The protection of an individual's personally identifiable information and other confidential data, whether an entity stores it in electronic or paper form, should be paramount to a company's operations and is one of the most important elements covered by a Cyber Liability Insurance package.
Developments in technology are transforming how this kind of confidential information is stored and controlled by an entity (the 'data controller'), and with them come increasing exposures for every data controller in the everyday running of a business. The large majority of companies in today's business world fit the description of a data controller, because they hold and control third parties' private information.
Personally identifiable information can include credit card details and personal health information. If these details are compromised (usually via a security breach by a 'hacker'), the consequences can be disastrous for an entity's ability to continue to trade.
The threat of a 'hack attack' (a security breach by a third-party hacker) is not the only exposure companies face in relation to the protection of personally identifiable or confidential information. Arguably, the threat from an employee or other member of staff is just as serious as the more commonly reported external attacks.
Whether innocently or not, employees and other members of staff can expose their company to having the confidential information of its customers, staff and associates compromised and placed into the hands of cyber criminals.
The United States (US) was reportedly the first nation to implement specific legislation to protect individuals' private and confidential information. As the threat of cyber attacks shows no sign of slowing, other jurisdictions, in particular the European Union (EU), have been quick to follow in the footsteps of the US.
The EU's proposed General Data Protection Regulation (GDPR) is close to being finalised. Once it has been adopted and applies in each member state, businesses of every sector (especially SMEs) will need to understand its potential ramifications. Failing to fully understand the legislative obligations associated with this new regulation could put a company out of business.
One key feature of the EU's proposed legislation, also found in the relevant US regulations, is the requirement for a data controller to notify affected individuals after an actual or suspected breach that leads to their confidential information being compromised.
There is still some debate about the universal notification period once a breach is found or suspected, but some reports suggest that the EU regulation will require the data controller to notify, within 24 hours, all individuals whose confidential information has been (or is deemed to have been) compromised. Failure to comply will result in a fine.
Although the proposed regulation is not yet in force, in the UK the Information Commissioner's Office (ICO) already has the authority to investigate and fine data controllers that directly or indirectly lose, or unlawfully transmit, the personal information of their customers, staff and associates.
The areas below outline just some of the procedures a data controller will have to put in place once a security breach has occurred and the loss, misplacement or unauthorised transmission of confidential information is known:
- Directly notifying each and every individual whose personally identifiable information has been, or is suspected to have been, compromised can be complex and will be time consuming. A call centre or identity theft hotline will need to be set up to communicate the extent of the breach to the affected parties.
- Credit monitoring (generally where credit card information has been compromised). After the breach, the data controller must liaise with the affected parties and offer them a means of seeing how their personal data is being used, so that any misuse can be spotted.
- If the breach is publicised, which commonly happens in today's environment, a specialist PR company may have to be engaged to help mitigate any reputational harm to the company.
- A third-party specialist may have to be engaged to undertake an independent security audit to determine the scope and extent of the damage caused by the breach, including whose personal information has been lost or stolen.
- In addition to the above, bodies such as the ICO may initiate a forensic IT investigation into the data controller's systems to ascertain how the confidential information was compromised. The cost of this will usually fall on the data controller, and if the report finds that the company had insufficient security measures in place, the almost certain result will be a fine or fines.
SMEs, ask yourselves this question: 'Would you have the additional financial capacity and resources to carry out the above procedures, respond effectively to a security breach and continue to trade?'
Even with the UK economy showing recent signs of recovery from the recession, the truth is that the vast majority of SMEs could not honestly answer 'yes' to that question.
This is where PIA/BI247 can help fellow SMEs find suitable protection against data privacy threats, via our exclusive links to A-rated insurance companies offering broad, bespoke cover options.
Generally we have access to insurance packages offering wide cover options for privacy-related exposures, as follows:
- Payment of all sums which a policyholder becomes legally obliged to pay (including liability for claimants' costs and expenses) for claims first made against them arising from a security breach which results in:
  - an actual or suspected breach of any personally identifiable information (PII), including credit card information, or personal healthcare information (PHI); or
  - a failure to adequately warn affected individuals or to provide a timely breach notification; or
  - a breach of any rights of confidentiality as a direct result of a failure to maintain the confidentiality of any data pertaining to an employee; or
  - a breach of any rights of confidentiality, including a breach of any provisions of a non-disclosure agreement or a breach of a contractual warranty relating to the confidentiality of commercial information or PII; or
  - a breach of any part of a website's privacy statement; or
  - a breach of any written contract between the policyholder and a third party governing the processing and storage of credit card information, including any breach of the Payment Card Industry Data Security Standard (PCI DSS); or
  - a breach of the policyholder's data, or of data for which they are responsible, that is located on a cloud computing provider's systems.
- Regulatory actions and investigation costs, including any resultant fines and penalties which the policyholder becomes legally obliged to pay.
- Payment of all sums reasonably incurred as first-party privacy breach notification costs arising from an actual or alleged security breach, to:
  - fulfil any obligation the policyholder has to notify any third party or employee, including but not limited to the legal costs of drafting appropriate notices for any third party or employee affected by the actual or suspected breach of privacy, and the printing and postage costs of issuing these notices or the costs of issuing any substitute notice; or
  - provide credit monitoring services or an identity theft helpline; or
  - conduct an independent security audit of the policyholder's computer systems to identify the source and scope of the breach; or
  - conduct a forensic investigation of the policyholder's computer systems as required by law or by a regulatory body (including a requirement for a PCI Forensic Investigator).
- Payment of third-party notification costs if a policyholder is contractually obliged to indemnify their client(s) against a security breach.
It would be easy to dismiss the above, and many SMEs may believe that they are not exposed to such threats, or that the examples given are purely theoretical.
However, alarming real-life reports suggest that the threat is growing fast, and we believe it would be very naive for SMEs not to at least consider suitable insurance protection.