
In wake of recent data breaches Decoding the myths about security, data breaches for N.J. companies

NJBIZ STAFF//October 3, 2014//

Security and data breaches don’t favor one organization or industry over another, and are taking place every day. Companies should consider the “how” of a breach (as opposed to the “who”) to evaluate their exposure to a similar event.

Over the past two years, retail organizations have been targeted heavily because of the volume of information in their care, custody and control, including credit card data, confidential loyalty-program records, and employee data. No company is immune: if you rely on technology to run your business or you store customer or employee data, you are exposed to network and privacy risk.

Until recently, many treated data and network security risk as trivial compared with other threats such as theft, slip-and-fall accidents, and workplace violence. But with compromises of data and computer systems occurring far more frequently, it is one risk you don't want to underestimate. Reputational harm stemming from a poorly managed breach can be catastrophic.

Five myths you can’t afford to believe:

  1. Network security and data privacy are only a problem for large companies. Data privacy and network security are concerns for organizations of any size. Rogue employees, data thieves, and unscrupulous business associates look for opportunities to exploit any weakness or mistake. In addition, human error by negligent or careless staff accounts for a surprising share of breaches around the country. The costs incurred as a result of a data or security incident can be crushing, and small businesses are not immune.
  2. We can afford to self-insure the risk. With greater demands on limited budgets, many organizations knowingly go bare. They wrongly believe that, if something happens, they can afford to cover the costs. The average cost of an insured breach in 2012 was $956,000, according to the NetDiligence annual claims study. While these costs can be insured, incident response expenses alone, including legal, forensic investigation, notification, monitoring and public relations costs, add up very quickly.
  3. Insurance coverage is expensive and hard to get. This was true ten years ago, but it is not true today. Increased capacity in the market, accumulated claims experience, and a larger pool of buyers have made network security and privacy liability coverage more cost-effective and easier to obtain. Even with the recent proliferation of retail breaches, the insurance is more affordable and accessible than ever.
  4. Our general liability policy will cover us. General liability insurance typically covers bodily injury and property damage. Courts have consistently ruled that data is not property and is considered intangible, so a loss of data may fall outside that coverage. If you don't carry specialized coverage for financial injury arising from a failure of security or a failure to protect confidential information, you are probably exposed.
  5. We have vendors who handle our sensitive information and credit card transactions; if they have a breach, it's their problem, not ours. This is generally not true. The data owner (the person or entity that collected the data) remains ultimately responsible for what happens to that data. A breach at a trusted contractor therefore still triggers your notification obligations; that obligation cannot be transferred to the vendor partner.


Managing breaches in New Jersey

Forty-seven states and several U.S. territories have enacted security breach notification legislation in response to recent breach events. In New Jersey, a breach is defined as unauthorized access to electronic files, media or data containing personal information (PI) that compromises the security, confidentiality or integrity of the PI, unless an investigation finds that misuse of the PI is not reasonably possible; a written record of that determination must be retained for five years.[1] New Jersey's definition of PI goes beyond an individual's name, Social Security number and account numbers to also include a username or email address in combination with a password or security question and answer that permits access to an online account. It also includes dissociated data that, if linked, would constitute PI, where the means to link it was accessed as well.

Following discovery of an incident and an investigation confirming that misuse of PI was reasonably possible, the first point of contact is the Division of State Police in the Department of Law & Public Safety. New Jersey law then requires a business or state agency to notify any New Jersey resident whose PI is reasonably believed to have been acquired, in the most expedient time possible and without undue delay. For incidents affecting more than 1,000 residents, consumer reporting agencies must also be added to the notification list.

Readiness is the most important step. Businesses can't afford to "figure things out" after a breach occurs. It is critical to have a ready-to-use incident response plan, an on-call forensics expert and a privacy attorney on retainer. Then, when a potential issue is identified, the organization is ready to contain the breach, mitigate its effects and reduce the likelihood of litigation.

Creating “Peace of Mind”

It is essential for organizations to adopt policies and procedures addressing information security, along with a concrete, comprehensive plan for incident response. Consider these questions to create “peace of mind”:

  • Plan – What will you do if a potential issue is identified?
  • Educate – Have you adequately educated your employees about their responsibility to protect private information?
  • Access – Have you implemented standard procedures for access to and use of private data? Is access to data limited to a "need to know" basis?
  • Contracts – Do you have procedures for managing your contracts with third parties? Do they address indemnification and insurance?
  • Encrypt – Do you follow encryption standards? Do you restrict and/or encrypt data that is stored on mobile devices, including thumb drives and backup tapes?  What about data at rest?
  • Online – Do you have a written policy regarding the dissemination of personal information on public and social media sites?
  • Financial impact – Do you have adequate reserves or an appropriate insurance policy to manage the financial impact of a breach?
  • Monitor – How often do you monitor networks, websites, and databases to detect potential issues?

Meredith Schnur is the Technology Privacy and Network Risk practice leader for Wells Fargo Insurance. She has 20 years of experience providing consultative services, market negotiations, policy analysis and placement, policy administration, and claims advocacy services in the areas of professional and technology errors & omissions, network security and privacy risk. She can be reached at (973)437-2344 or [email protected].  License #0D08408.
