CNGA Looseleaf Dec 2018 Jan 2019

Cyber Liability Insurance is Critical for Small Businesses

SAFETY CORNER

In June, Colorado Governor John Hickenlooper signed House Bill 18-1128, “Protections for Consumer Data Privacy.” This new Colorado law contains the nation’s most stringent notification requirements for businesses in the case of a data breach of customer information. Businesses now have only 30 days in which to notify their customers if their information has been compromised or hacked. This 30-day notification window does not provide for any specific exemptions, and is the shortest of any state.

The legislatively mandated cost of notification, credit monitoring, and credit repair for individuals impacted by a breach could be crippling to a business. The average total cost of a breach is $2.2 million for incidents with fewer than 10,000 compromised records, according to a 2018 study sponsored by IBM Security and independently conducted by the Ponemon Institute.

Let’s back up a bit. What exactly does a data breach entail? A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized individual. Data breaches may involve financial information such as credit card or bank details, personal health information, trade secrets of corporations, or intellectual property. Any business that uses technology or collects data is at risk of a cyber-attack, and the results can be catastrophic—and extremely costly.

So, what can you do to protect yourself and your business financially before a cyber-attack of this nature occurs? Businesses today can protect themselves and their clients from unwanted risks with the right insurance and coverage. Every business and organization needs to be prepared with cyber liability insurance to manage and mitigate cyber risk.
Without securing a dedicated cyber policy, most businesses likely do not have adequate insurance coverage for a data breach. Cyber insurance can be essential in helping your company recover after a data breach, with costs that can include business disruption, revenue loss, equipment damages, legal fees, public relations expenses, forensic analysis, and costs associated with legally mandated notifications. The following are other types of coverage that cyber insurance can provide.

Lost Data

Companies are responsible for their online data, no matter where it is stored. Whether it is stored on your property, in an offsite data warehouse or in the cloud by a third-party technology company, you may be held liable if any personally identifiable information (PII) or protected health information (PHI) gets exposed.

To help protect your company’s data, cyber professionals recommend you understand where all your private or confidential information is stored. Create and test policies and procedures concerning the collection and storage of data, and have a document retention procedure in place to ensure you avoid keeping data you do not need.

If a breach does occur, a cyber policy can cover breach notifications and remediation expenses, subject to the applicable retention. It also can cover defense expenses such as responding to and cooperating with regulatory investigators.

Lost Devices

Today’s mobile workforce means that laptops and other mobile devices often leave the workplace premises and may be stolen or compromised, potentially exposing private or confidential data. While you cannot completely prevent theft or loss, your organization can take steps to protect and limit the amount of data on each device, such as implementing procedures for using effective passwords and mandating periodic changes. Avoid storing any private or confidential data on laptops. Or, if necessary, store only encrypted data or access it via a secure connection to a server.
If a breach does occur, a cyber policy can include Network and Information Security Liability coverage, which provides protection for failure to prevent unauthorized access to, or use of, data containing private or confidential information of others. The costs for a single lost laptop can include more than just the cost of the device, such as legal costs, investigation, and miscellaneous expenses.

Notification Requirements

As mentioned above, notifying customers of a breach and other post-breach responses, which are mandated by law, can come at a devastating cost. As part of a cyber policy, the carrier would refer the customer to a law firm to serve as counsel and breach coach, and help reimburse those costs, subject to the applicable retention. An incident breach response vendor would also be recommended to handle customer notifications, in keeping with state laws when personal information is compromised.

Forensics

Computer forensics teams can determine the extent of a breach and whether private customer information may have been compromised. Some cyber policies will reimburse the insured, subject to applicable retention, for computer forensic experts. The policy also could provide coverage for potential business loss and extra expenses that may occur during the period of business restoration.

Cyber liability policy customers have access to risk management services, cyber security experts, and other resources to help prevent a data breach. Having cyber insurance can help prepare your company to respond effectively in the critical hours and days following a data breach. With the passage of this bill, time is more critical than ever in handling a devastating data breach.

By Sara Hoffman
RSS Insurance Services
