Each day since Sandy made landfall along the Atlantic coast, our clients have discovered more difficulties left in her wake. Some challenges are easy to see. Others are less apparent, but may cause serious damage. Perhaps no domain reflects this dynamic more than data security and cyber liability. By taking precautions now, serious cyber losses can still be prevented.
Based on our experience, cyber losses typically spike following floods, and Sandy’s storm surge is no exception. Examples of cyber losses that typically follow floods include breaches of sensitive information caused by lost or stolen electronic devices or paper records, corrupted data and interruptions of technology services. While some of these losses are unavoidable, lessons learned from earlier floods can help a company protect itself.
Avoiding a Cyber Loss Is Worth the Extra Effort
A cyber loss such as a data breach is a reputation-altering event that requires immediate and considerable funding to remedy, and often results in serious cash flow strain. In the aftermath of Sandy, unanticipated costs and loss of business stemming from a data breach could mean the difference between recovery and bankruptcy.
Regulators have assessed six-figure data breach fines against small businesses, and fines assessed against major corporations are much more substantial. Some penalties have resulted in consent decree settlements requiring 20 years of independent audits of cyber security compliance. Data breaches often result in class action litigation. The cost of a breach has been estimated at approximately $200 per individual whose data has been exposed.
Bottom line: it is worth expending effort now to avoid a data breach.
Three Steps to Take Now
Taking three steps now – while cleanup efforts are under way – can make a meaningful difference:
- Deploy robust physical security to protect computers while flood damage is being remedied
- Ensure that damaged paper documents containing sensitive information are located, secured and properly destroyed
- Remind employees to carefully secure laptops and other portable devices.
Post-flood situations generate opportunities for criminals to steal electronic equipment and sensitive documents, triggering data breach notification obligations. Taking extra steps now to secure computers and key documents while damage is assessed and remedied can help companies avoid suffering data theft over and above other Sandy losses.
Examples of extra physical security that might make sense, depending on the specific circumstances, include placing computers and sensitive documents in a locked room while cleanup efforts are under way. Where feasible, keep the locked room under video surveillance for extra security. If these potential security options are not practical under the circumstances, other options should be explored. The key is to consider and take reasonable steps to secure sensitive data stored on computers or in paper files to avoid a data breach during cleanup.
Care needs to be taken in securing and destroying flood-damaged documents to ensure that those containing sensitive personally identifiable information (PII) or personal health information (PHI) are not exposed. Keeping sensitive documents in a secure location is important. Numerous data breach claims have resulted when dumpster-diving reporters and others find documents with PII or PHI, exposing the company that failed to secure sensitive information because it was simply thrown in the trash. Keep this in mind when evaluating options for destroying damaged paper records.
Securing Mobile Devices
With more employees working remotely in Sandy’s aftermath, it is worth reminding everyone to carefully secure mobile devices. Theft of mobile devices is a top source of data breaches – a laptop left in the passenger compartment of a parked, locked car is a prime target. Remind employees to take mobile devices with them, or at least put the mobile device in the trunk. This is an easy way to avoid becoming the next statistic. Nobody wants to be the employee responsible for a data breach that happened because a mobile device was left on the seat of a car!
By taking the three steps cited above, companies can minimize the risk of a data breach during post-Sandy cleanup efforts.
Additional Protection: Cyber Insurance
In the aftermath of Sandy, questions will emerge concerning coverage that may be available under cyber insurance policies. Companies with cyber coverage in place will benefit from this protection. Companies without cyber coverage should consider it now. Cyber policies generally cover data breaches, so if a potential data exposure is suspected, it is important to contact a cyber insurer quickly to obtain the maximum benefit of the coverage. Additionally, certain cyber policies include coverage for business interruption, contingent business interruption, digital asset loss and business interruption created by cloud-provider service interruptions. These coverage components are relatively new additions to cyber policies, and the specifics of coverage vary significantly. It is important to establish an early dialog with insurers if a Sandy-related situation triggers cyber coverage.
Business Interruption and Digital Asset Losses
Quantifying cyber business interruptions and digital asset losses is likely to require analysis similar to that for non–cyber business interruptions, supplemented with analysis and understanding of the specifics of the cyber business model and how losses might be generated and quantified. Wilson Elser is preparing an additional alert that will fully address business interruptions.