Even the best security may not prevent data loss. What you do after a systems breach is just as important as preventing cyber theft.
The marketing departments of hundreds of data security vendors ensure that the threat of cyber criminals hacking your company’s IT systems is well known – as they should. And certainly, your company should be aware of that threat and take proactive measures to prevent the theft of your customers’ and employees’ personal information. However, merely securing your data from hackers is not sufficient to completely protect your company from liability for data loss.
The fact is, more data is lost inadvertently by companies or through employee thefts than is stolen by cyber thieves. And, despite your company’s best efforts to prevent such losses, accidents still happen. To fully protect your company from the resulting liability should your data be lost, you need 1) an action plan for responding to the loss, and 2) data breach liability insurance.
Real Examples of Data Loss
Consider these real-world cases of companies losing data. We won’t mention names to spare these companies the unwelcome publicity.
- A prestigious law firm was burglarized by a disgruntled client who stole the hard drives from every computer in the building. Despite the firm’s significant investment in data security systems, including encryption, a strong firewall, and rigorous password protection policies, every bit of data was lost.
- During an office remodel, construction workers removed and disposed of old file cabinets that contained obsolete data drives holding personal customer and employee information. While there was no reason to suspect that their data had been compromised, the company still had to expend significant effort to retrieve the cabinets from a local landfill lest that data fall into the wrong hands.
- Common criminals, posing as employees of a company that recycled hospital X-ray film to extract the valuable silver used in its manufacture, stole from dozens of hospitals across multiple states. The problem: patients’ names and personal information were printed on the X-rays. There was no reason to suspect the thieves were after that information, but the hospitals could not take that risk and were forced to notify patients of the data loss and reimburse their costs to ensure their data was still secure.
- A doctor rode a motorcycle to work, and one day his briefcase fell open during the ride without his knowledge. Upon arriving at the office, he discovered that hundreds of patient files had been strewn in the street behind him over the course of the 3-mile ride.
- A company had taken extraordinary steps to prevent data loss – access was only allowed from secure terminals that were constantly monitored by CCTV. However, a devious employee compromised the system with the most basic tactics – she simply hovered behind employees using the terminals and memorized the personal data as it appeared on the screens.
What Can You Learn From These Mistakes?
As unique or random as these examples may seem, inadvertent data loss and insider thefts are not rare. As long as valuable data is contained on pieces of paper, removable storage devices, X-rays, and other such physical items, even the best data security systems can fail. And, when they fail, regardless of the reasons and regardless of whether the data can be recovered, your company is responsible and can be held liable under various federal and state laws and regulations, as well as in civil actions instigated by the employees, customers or patients whose data was lost.
Your company has the burden of recovering the data, or making every reasonable effort to do so, and of notifying every person who may have been harmed. It doesn’t matter that the loss was an accident, or that no harm was done. Even if you had no idea that the data was lost or stolen, or cannot identify the specific data lost, you are still liable for all damages.
Data Breach Insurance is a Good Investment
Insurance can protect your company from the costs and liabilities of data loss. Data breach insurance includes two components: a typical liability coverage to compensate your company’s losses and damages paid to the victims, and a services component that provides IT forensic experts, specialized investigative and legal assistance, PR consulting, and notification services. The policy should be designed with broad coverages and sufficient limits to fully protect your company from all potential costs.
If your company stores personal information on clients or employees, you should consider data breach insurance. The insurance professionals at Nahai Insurance Services have the expertise to craft a policy that meets the unique needs of any company. Contact your Nahai representative to learn more about data breach liability insurance.