If your company falls victim to a breach of its network, or if an employee’s laptop is stolen, how “secure” are you that you won’t be exposed to the expensive costs of privacy regulation?
“A lot of people think that Internet liability exposure or exposure to violation of privacy laws doesn’t really affect them, when actually every business would be affected by a breach of their network security,” says Phil Coyne, vice president at ECBM Insurance Brokers and Consultants.
Many people and businesses think that cyber liability exposure or a violation of privacy laws would not affect them, when in fact just about every business could be affected in some manner.
Smart Business spoke with Coyne about what you can do to reduce your company’s exposure to privacy violations.
What kinds of companies are at risk for cyber liability or privacy violations?
Any business that uses a computer or network, uses e-mail, or has access to the Internet is at risk. If you hold client information on your network, or retain private employee information, your risk increases dramatically. Customers who rely on a business’s network, or who have information residing on another business’s network, can inherit exposure, as well.
What legislation and/or regulations could companies be subject to?
Among the federal laws and regulations is the Gramm–Leach–Bliley Act, which protects consumers’ financial information and governs how it is used and protected by financial institutions. The Health Information Privacy Accountability Act (HIPAA) establishes requirements to protect individual health information. The Payment Card Industry Data Security Standard (PCI DSS) establishes worldwide security standards for protecting customer account information. The Federal Trade Commission Act, the Sarbanes-Oxley Act, the Fair and Accurate Credit Transactions Act, the Red Flag Provisions and state cyber privacy laws can also come into play.
What are the Red Flag Provisions?
They are part of the Fair and Accurate Credit Transactions Act of 2003, Section 114. This provision requires companies to ‘detect, prevent and mitigate identity theft in connection with the opening of certain accounts.’ It specifically referenced banks, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies and those in the health care industry.
The act requires that any business that has ‘covered accounts’ have a plan in place to help recognize the red flags associated with identity theft and fraud. The plan has to be a written plan that has had the approval of a board of directors or a committee from the board of directors that has senior management involvement. It must include training and oversight of the program.