The COVID-19 pandemic has forced a technological revolution, with many companies switching their workforce to remote solutions for the first time and now recalling those same workers back to offices as cities move to reopen. While working remotely has had significant benefits, it has also presented new and different risks to company data security. Now as some employees are returning to the office (though others remain at home), this transition also presents challenges. Some of the most basic things to consider include:
- Do your employees work from their own personal devices?
- Are your employees or contractors using public Wi-Fi to connect to your business network?
- Are your employees or contractors storing work data on their cell phones, iPads, USB sticks, and other personal devices?
- Are your employees or contractors using their personal e-mail accounts to transfer business documents to themselves and others?
- Does your business have corporate policies in place regarding telework?
- Does your business provide adequate data security training to your employees?
Remote work presents significant opportunity for bad actors to attack unsecured systems. Employees working from home are more likely to make mistakes, click on email links that they should not, and be more relaxed about data-security and privacy issues. We have previously written about measures that companies can take to protect themselves from cyber-security threats while employees work from home,[1] but if the worst should happen, cyber insurance can ease the burden associated with a data breach.
1.What is cyber insurance?
Cyber insurance policies generally provide a mixture of first-party and third-party coverages. First-party coverages protect an insured for loss to the insured’s own property; whereas, third-party coverages protect an insured for losses sustained as a result of demands and/or lawsuits made by third-parties. One of the most important forms of cyber insurance coverage protects your business from liability for data breaches involving individual personal information. Individual personal information typically includes Social Security numbers, credit card numbers, passport numbers, driver’s license numbers, user names, passwords, health records, and other information protected from disclosure by state and/or federal law. The Ponemon Institute estimates that the average cost of a data breach in the United State is $242 per lost record.[2] These costs include direct costs like computer forensics, attorney fees, notification to affected persons, and credit monitoring services, as well as indirect costs from lost business, business interruption, and reputational damage. Therefore, cyber insurance can be extremely valuable in the event of a data breach.
2.What is typically covered by cyber insurance?
It depends on the policy that you buy and the specific terms of that policy. Unlike automotive insurance, which is fairly standard and has form policies that have existed for many years, cyber insurance is currently far from uniform. There are many different forms of cyber insurance and coverage “enhancements” available in the insurance marketplace. Therefore, there is no “one-size-fits-all approach” to buying cyber insurance and it is wise to consult an experienced broker or lawyer and purchase a policy that best suits your company’s risks. Depending on the policy you select, common coverages can include the following:
- Data breach investigation costs, including computer forensics experts and attorney fees associated with investigating and repairing the damage from the breach.
- Business losses caused by business downtime, business interruption, data loss recovery, and reputational damage.
- Notification costs and costs of providing free credit monitoring to individuals who were affected by the data breach.
- IT system failures and data destruction.
- Money paid in response to extortion (i.e., a ransomware attack) and brokerage fees for the purchase and transfer of bitcoin.
- Legal expenses for attorney guidance in responding to a breach, as well as litigation expenses associated with the release of confidential information or intellectual property, shareholder suits, suits by affected individuals, regulatory investigations, and other legal expenses.
3.I have Commercial General Liability (“CGL”) insurance policy already. Isn’t that enough?
Trying to find coverage for the consequences of a cyber incident under a CGL policy is a huge gamble. Many CGL policies expressly exclude cyber liabilities from coverage, and a number of courts have found that CGL policies do not cover cyber incidents. Therefore, you should not rely on your CGL policy for cyber coverage. Instead, it is best to talk to your insurance broker or an experienced attorney who can review your policy and identify the scope of your coverage.
4.I’m not a Fortune 500 company. Do I really need this?
Like most insurance, you’re buying peace of mind that you will hopefully never have to use. Unfortunately, the number of cyber incidents continues to rise each year and hackers are becoming more sophisticated. Hackers target big and small companies alike, with approximately 43% of cyber-attacks aimed at small businesses.[3] Smaller companies are often considered an “easy target” because they are less likely to have a sophisticated security infrastructure, are less likely to have data backups, and are more likely to pay ransomware demands.
5.I have a robust, state of the art IT security system. Shouldn’t that be enough?
Strong IT security systems can certainly help, but they are not invincible. Significant time, money, and effort are expended by hackers to crack these “ironclad” systems, and they have moments of success in those efforts. Much of data security is reactionary, meaning that systems are built up and made secure only after a hacker has found a vulnerability that can be exploited.
Further, while a healthy IT department and resources provide safeguards, they do not remove the risks associated with human error. More than half of all data incidents are caused by human mistakes, like clicking on links in phishing emails or providing confidential information in response to a phishing email request. There are also employees who intentionally send out confidential information to unauthorized persons because they are disgruntled or have been offered money to do so. A robust IT system also cannot guard against all physical breaches, such as theft and accidental loss of equipment. Therefore, your IT infrastructure likely will not protect you from all types of breaches.
6.Okay, fine, you convinced me. Anything else I should know?
When a data incident is discovered or suspected, it is critical to act quickly and competently. Privacy attorneys can help guide the process, and retaining a privacy attorney increases your chances of cloaking the most sensitive areas of your investigation under a privilege. If you would prefer to work with your current law firm and have those attorney’s fees covered by insurance, a streamlined way to set up that arrangement is through an endorsement to choose your own counsel. Negotiation of that endorsement would happen before you buy the policy. Note that the insurance provider is unlikely to agree to the endorsement unless the preferred attorney is experienced in data privacy law and breach management.
******************************************************************************************************************************************************************************************************************
[1] Jessica Engler, “Cybersecurity Considerations for an Increasingly Remote Workforce”, Louisiana Law Blog, Kean Miller LLP (Apr. 6, 2020) (https://www.louisianalawblog.com/covid-19/cybersecurity-considerations-for-an-increasingly-remote-workforce/).
[2] “2019 Cost of a Data Breach Report”, IBM.com (https://www.ibm.com/security/data-breach)
[3] Scott Steinberg, “Cyberattacks now cost companies $200,000 on average, putting many out of business”, CNBC (Oct. 13, 2019) (https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html).