Protecting Your Company Against Liability from Confidential Data Leaks

Posted on Friday, April 19, 2019

The Data Loss Database is an online resource devoted to tracking lapses in data security. Its reports indicate that the number of data breaches has increased from 44 incidents in 2004 to more than 1,300 at the present time. Beyond the rising number of breaches, it is also important to consider how detrimental each one can be to the organization where it happens.

One example: A reported security lapse by one major insurance company potentially disclosed the drivers' license numbers, dates of birth, and Social Security numbers of over a million people who simply filled out an online application for an insurance quote.

To their credit, this insurer has been proactive in contacting each person potentially affected, and offering free credit monitoring and identity theft protection for a year at company expense. But potential penalties to the company are huge. This example alone is enough to illustrate the impact a single data breach can have financially on an organization of any size.

How Data Breaches Occur

There are various ways sensitive data can be compromised in an organization, including:

hacking by outside attackers
data incorrectly stored on laptop computers that are lost or stolen
poor document shredding protocols
mail
e-mail
accidental breaches by inside employees
and deliberate leaks by disgruntled former employees seeking retaliation.

Even organizations that do their best to manage all of these variables may not be able to control every possible way in which data could be leaked in their organization. However, the law is very clear: Businesses are responsible for safeguarding all personally identifiable information entrusted to their care. That goes for employee and customer data alike.

According to the Ponemon Institute -- an independent privacy, information, and data protection firm -- the lost income and man-hours spent notifying individuals affected by a potential breach cost health care providers an average of $204 per compromised consumer record. In addition, federal penalties on health care companies that leak data on 500 or more patients can be as high as $1.5 million per incident. For other industries, civil and criminal penalties resulting from data breaches can further contribute to the organization's financial loss. Many such organizations could be bankrupted by even a single catastrophic breach of their database. Unfortunately, standard business insurance does not typically provide any protection for business losses that occur as a result of a data breach.

Therefore, it can be critical for a company that relies on obtaining and retaining sensitive personal data to consider what is sometimes known as "cyber insurance." This type of data breach insurance coverage is a fairly recent option for organizations. These policies are often very broadly written and offered as stand-alone policies focusing solely on data loss caused by breaches, as opposed to other hazards such as fire or flood.

While these policies vary, coverage may include:

The cost of notifying all those potentially affected by the breach.
Any lost income due to damage to a company's reputation.
The cost of providing credit monitoring services to individuals affected by the breach.
The cost of any public relations efforts to rehabilitate a company's image and reputation.
Any costs of legal defenses that occur as a result of the breach.

When shopping for data breach insurance protection, business owners and risk management professionals should ask their agents whether the policy covers only on-site storage, or whether it also applies to the cloud or any other off-site storage technique.

Shoppers should also determine in advance whether the insurance will cover them against claims made against them by credit card companies and other lenders, who lend based on fraudulent information that criminals only obtained because of the leak.


Disclaimer: The information contained in Dulin, Ward & DeWald’s blog is provided for general educational purposes only and should not be construed as financial or legal advice on any subject matter. Before taking any action based on this information, we strongly encourage you to consult competent legal, accounting or other professional advice about your specific situation. Questions on blog posts may be submitted to your DWD representative.
