In an increasingly digital world, data liability is a bigger concern than ever before. Not convinced? Take a look at this 2016 data breach report from the Identity Theft Resource Center. At 203 pages it provides compelling evidence that non-profits, schools and businesses of all sizes are in the cyberthieves’ cross-hairs.
Unfortunately, too many small and medium-sized businesses assume that their data wouldn’t be of interest to hackers and is therefore safe from attack. This complacency leads to a failure to take the proactive security steps necessary to prevent the financial catastrophe that even a minor data breach can wreak on a business.
Data liability insurance (also called data breach insurance) is an important risk management instrument that businesses of all sizes need to consider. However, obtaining the right policy at the right price will take some up-front work on your part. Eligibility for coverage and the amount you’ll pay for it will depend on the level of risk your organization represents to the insurer. Here are a few things you can do before applying for this coverage.
Follow these steps to ensure you’ve got the best shot at an affordable option. Also consider an independent review of the entire technology environment because outdated and unsupported devices will need to be replaced.
Ensure you have a written company privacy policy.
Most insurers will require a copy of this document as part of the application process. It identifies the “touch points” where internal and external parties can access sensitive data—including nonpublic data that must never be shared. This policy officially states your company’s rules for keeping that data private. It’s a good idea to have this policy reviewed by a legal professional prior to publishing. You’ll also want to have some means of documenting the fact that all involved parties (including any third-party contractors) have received and understand both the policy and the consequences for infraction.
Physically protect access to your core infrastructure devices.
This step also calls for a document, one that describes how the hardware that stores your sensitive data is physically secured behind lock and key. To get the best rates, it is important to employ robust policies that determine who will have access to these resources.
Employ need-to-know access restrictions to nonpublic data.
The greater the number of restrictions on who can easily gain access to sensitive data, the better. The receptionist at the front desk probably doesn’t need access to the same level of data that a mid-level manager does. Make sure you restrict access to sensitive areas of data (accounting and human resources, for example) based on clearly defined job responsibilities. This eliminates opportunities for less responsible parties to inadvertently mishandle confidential information.
Establish a written action plan for responding to data breach incidents.
Your insurer will want to see this document, too, because even the best-prepared organizations are vulnerable to the unexpected. Insurers want to know in advance how you plan to respond to these events. Define what immediate steps will be taken to contain a breach (or suspected breach): for example, to identify the scope of parties affected, to inform affected parties (both internally and externally) and to correct the situation to the extent possible.
Establish data destruction procedures.
All computer hardware that is being re-purposed or phased out of use needs to be handled with due consideration for the sensitive information it may contain. Hard drives should be scrubbed or destroyed prior to leaving the building. If hardware is trashed or recycled, be sure to document the data destruction and who took possession of the device.
Information technology is a powerful business tool, but it can also be a huge business liability when handled poorly. To truly follow best practices, the above documents and procedures should be implemented in every business. Data breaches are predicted to become more severe in the years to come; implementing enhanced prevention now may prevent loss of money and reputation in the future.
Working with a trusted technology management partner ensures that your technology is secure, up-to-date and continuously monitored. If you’re considering a data liability policy for your business or just looking to improve your security posture, contact us to help you take the necessary steps before applying for breach insurance.