Business Journal Article on Data Theft

November 23, 2009

Recently in the Kansas City Business Journal there was an article about data theft and the insurance options out there. It is nice to see someone finally bringing this issue to light and I hope this will make people realize that the threat is real. Over the past few months, I’ve spent a considerable amount of time trying to educate my clients and prospects on the need for this type of coverage but many business owners still think they are immune to a data theft.

To read the entire article, click here.


Cyber Liability vs. Data Privacy Coverage

July 22, 2009

Although some carriers and individuals lump Cyber Liability and Data Privacy coverages together, they are different coverages. I wanted to take a few seconds to discuss the differences in the coverages.

Cyber Liability coverage covers any liabilities that occur through a website, network or other technology your business uses. If a customer uses your web portal to spread a virus to other users, this would be a cyber liability. If a hacker steals money by hacking into your network, this would be covered under your cyber liability policy. However, typically one of the first things excluded in a cyber liability policy is the theft or loss of data which is why you need a data privacy policy as well. As I’ve discussed in earlier posts, data privacy insurance covers costs associated with a data breach. That breach can occur because data was either electronically lost or stolen or physically lost or stolen. For more information on these coverages, feel free to call me or e-mail me.


A tool to greatly decrease your cyber risk???

July 14, 2009

People have been looking for a tool to eliminate cyber risk for some time now but have struggled to find something. Not only would a tool help businesses prevent data breaches, but it would help insurance underwriters have a better understanding of the risk they’re taking on and allow them to price the data privacy insurance product appropriately.

I got to meet with a local business owner last week who may have the product. He currently has a product that minimizes health, safety, environmental, and other types of risk to help businesses decrease their insurance costs; they distribute their product through a large international insurance company. He was able to show me a product he’s developed that will allow a business owner to do the same thing with cyber risk. So don’t be surprised if you see a product like this on the open market in the next few years!


Why GRC is important to Insurance

June 4, 2009

Every time I start to think I have a grasp on what’s going on in the data security and privacy space, I talk to someone who makes me realize how vast this world is and how much knowledge I have to gain. I met with Chris and Chris, the founders of LockPath, this morning and realized that the world of GRC is so massive, I’ve just begun to skim the top of the surface. You may wonder why as an insurance producer I’m interested in GRC, but it’s simple. GRC is a great way to rate the potential risk of a business for an insurance underwriter.

I use the example comparing the cost of insuring a brand new Ford Taurus vs. a 2005 Porsche Carrera 4. An underwriter would never charge the same premium for these 2 cars because they understand how to qualify each risk. In the case of Data Privacy Insurance, it isn’t as clear which business is the Taurus and which is the Porsche. I’m hoping that we can use the principles of GRC to help underwriters quantify the data privacy risk of a given exposure.


What is Data Privacy Insurance?

June 3, 2009

At over $200 per customer, even a small data breach can be very costly to your business.  And even if you take all the necessary precautions to protect your network, we’ve seen no business is too big or too secure to have their network breached.  To help minimize the financial and business losses in the event of a breach, your business can purchase insurance to cover these costs.  However, most standard lines of coverage won’t cover data breaches and the cost associated with them.  In a recent article in the National Underwriter Property & Casualty Magazine, they write, “general commercial liability and umbrella policies do not cover the majority of activities associated with Web 2.0 and social media liability.” [1]  To help cover these costs, a business can purchase a data privacy policy. 

 

What can a data privacy policy cover?

  • Unauthorized access to, use of, or tampering with data
  • Liability arising from denial of service attacks or the inability to access websites or computer systems
  • Crisis management and public relations expenses
  • Regulatory action defense expenses
  • Computer system extortion expenses and losses
  • Intentional wrongful conduct of “rogue” employees
  • Coverage for punitive damages
  • Any form of invasion, infringement or interference with the rights of privacy or publicity 
  • Business Interruption loss and/or restoration expense incurred as the direct result of an enterprise security event which causes a system failure
  • Data restoration costs
  • Legal liability, defense costs and expense reimbursement for your business for a personal identity event

 


[1] “Hidden Risks.” National Underwriter Property & Casualty. November 3, 2008.


Creating a “Premiere” Risk Class

June 1, 2009

One of the biggest roadblocks to the emergence of Data Privacy insurance is its cost. I believe the challenge in pricing the coverage correctly comes from the underwriters’ difficulty in grasping the overall data and network security of a business. In talking with businesses, it quickly became clear to me that there were a few characteristics that set a business apart from its neighbor in the area of data security. If I can find enough businesses that demonstrate those characteristics, I believe we can establish a “premiere” risk class and get competitive pricing on data privacy insurance.

I met with one of those “premiere” risks today and wanted to point out a few of the characteristics that make them a leader in Healthcare IT Security.

  • They have software in place that will detect any rogue wireless access point
  • They have policies and procedures when any change is made to a firewall, router, or other piece of network hardware
  • All systems are scanned on a weekly basis and they hire a 3rd party to attempt to penetrate various systems on a continuous basis
  • Employees are trained annually on protecting sensitive information
  • Their data is all stored and backed up in a Tier 2 data center which will become a Tier 3 center in the next year

These are just a few things that I believe a business can do to help establish themselves as a “premiere” data privacy insurance risk.


National Counterintelligence Executive Speech

May 21, 2009

I had the privilege of going to Los Angeles 2 weeks ago to hear Dr. Joel Brenner speak on the topic of network and data security. It was a very small gathering and I got the opportunity to talk to him personally after the event. We discussed the misconception that data loss is covered by a business’s insurance policy and that most businesses were unprepared to deal with a data loss. During his speech he informed us that the Chinese and the Russians have already been seen in our electrical grids and in the networks of our major banks to illustrate how real of an issue this is. He offered us some tips for protecting your company’s network security, which I’ll share below:

  • Identify which information should be protected and for how long
  • Make sure to encrypt all extremely sensitive material
  • To dispose of sensitive material, shred or make it unreadable
  • Do not leave valuable company information unattended in hotel rooms
  • E-mail and voicemail passwords must be protected and changed frequently
  • All sensitive materials must be removed from conference rooms and chalkboards and whiteboards erased after meetings
  • Where possible, conduct background investigations on all individuals with access to sensitive information
  • Obtain nondisclosure agreements from employees, vendors, and others with access to proprietary information

These tips were taken from the Department of National Intelligence document Safeguarding Information for the Security Professional.  You can get to their website here.