Protecting Your Clients’ Business and Personal Information

Posted February 04, 2014

Whether your business is a Fortune 500 company or a one-man show, data security needs to be a top priority. Small and medium-sized businesses are becoming more frequent victims of data breaches, whether through their own negligence or the efforts of a malicious attack.

Unfortunately, it often takes the loss of hundreds of thousands of client records, and the ensuing costs associated, to make organizations recognize the importance of data security. The potential of losing the financial or personal information of just one customer should be enough to re-evaluate data policies and procedures in order to prevent such incidents. Don’t let your business be a victim. Take a proactive approach to data security by properly securing your data and protecting your exposure.

What’s at Risk

In the unfortunate event that your organization experiences a data breach, there are a number of costs your business could incur. The cost of investigating and fixing the cause of the security breach can vary greatly depending on whether the incident was caused by employee error or a hard-to-detect flaw in your organization’s security measures.

The cost of notifying those whose information was compromised can also range in cost. State laws dictate how quickly those affected need to be notified and what civil or criminal penalties your business can experience if you fail to promptly notify the people involved. Furthermore, your organization may need to provide credit watches for the victims of the data breach to prevent identity theft and could experience litigation brought against you. However, the loss of your client’s trust and the resulting loss of business could affect your organization the most.

Considering all factors, research conducted by the Ponemon Institute estimates the cost of a data security breach to be around $214 per compromised record. In total, the cost of a single data breach incident averages around $7.2 million.

Red Flags Rule

In 2008, the Federal Trade Commission (FTC) created and implemented the Red Flags Rule. The rule applies to certain businesses, requiring them to have a written identity theft prevention program in place. The rule was enacted to address the large number of identity theft incidents that happen in the United States due to data security breaches.

The two types of businesses required to abide by the Red Flags Rule are financial institutions and creditors. Financial institutions include banks, savings and loan associations, credit unions and any other business that directly or indirectly holds customer transaction accounts. The FTC’s definition of creditor includes:

  • Businesses and organizations that regularly provide goods or services first and then collect payment from customers later.
  • Businesses and organizations that regularly grant loans, arrange for loans or the extension of credits, or make credit decisions.
  • Business and organizations who regularly participate in the decision to extend, renew or continue credit, including setting the terms of credit.
  • This broad definition of creditor includes many technology-based companies.

The Red Flags Rule requires that financial institutions and creditors with covered accounts have a written identity theft prevention program. The FTC defines covered accounts as consumer accounts designed to permit multiple payments or transactions and any other account that presents a foreseeable risk of identity theft. A satisfactory written identity theft prevention program should:

  • Identify red flag activity (patterns, practices and specific forms of activity) that indicate possible identity theft.
  • Integrate red flag detection in business practices.
  • Define the appropriate response to take to prevent and mitigate identity theft if a red flag is detected.
  • Be periodically reviewed and updated to reflect changes in risks from identity theft.

Financial institution and creditors without applicable covered accounts are not required to have a written identity theft prevention program in place, but they are required to periodically evaluate their business to determine if they have developed or acquired any covered accounts.

Plan for Prevention

Risk management analysis and planning is still the best way to mitigate exposures, whether they are physical or digital. Even if your company is not one that falls under the FTC’s definition of a financial institution or creditor, having a written identity theft prevention program is an excellent way to address the potential threat of data breaches leading to identity theft.

For effective data security risk management, the technical, legal, compliance and risk management teams of your organization need to work together effectively. Your organization should be aware of and in compliance with all regulations pertaining to data security in each area that your company does business. Technical operations team members need to be continuously evaluating, monitoring and testing data security measures and procedures to stay one step ahead. Seriously consider the amount of risk your company has taken on and what risk you can transfer through technology-related policies, including cyber liability and technology professional liability coverage.

Contact Horst Insurance for more information on data security and protecting your technological risk.

This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.