For starters, know that typical commercial property and general liability insurance coverage doesn’t include any of these losses. Without specific coverage, you would be held fully responsible for any losses.

In a recent cyber liability case involving a major Massachusetts hospital system, the cost incurred totaled $475k. Total costs range from $200k for a breach of 1000 records to $1mm or more for breaches involving 5,000 or more records. Another source I reviewed reported the average total cost of a major breach in 2010 was $7.2mm.

Consider the less immediate costs to your ability to acquire and retain a client base. What amount of trust is lost and for how long? With some or all of your clients? How do you plan to recoup these losses through targeted sales and marketing? Or more to the point, where would that money come from after paying for all of your initial losses?

Could your company afford to pay these costs?

A proper approach to determining whether you need cyber liability coverage should start with measuring the size of your exposure (i.e. the number of client files on hand, the nature of the information, whether you have mitigated with proper cyber-security, whether all state and federal regulations are met, whether employee training is up to date, etc.). The next step is to consider the costs in legal, regulatory and marketing terms.

If your firm has the cash on hand at any time to deal with a partial or catastrophic loss due to a breach, then by all means ROLL THE DICE. For most of us, a proper assessment allows us to see why coverage makes sense. For those with the cash on hand, wouldn’t a truly strategic leader want to put those funds to far more proactive use in generating revenue for the firm? YOU DECIDE.

Scott Graves is passionate about helping business owners.  Tune in to his show ‘The No Boundaries Radio Hour’ with co-Host Dennis Mannone on the No Boundaries Radio Network.  Meet him at the crossroads between strategy and innovation at scott@smgravesassociates.com or twitter @smgcreative.


