Thursday May 24, 2012

Security Issues Beyond IT and Into the Boardroom

Boards need to analyze the potential impact a breach could have on the organization.

Gone are the days when intrusion detection software and anti-virus software were enough to allow you to be confident that your company’s data was safe. Earlier this year, more than 75,000 computer systems at nearly 2,500 companies worldwide were hacked in one of the most expansive and sophisticated runs by cyber criminals to date. News broke earlier this year of alleged hacking attacks originating from China against Google. The internet giant alleges that hackers stole “intellectual property” and attempted to break into the e-mail accounts of human rights activists focused on China.

The sophistication of the perpetrators behind these and similar incidents has propelled the data security issue beyond the IT realm into the boardroom. Directors and officers must now make it their business to understand what information their company holds, where it is located and how it is protected. Boards need to analyze the potential impact a breach could have on the organization, be part of the effort to design and implement a far-reaching program to prevent breaches, and prepare the organization to respond properly if one occurs.

Navigating the Regulatory Environment
Responding to regulatory changes can be among the most complex pieces of the puzzle. Numerous federal and state regulations pertaining to data privacy and security have been enacted and more are in the pipeline. For companies that don’t keep pace with the fast-moving regulatory environment, it’s a minefield of rules that could erupt in fines, penalties—and substantial liability for your organization and its management. A sampling of recent regulatory standards follows:

  • The Health Information Technology for Economic and Clinical Health Act
    A provision of the economic stimulus bill, the HITECH Act expands the privacy and security regulations of the Health Insurance Portability and Accountability Act (HIPAA) beyond the healthcare industry and health insurers to any business performing activities involving Protected Healthcare Information.
  • Payment Card Industry Data Security Standard
    Created by credit card associations to combat fraud, PCI-DSS requires all those in a card transaction stream, including merchants, processors, and acquiring banks, to implement controls to protect credit card data.
  • The Federal Trade Commission (FTC) Red Flags Rule
    This rule requires creditors to implement a program that identifies and detects warning signs of identity theft before extending credit to customers.
  • Massachusetts 201 CMR 17
    Some 45 states currently require companies to notify those affected by a data breach as soon as practicable. Massachusetts enacted the most sweeping state mandate to date, requiring any businesses handling personal information of state residents to proactively develop, execute and maintain a program to protect this information.

More than a Policy
Since traditional insurance typically does not respond to data security and privacy events, boards need to be proactive in ensuring that a comprehensive approach to mitigating breach exposures includes insurance.

Privacy and security liability insurance should expressly address both first-party and third-party costs associated with a breach incident. It should be underwritten by a carrier with relevant experience in the line and in-house IT specialists who speak the language of your company’s own data security team. Other important facets to look for in coverage include:

  • A broad definition of “covered information,” including not only the personal and private information of individuals but confidential corporate data;
  • Coverage for legal liability damages and defense costs, as well as regulatory actions, fines and penalties (as permissible by law); and
  • Coverage for the myriad costs a company will incur to manage an incident. Also ask about coverage to notify victims in those few states that do not currently have breach notification laws; while not required, the gesture can create goodwill and keep incidents from escalating.

Once a proper plan and insurance are in place, sound corporate governance requires that you stay closely attuned to data security risk. If the data security issue is not handled properly, the stakes can be high, including directors, officers and corporate liability, exorbitant fines and penalties and damage to your company’s reputation. With policies and procedures to prevent and respond to incidents, broad-based insurance and ongoing monitoring of the risk and regulatory environment, your board can be confident that this governance duty is prudently addressed.

Mark Camillo is vice president of professional liability at Chartis. The views and opinions expressed herein are those of the author and do not necessarily reflect those of Chartis Inc. or its subsidiaries, business units or affiliates.
