Sales of cyber-insurance policies have spiked sharply this year, mainly because of the attention and scrutiny drawn by the massive data breaches at Target and Neiman Marcus over the last holiday season. In what was once an uncommon occurrence, banks are now also suing retailers that have been victimized by hackers who accessed mission-critical data. These threats against corporate data have finally caused many businesses to seek out risk management practices, such as insurance coverage, to protect against loss.
In general, most cyber-insurance policies cover the cost of a data breach investigation, customer notification and credit-monitoring services, as well as legal expenses and damages resulting from consumer class action litigation. According to The Wall Street Journal today, general liability insurers are expected to adopt language specifically excluding damages arising out of cyber-attacks. The nuances of these policies have still not been perfected, so companies should have an attorney who understands this area of law examine the scope of coverage contained in each policy. That due diligence will help organizational leaders determine whether the insurance premium benefits the company from a cost-savings standpoint.
Posted in Data Security & Privacy | Tagged cyberinsurance
In response to the thousands of mobile applications hitting the market that often rely on consumer data (e.g., contact information, location, photos), the Federal Trade Commission (“FTC”) released a suggested list of security guidelines for mobile app developers to follow when designing a program. While no one-size-fits-all checklist can exist, the FTC views these security tips as a way to help protect developers, consumers, and the reputation of the app. The following are the 12 suggested security guidelines for mobile application developers to consider:
1. Make someone responsible for security;
2. Take stock of the data you collect and retain;
3. Understand the differences between mobile platforms;
4. Don’t rely on a platform alone to protect your users;
5. Generate credentials securely;
6. Use transit encryption for usernames, passwords, and other important data;
7. Use due diligence on libraries and other third-party code;
8. Consider protecting data you store on a user’s device;
9. Protect your servers, too;
10. Don’t store passwords in plaintext;
11. You’re not done once you release your app. Stay aware and communicate with your users;
12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations.
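Guidelines 5 and 10 (generate credentials securely; don’t store passwords in plaintext) are the two on the list that map most directly onto a few lines of backend code. The following is an added illustration written for this post, not code from the FTC or from any app the post describes; every function name and the PBKDF2 work factor are assumptions. It contrasts the plaintext store the guideline warns against with a per-user salted, slow hash, draws tokens from the operating system’s CSPRNG, and compares hashes in constant time.

```python
import hashlib
import hmac
import secrets

# Constructed example for FTC guidelines 5 and 10. Names and parameters are
# assumptions, not taken from the FTC or the page.
PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def generate_credential(nbytes: int = 32) -> str:
    """Guideline 5: derive tokens, API keys and temporary passwords from the
    OS CSPRNG via the secrets module, never from random.random() or a clock."""
    return secrets.token_urlsafe(nbytes)


def store_password_insecure(password: str) -> dict:
    """Guideline 10 anti-pattern: the plaintext password goes straight to storage,
    so any read of the database (backup, stolen device, injection) exposes it."""
    return {"password": password}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Guideline 10: store a random per-user salt plus a slow, salted PBKDF2 hash.
    The record carries its own parameters so they can be upgraded later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so response timing does not leak how much of the hash matched."""
    if record.get("algo") != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def needs_rehash(record: dict, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """After a successful login, flag records whose work factor is below the
    current policy so they can be re-hashed transparently (guideline 11's
    "you're not done once you release" applied to stored credentials)."""
    return int(record["iterations"]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec["algo"], verify_password("correct horse battery staple", rec))
    print("reset token:", generate_credential())
```

PBKDF2 is used here only because it ships with the standard library; in production a memory-hard function (scrypt via `hashlib.scrypt`, or Argon2 through a vetted library) raises the cost of offline guessing further. The stored record deliberately carries the algorithm and iteration count so that a breach of the database yields nothing reusable and the work factor can be raised without a forced password reset.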
Before getting into the core aspects of these security guidelines, make sure to evaluate the ecosystem in which the app will reside. The FTC comments that while it is important to get the mobile app working and accepted by an app store, a critical third step, anticipating and preventing security glitches, is vital to the app’s long-term viability.
Posted in Business Law, Data Security & Privacy | Tagged FTC, FTC Mobile App Security Guidelines, Mobile Application Development
A bipartisan group of House and Senate members introduced the USA FREEDOM Act last month in an attempt to restore Americans’ privacy rights by ending the bulk collection of phone records and requiring greater oversight, transparency, and accountability with respect to domestic surveillance programs. The Sensenbrenner-Rokita NSA Reform Bill (another name for the USA FREEDOM Act) includes significant privacy and oversight provisions, detailed reporting on the number and types of FISA (Foreign Intelligence Surveillance Act) orders issued, and the creation of a Special Advocate post, whose purpose is to advocate for civil liberties and privacy rights before the FISA Court.
Sen. Patrick Leahy (D-VT) and Rep. Jim Sensenbrenner (R-WI) co-authored an op-ed published in Politico in which they highlighted the need to protect Americans’ civil liberties while preserving the intelligence community’s ability “to gather information in a more focused way, as was the intent of the PATRIOT Act.” Both Messrs. Leahy and Sensenbrenner agree that Congress must provide our intelligence community with the tools necessary to keep our country safe, but acknowledge that, to date, the intelligence community has failed to adequately justify its expansive use of current laws.
If passed and signed into law, the Bill would require that the Applicant (i.e., the Government) establish “reasonable grounds” that the tangible things sought are “relevant” and “material” to an ongoing investigation. The Applicant would be required to submit a statement of proposed “minimization procedures” to ensure that the search is as narrowly tailored as possible. The Applicant would also have to submit a statement of facts showing reasonable grounds that disclosure of the Government’s interest in collecting the data would result in (a) endangering the life or physical safety of any person; (b) flight from investigation; (c) destruction of or tampering with evidence; (d) intimidation of potential witnesses; (e) interference with diplomatic relations; (f) alerting a target in which the government has an interest; or (g) seriously endangering the national security of the U.S.; together with (h) an explanation of how the nondisclosure requirement is narrowly tailored to address a specific harm.
Are these parameters sufficient to balance the civil liberties of Americans against the protection of our national security? What type of “minimization procedures” would put your mind at rest that the intelligence community has not overstepped its bounds? Does the legislation go far enough, if at all, in reclaiming what we lost as a result of 9/11 with regard to our privacy rights, business interests, and standing in the international community?
Posted in Business Law, Data Security & Privacy | Tagged Civil Liberties, FISA, NSA, Rep. Jim Sensenbrenner, Rep. Todd Rokita, Sen. Patrick Leahy, USA FREEDOM Act, USA PATRIOT Act
This past summer the Ponemon Institute and Experian Data Breach Resolution released a report stating that most businesses now rank cyber-security risks higher than natural disasters and other major business risks. Despite this paradigm shift in the boardroom, few companies are yet willing to purchase cyber-insurance as part of their overall risk management strategy. An organization’s reluctance to purchase cyber-insurance, in spite of evidence suggesting it should, can be boiled down to how it weighs four competing priorities: (1) Risk Transfer – buying cyber-insurance in order to transfer risk to a third party; (2) Risk Acceptance – bearing the risk and budgeting for the eventual losses; (3) Risk Mitigation – taking steps to contain and minimize anticipated losses; and (4) Risk Avoidance – eliminating a risk entirely by removing the conditions that created it.
In today’s corporate cyber-world, it is practically impossible for most companies to simply “avoid” the risk altogether. Most businesses have to rely on internal controls to mitigate the risk, and then self-insure for the eventual breach of information. Under a cost-benefit model, this is the most financially prudent course of conduct. However, the cyber-insurance industry is rapidly evolving to a point where more and more businesses are looking to transfer their cyber-risks to a third party.
Unlike traditional business insurance, cyber-insurance policies are unique to the issuing carrier, and nothing is standard in the industry at this time. While a sizable third-party market exists to cover losses suffered by a company’s customers, first-party policies that address direct harms to the company itself remain expensive, rare, and largely unattractive. Several factors are to blame for this, including: (1) a lack of actuarial data, which results in high premiums for first-party policies that many companies can’t afford; (2) the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks; and (3) fear that a so-called “cyber hurricane” will overwhelm carriers that enter the market before they have built up sufficient reserves to cover large losses.
Of the companies surveyed by Experian and Ponemon, 56 percent reported a cyber-related breach in the last 24 months, at an average cost of $9.4 million per incident. That figure, however, is only a small fraction of the $163 million average maximum financial exposure that the surveyed companies (breached or not) believe they could suffer from a cyber-attack.
Third-party insurance and self-insuring against cyber-security risk are not always mutually exclusive investments. Cyber-security requires a comprehensive risk management solution that examines the organization’s people, processes, and technology. To properly evaluate the necessary coverage, a business should categorize and understand its exposure to its own losses and internal expenses, and consider its potential liabilities to third parties based on an assessment of the business itself.
Posted in Data Security & Privacy