Cyber / Internet Liability
Posted August 06, 2014
Author – Linda Bell, Account Executive, Horst Insurance
Posted – August 6, 2014
The Internet’s development has created a virtual wonderland of possibilities for everyone. We can “Google” anything we want to know and find an instant answer. We can buy almost everything we need while relaxing on the sofa. We can stay in touch with our friends without picking up the telephone. But, this technological wonderland has also created a completely new “web” of possible lawsuits and liability exposures. Unless you have purchased specific insurance to address internet issues, your insurance policies are not protecting your business.
Today, almost every business and business-wannabe has a website. Websites are established with the best of intentions – they are a source of advertising, business reference, and many function as a point of sale. The instant a website goes online, that business becomes a publisher with all the possibilities for lawsuits that newspapers, magazines, etc. have had for years.
What few businesses understand is that their business or personal websites face lawsuits that are without legal precedent. These potential suits are evolving, evasive, and complex. With the rapid dissemination of information, it is easy to access and inadvertently use information belonging to others and equally easy for the owners of that information to find you and bring suit. Imagine any of the following happening to you:
Copyright Infringement – You find some clip art that you like; add it to your website; the company or individual owning the copyright sues you for copyright infringement.
Invasion of Privacy – You list a customer on your website as a reference; that customer takes his business elsewhere; you did not remove his name and he now brings suit for unauthorized use of his name and invasion of privacy.
Trademark Infringement – You design a logo for your business; post it on your website; a business in California alleges that it is too similar to its logo and you are sued for Trademark Infringement.
In addition, many businesses have their clients’ personal data such as Social Security Numbers, bank accounts, credit card numbers, etc. on their computers resulting in the very real possibility of a data security breach. Many companies think they are not targets for this type of crime. However, hackers do not care where they obtain their information. Any company with computers is a target.
Pennsylvania law makes the business holding the personal data responsible for notifying each person of the security breach and that their personal data has been compromised. A breach can result from:
Misplaced Laptop – A traveling employee can leave it in the airport or it could be stolen from their car. Airport Lost and Found Departments are full of misplaced laptops. An airport employee could easily confiscate a laptop and its information.
An Employee – Over half of data breaches are intentionally done by company insiders. In addition, there is always the “oops factor” – an employee puts together a spreadsheet with the names, addresses, and bank account numbers for his billing department. He attaches the spreadsheet to an e-mail; instead of inserting the name of the billing manager, he inserts the contact list of a professional organization of which he is an officer. This data information has now been sent to persons outside his business and is a data breach.
Overseas Criminal – The data thief could live on the opposite side of the world. To steal your physical property, the criminal must be at your place of business. A hacker can operate anywhere and organized rings are operating around the world.
The cost of security breaches is increasing and can be significant. Many companies don’t consider the loss of confidence in their firm that would result from a data breach. Following are breach costs per record or for each person that must be notified:
|Public Relations Communication||1%||$2|
|Legal Services – Defense||15%||$29|
|Identity Protection Services||2%||$4|
|Audit & Consulting Services||13%||$24|
|Legal Services – Compliance||2%||$4|
|Free or Discounted Services||1%||$2|
|Lost Customer Business||42%||$83|
|Customer Acquisition Cost||10%||$18|
Chubb & Son, a division of Federal Insurance Co.
Your company’s “cyber fortress” must be strong and complete. You need firewalls, virus protection, authentication, vulnerability scans, intrusion detection, policy administration, and active content filtering. However, just like a fire alarm and sprinkler system does not guarantee that your building will not burn, these do not guarantee that a cyber criminal will not be able to get into your system. Your fortress will not protect against employee or vendor negligence, rogue or criminal employees or outsourcers.
You need insurance to help pay for the additional costs generated by your cyber breach and you need a formal, written incidence response plan. This plan should:
- Address actions to take when there is a breach of confidential information or a denial of service.
- List specific third parties that will provide support services.
- Be routinely tested, reviewed, and updated to identify any weaknesses in your plan.
In summary, anyone with presence on the internet can be sued. Anyone with data on the web can have that data stolen. Pennsylvania law requires businesses to individually notify their clients of any data breach. Ask yourself if you have the proper protection for this potential costly incident. Firewalls, etc. are not guaranteed. You need a “cyber fortress”, incidence response plan, and proper insurance.