For individuals it can be argued that there is now a third certainty of life along with death and taxes, and that is Identity Theft. Even if there is some credibility in that statement, the new third certainty for business owners is Data Breach. We are all familiar with the high-profile cases such as Target, Home Depot and Chase Bank, whose customers’ personal data was compromised. This past March a federal judge approved a 10 million dollar offer by Target to settle a class action lawsuit for the approximately 40 million people who had their personal data, including credit card information, exposed in the hack. But small business owners need to be aware that they are at an even greater risk for data breach and the consequences can be fatal to the business. Approximately 60% of small businesses dissolve within 6 months of a cyber attack. It is highly unlikely that the small business owner has anyone dedicated to information security, and their computer frameworks are far less resilient to an attempted hack than those of a Fortune 500 company. The personal data at a small business is low-hanging fruit to a hacker, and chances are it wouldn’t take the likes of Edward Snowden to access personal information stored in the database of your average main street business. It could just as easily be hacked by a misguided teenager in his basement in between a game of Halo 5 and a Red Bull. And when a rogue employee inside the business has direct access to other employees’ and customers’ personal information, the once low-hanging fruit is now lying on the ground.
Forty-seven states, including PA, have active data breach notification laws, which require an entity to notify its customers and other parties about the breach and take other steps to remediate injuries caused by the breach. Despite the escalating number of data breach incidents, an enormous gap exists between the awareness of the threat and the need of the business owner to be prepared for when it happens. A recent study by Nationwide Insurance Company found that almost 8 in 10 small business owners do not have a cyber attack incident response plan. Yet 63% admitted to being hit by at least one kind of cyber attack such as phishing attempts, viruses or hacking. It is important to recognize, though, that protecting a business’s personal data is not just an IT issue. It is a company issue. Risk management of data breach relies heavily on a secure computer network, but it must also incorporate employee policies and procedures beyond the scope of automation. From paper file storage to document shredding to sharing personal information with third-party vendors, all possible scenarios of misappropriation of data must be contemplated.
As the back end of the risk management plan for data breach, the insurance options to cover a breach event are now more abundant than ever. Many carriers are now offering data breach insurance policies and endorsements to address the ever-surging risk. Coverage is available for the first-party losses of the business, including response expenses, legal and forensic services, monitoring expenses and crisis management. Third-party coverage is also available for defense costs, civil awards, settlements and judgments the insured becomes legally obligated to pay as a result of the breach. It is not uncommon for insurance carriers to outsource claim handling to companies that specialize in data breach resolution services. Those services involve coordinating statutory compliance requirements and include credit and fraud monitoring for the victims. In the absence of insurance, the business owner would have the burden of implementing those very costly and time-consuming remedies themselves. The coverage available to protect against a catastrophic data breach event is evolving almost as quickly as technology itself. Be mindful that the insurance industry has adopted the term “Cyber Insurance” to cover a broad scope of exposures such as data breach, internet media liability, cyber extortion and network security. However, a particular carrier’s cyber policy may or may not include coverage specifically for data breach. Business owners should sit down with their agents to get help navigating the myriad of insurance protection available to them. Data compromise is an inherent risk to small businesses, and a response plan which includes the proper insurance coverage is no longer optional.