When it comes to insurance, most people think about protecting physical objects from loss or harm, but there’s something else—something vital—that your small business needs to put under lock and key: your data.
“But Data Breach and other types of cyber crime only happen to giant firms like Dairy Queen and Target. I don’t have the kind of records the bad guys want. Plus, who would even think to target little ol’ me?”
Every day, insurance professionals hear comments like this from their clients. But the truth is, data breach and cyber ransom issues effect an ever-increasing number of small businesses (that is, firms under 100 employees) in the United States. Often, these victims are “Mom & Pop” operations with under 20 employees. In fact, small businesses are actually the perfect target for cyber criminals.
Small businesses often have little to no data records or cyber intrusion protection, not because they’re irresponsible, but because no one has made them aware of the risk until it is too late. There are a number of data and cyber related catastrophes that can occur, but we are going to focus on two in this post: Cyber Ransom and Data Breach/Theft of Records.
Cyber Ransom is an increasing menace to the small business community. Here is a scenario that shows the risk:
Johnny Doe comes into the office on a Monday morning. He fires up his system and realizes that some very strange things are happening as he loads up his company software/management system/intranet environment/etc. Next, his coworker Susie Que experiences the same thing. One by one, as the firm’s four employees boot up their systems, they are being taken hostage. By the time Olivia Owner arrives and is made aware of the system errors, it’s too late. In fact, she’s already received an email stating that all of her client records have been encrypted, but if she’ll wire $100,000 to an off-shore account, the password will be sent. Otherwise, the data is unrecoverable.
Is it possible that a data encryption expert might be able to beat the ransomware program? Sure, but these services can come with a six-figure price tag (an amount most small business owners can’t pay). Simply Google “Cyber Ransom” or “Ransomware” for the latest news on this growing scam that often happens to those who adamantly insisted it couldn’t happen to them.
Being a victim of a Data Breach is even scarier, as more than 75% of data breach incidents are caused by disgruntled employees. Here’s another scenario to show you how easily this can happen:Obnoxious Oliver gets fired for insulting too many clients. Before anyone realizes it, he’s emailed himself a wealth of company records. To make matters worse, he also walks out with a laptop that has company data on it. Then, he struts across the street to Starbucks, hops on the Wi-Fi, and is selling his now-former employer’s customers’ credit card numbers on the black market. The worst part is, he probably won’t get caught. Any investigations will find his old firm to be the source of the breach.
If Oliver’s ex-employer were Florida Information Privacy Act (FIPA) or State Data Privacy law compliant, they would be covered. But unfortunately, they’re not (not many businesses are). The average cost of forensics, statutorily required notification, and identity monitoring is an estimated $250,000 for small businesses. Under that type of financial pressure, the firm in our scenario goes under.
Protecting Your Business
So how do you protect your small business from a cyber ransom or data breach? The answer is “best practices.” In today’s e-commerce environment, businesses have to carry the burden of protecting their customers’ data for them. A business can create a “Safe Harbor,” as demonstrated by case law, by taking all reasonable measures to safeguard customer data and remain privacy law compliant. This often means encrypting all personally identifiable data, installing a network firewall, performing routine network monitoring, having a written policy for changing all passwords at regular intervals, having a written Data Breach/Cyber Intrusion response plan, and more. It may sound dramatic, but it has never been a better time to be an Information Technology security vendor. Every business needs one.
Here are some first steps, so you can sleep easy at night:
- Hire an IT firm or designate a qualified employee to conduct regular threat assessments, network monitoring, and keep all firewall and anti-threat software up-to-date.
- Immediately stop using any unencrypted databases, communications resources (such as email), or other means of storage or conveyance of any protected data.
- Train your entire firm on data security.
- Implement a written Data Breach/Cyber Intrusion disaster response and recovery plan. You’ll probably need a third-party vendor to craft the best plan for your individual needs and state law compliance.
- Consult an attorney who is well-versed in Data Breach/Cyber Intrusion matters and compliance.
- Do not rely solely on this article for what to do to be prepared, legally compliant, and a best practices business. This article is just intended to make you aware of some of the risks and give a brief and incomplete oversight of some of the steps towards solutions.
If your business is located in Florida, make yourself familiar with FIPA laws so you’ll know whether your business is compliant and protected. And lastly, call your local Independent Insurance Agent to inquire if a Data Breach/Cyber Liability insurance product is right for you and/or to make sure your existing coverage is enough.