The secure protection of an individual's personally identifiable information and other confidential data, whether stored by an entity in electronic or paper format, should be paramount to a company's operations and is one of the most crucial elements of a Cyber Liability Insurance package.
As developments in technology transform how this kind of confidential information is stored and controlled by an entity (the 'data controller'), the exposures faced by all data controllers in the everyday running of a business grow with them. The large majority of companies in today's business world fit the description of a 'data controller', as they hold and control third parties' private information.
Personally identifiable information can include credit card details and personal health information, and if these details are compromised (usually through a security breach by a 'hacker'), the consequences can have disastrous implications for an entity's ability to continue to trade.
The threat of a 'hack attack' (a security breach by a third-party hacker) is not the only exposure companies face in relation to the protection of personally identifiable and confidential information. Arguably, the threat emanating from an employee or other member of staff is just as serious as the more commonly reported 'hack attacks'.
Whether innocently or not, employees and other members of staff can expose their company to having the confidential information of its customers, staff and associates compromised and subsequently placed in the hands of cyber criminals.
The United States (US) was reportedly the first nation to implement specific legislation to uphold the protection of individuals' private and confidential information. As the vast threat of cyber attacks shows no sign of slowing, other nations, in particular the European Union (EU), have been quick to follow in the footsteps of the US.
The EU's proposed 'General Data Protection Regulation' (GDPR) is close to being finalised, and once it has been completed and imposed on each member state, the potential ramifications for all businesses (especially SMEs), regardless of sector, will need to be understood. Complacency about fully understanding the legislative obligations that come with this new regulation could put a company out of business.
One key feature of the EU's proposed legislation, which is similarly contained in the relevant US regulations, is the requirement for a data controller to notify all affected individuals after an actual or suspected breach that leads to their confidential information being compromised.
There is still some debate surrounding the universal notification period once a breach is found or suspected, but some reports suggest that the EU regulation will state that all individuals who have (or are deemed to have had) their confidential information compromised must be notified by the data controller within 24 hours. Failure to comply will result in a fine.
Although this proposed regulation is not yet in force, in the UK the Information Commissioner's Office (ICO) already has the authority to investigate and fine data controllers who directly or indirectly misplace and/or unlawfully transmit their customers', staff's and associates' personal information.
The areas below outline just some of the procedures that a data controller will have to put in place once a security breach has occurred and the loss, misplacement or indirect transmission of confidential information is known:
SMEs, ask yourselves this question: 'Would you have the additional financial capacity and resources to apply the above procedures in order to respond effectively to a security breach and continue to trade?'
Even with the UK economy showing recent signs of recovery from the recession, the truth is that the vast majority of SMEs would still not be able to honestly answer the above question with 'yes'.
This is where PIA/BI247 can help fellow SMEs find suitable protection against data privacy threats, via our exclusive links to A-rated insurance companies offering broad, bespoke cover options.
Generally, we have access to insurance packages offering wide cover options for privacy-related exposures, as follows:
It would be easy to dismiss the above content, and many SMEs may believe that they would not be exposed to such threats, or that the examples given are merely theoretical.
However, alarming real-life reports suggest that the threat is growing fast, and we believe it would be very naïve for SMEs not to at least consider suitable insurance protection.