Protecting your data

How do you get coverage to protect your company’s data?

To secure insurance coverage, you have to do an assessment of your computer systems. It forces you to look at the areas in which your systems can be penetrated. That makes you a better company because you’re forced to fill in the gaps of potential penetration.

Not everybody has to have an assessment, but any business that is dealing with and holding customer information can have an exposure. In certain businesses, people feel very comfortable with the controls in place and may not need to do a physical assessment. But if the underwriters feel you could have a significant loss, they would require their insurance company to do an assessment of your systems. They use an in-depth questionnaire that tries to find holes in that particular network.

Or you can hire a third-party company, not just to assess your system but to try to hack it and break the system to try to find those potential holes before someone who wants to cause the business harm finds them.

How can data coverage protect you from litigation?

Think of the example of the laptop stolen out of a car. Part of the coverage would be a year or two of credit monitoring for the people who may be affected. Chances are that none of their records will ever have credit problems, but you have a duty to protect that credit information.

If data is stolen and it is used in a harmful way to the person — they have loans taken out in their name or credit card bills run up and it has affected their credit scores, leading to collectors hounding them — the indemnity would not only make those people whole, but it would give them expenses toward fixing their credit. Most insurance also includes a partnership with a PR firm that can help you regain the faith of your customers.

Also, forensic computer specialists can be hired to determine what was lost. If there was litigation or a class-action suit or someone was adversely affected because his or her identity was stolen and used by someone else, the coverage would pay third-party indemnity.

There can also be regulatory defense fees, so if you have broken some rule of HIPAA or of some governmental body and they fine you, the coverage can potentially pick up the fines related to that.

One of the things that matured in the last few years is ransom demands. If someone stole your data and held it for ransom, you can also purchase insurance that would pay that ransom.

Jonathan Theders, CPIA, is the president of Clark Theders Insurance Agency Inc. Reach him at (513) 779-2800.