
Protecting Against Online Fraud

While computers have improved the speed and efficiency of how we work, they have also allowed thieves and con artists an easier avenue by which to steal from people and businesses. One of the ways these cyber criminals use computers to steal is through online fraud, one of the fastest-growing crimes today.

Types of Online Fraud

Your company’s intangible assets could be at risk if you or your employees are not mindful of online fraud attempts. Understanding and identifying different types of online fraud could save your company thousands, or even millions of dollars in lost sales, damaged reputation, legal costs, etc.

  • Social engineering is the act of taking advantage of human behavior to commit a crime. Social engineers can gain access to buildings, computer systems and data simply by exploiting the weakest link in a security system—humans. For example, social engineers could steal sensitive documents or place keyloggers on employees’ computers at a bank—all while posing as an IT consultant from a well-known company. Social engineers can be tough to spot because they are masters at blending in.
  • Phishing is attempting to acquire information such as usernames, passwords, credit card numbers and other sensitive information by pretending to be a trusted entity in an electronic communication, such as email. One of the more common phishing scams is an email that asks the user to verify his or her account information. A quick check of your email’s Spam folder would likely turn up a few examples of phishing.
  • Pagejacking and pharming occur when a computer user clicks on a link that brings them to an unexpected website. This can happen when a hacker copies part of a real website and uses it in a fake site, causing the fake site to appear in search engine results. As a result, users could unknowingly enter personal information or credit card numbers into the fake site, making it easy for a hacker to commit online fraud. Pharming is the name for an attack intended to redirect a website’s traffic to a fake site.
  • Vishing is similar to phishing and pharming, except that victims of vishing attacks are solicited via telephone or another form of telecommunications. The attacker can easily pose as a representative of a bank or other institution and collect personal information that way.


Corporate Identity Theft

It doesn’t matter if you are a Fortune 500 company or a small “ma and pa” shop, cyber thieves are always looking for their next score. It is often assumed that smaller businesses are too small to attract attention from cyber crooks, but according to Verizon Communication’s 2012 Data Breach Investigations Report, 72 percent of the 855 data breaches analyzed were at companies with 100 or fewer employees. No company of any size is completely safe from cyber thieves.

There are many ways a cyber thief can steal a company’s identity in addition to the various types of online fraud listed above:

  • Stealing credit history – A cyber thief could steal and use a company’s credit history for his or her own financial gain, and then use it to set up a dummy corporation, racking up huge debt for the real company.
  • Dumpster diving – All too often, papers with sensitive information are recklessly tossed in the garbage instead of being properly shredded and discarded.
  • Hacking – Having proper security measures in place for your computer system is essential to keep intangible assets safe. Make sure you are using firewalls, routers and other security devices to protect your assets.


Prevent Online Fraud

Understanding and being able to identify potential online fraud techniques is the key to keeping your company safe. Use the following tips to protect your intangible assets and ensure protection against a data breach:

  • Never give out sensitive information like Social Security numbers or credit card numbers over the phone unless you know the person on the other end of the line.
  • Shred all credit reports and other sensitive data before disposal.
  • Educate employees about phishing and pharming scams. Remind them to not click on anything that looks suspicious or seems too good to be true.
  • If your company doesn’t have an IT department, hire an outside company to set up the proper security measures for your computer network.
  • Always monitor credit reports and other financial data for the company. If you see things that don’t belong, investigate.
  • Do not allow employees to write down passwords in the office.
  • Always encrypt sensitive data.


If You are a Victim

It is common to have an “it will never happen to us” philosophy when it comes to fraud. Unfortunately, that thinking can lead to lax security measures and carelessness when it comes to protecting intangible assets. If you become a victim of online fraud:

  • Act quickly. Report the fraud immediately to local law enforcement. Notify important suppliers, vendors and partners.
  • Alert your customers. If there is a data breach involving customers’ personal information, activate your plan to alert them. This information could be incredibly harmful to your customers, so alert them as soon as possible.
  • Do an investigation. If you do not have the resources to do an internal investigation, consult a third party. The quicker the breach can be dealt with, the fewer negative effects your company will endure.
  • Take measures to lessen the chance of a future breach. Fortunately, cases of online fraud can be good learning tools for your company. Analyze why the breach happened and take steps to make sure it doesn’t happen again.

Count on Our Risk Expertise

A data breach as the result of online fraud could cripple your company, costing you thousands or millions of dollars in lost sales and/or damages. Contact Texas Associates Insurors today to learn more about our resources and ensure you have the proper cyber liability coverage to protect against losses from fraud.


Responding to a Data Breach

No company, big or small, is immune to a data breach. Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true. According to Verizon Communication’s 2012 Data Breach Investigations Report, 72 percent of the 855 data breaches analyzed were at companies with 100 or fewer employees.

Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach, and lay out an action plan that will be used to investigate potential breaches and mitigate damage should a breach occur.

Defining a Data Breach

A data breach is an incident where Personal Identifying Information (PII) is accessed and/or stolen by an unauthorized individual. Examples of PII include:

  • Social Security numbers
  • Credit card information (credit card numbers – whole or part; credit card expiration dates; cardholder names; cardholder addresses)
  • Tax identification information numbers (Social Security numbers; business identification numbers; employer identification numbers)
  • Biometric records (fingerprints; DNA; or retinal patterns and other measurements of physical characteristics for use in verifying the identity of individuals)
  • Payroll information (paychecks; paystubs)
  • Medical information for any employee or customer (doctor names and claims; insurance claims; prescriptions; any related personal medical information)
  • Other personal information of a customer, employee or contractor (dates of birth; addresses; phone numbers; maiden names; names; customer numbers)

Data breaches can be costly. According to the Ponemon Institute’s Cost of a Data Breach Survey, the average per record cost of a data breach was $194 in 2011; the average organizational cost of a data breach was $5.5 million.

Internal Responsibilities upon Learning of a Breach

A breach or a suspected breach of PII must be immediately investigated. Since all PII is of a highly confidential nature, only personnel necessary for the data breach investigation should be informed of the breach. The following information must be reported to appropriate management personnel:

  • When (date and time) did the breach happen?
  • How did the breach happen?
  • What types of PII were possibly compromised? (Be as detailed as possible: name; name and Social Security number; name, account and password; etc.)
  • How many customers may be affected?

Once basic information about the breach has been established, management should keep a record of the events and the people involved, along with any discoveries made over the course of the investigation, in order to determine whether or not a breach has actually occurred.

Once a breach has been verified and contained, perform a risk assessment that rates the:

  • Sensitivity of the PII lost (customer contact information alone may present much less of a threat than financial information)
  • Amount of PII lost and number of individuals affected
  • Likelihood PII is usable or may cause harm
  • Likelihood the PII was intentionally targeted (increases chance for fraudulent use)
  • Strength and effectiveness of security technologies protecting PII (e.g. encrypted PII on a stolen laptop, which is technically stolen PII, will be much more difficult for a criminal to access.)
  • Ability of your company to mitigate the risk of harm

Government Regulation

There aren’t many federal regulations regarding cybersecurity, and the few that exist largely cover specific industries. The 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley (GLB) Act and the 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA), mandate that health care organizations, financial institutions and federal agencies, respectively, protect their computer systems and information. The language is generally vague, so individual states have attempted to create more targeted laws regarding cybersecurity.

California led the way in 2003 by mandating that any company that suffers a data breach must notify its customers of the details of the breach. Today, 46 states and the District of Columbia have data breach notification laws in place. Only Alabama, Kentucky, New Mexico and South Dakota have yet to enact such a law.

While notification laws vary from state to state, all include four basic provisions:

  1. All notification laws put a number on how long companies have to notify customers of a data breach and by what medium the notice will be given (written, email, press release, etc.).
  2. Laws set forth a penalty system (that differs from state-to-state) for failure to notify customers in a timely manner.
  3. Depending on the specifics of the breach, customers can sue the company for its part in the data breach.
  4. All notification laws have exceptions in a range of situations.

Your Notification Responsibilities

Responsibility to notify is based both on the number of individuals affected and on the nature of the PII that was accessed. Any information found in the initial risk assessment should be turned over to your company’s legal counsel, who will review the situation to determine if, and to what extent, notification is required. Notification should occur in a manner that ensures the affected individuals will receive actual notice of the incident. Notification should be made in a timely manner, but make sure the facts of the breach are well established before proceeding.

In the case that notification must be made:

  • Only those that are legally required to be notified should be informed of the breach. Notifying a broad base when it is not required could raise unnecessary concern in those who have not been affected.
  • A physical copy should always be mailed to the affected parties no matter what other notification methods are used (e.g. phone or email).
  • A help line should be established as a resource for those who have additional questions about how the breach will affect them.

The notification letter should include:

  • A brief description of the incident, the nature of the breach and the approximate date it occurred.
  • A description of the type(s) of PII that were involved in the breach (the general types of PII, not an individual’s specific information).
  • An explanation of what your company is doing to investigate the breach, mitigate its negative effects and prevent future incidents.
  • Steps the individual can take to mitigate any potential side effects from the breach.
  • Contact information for a representative from your company who can answer additional questions.

We Can Help You Recover from a Data Breach

At Texas Associates Insurors, we understand the negative effects a data breach can have at your company. Contact us today so we can show you how to recover from a breach and get your company back on its feet.


Cyber Liability CGL versus Specialized Cyber Liability Coverage

Let’s face it, we live in a world of technology. GOOD technology. The only way to effectively protect the assets of your business is to carry adequate Commercial General Liability (CGL) Insurance coverage. A CGL policy protects your business from damages caused by bodily injury or property damage for which your business is found to be legally liable. CGL is usually triggered first in the event of a loss, so many business owners don’t feel an additional endorsement or stand-alone policy is necessary.

A typical CGL policy contains three coverages:

  A. Bodily Injury and Property Damage Liability (BI/PD) – the duty to indemnify and defend the insured for claims made due to bodily injury or property damage.
  B. Personal and Advertising Liability (AI/PI) – same framework as Coverage A, except it insures claims for personal injury and advertising injury.
  C. Medical Payments – the insurer promises to pay emergency medical expenses for bodily injury for the uninsured or its employees as a result of an accident on the insured’s premises. It pays regardless of who is at fault.

Coverage B for Intangible Assets

If the threat exists that a) your company could be sued by a competitor for infringement or intellectual property theft, or b) you do not have the funds to cover legal fees associated with defending your patent or trademark, it is vital that you purchase this coverage. Defending infringement litigation can cost hundreds of thousands of dollars, not including the cost of damages and prejudgment interest. In patent infringement cases, attorney’s fees can easily top $1 million. Budgeting and planning for the protection of intellectual property rights may not only save your company a significant amount of capital, it may also help keep your business viable when legal bills accumulate rapidly.

Any act by the insured that somehow violates or infringes on the rights of others (referred to in the policy as an offense) is the subject of personal and advertising injury liability coverage, although only those acts that are specifically listed in the policy are covered. The coverage under the “advertising injury” provision is limited to those injuries that are directly related to the advertisement. Therefore, the policy covers debts owed by the insured party due to claims filed against it.

Coverage B policyholders are sometimes covered in cases relating to trademark infringement; however, copyright claims are only successful where they are directly related to advertising, and patent claims are rarely covered under the “advertising injury” provision. The cases which allow for coverage in a patent infringement case are generally limited to instances in which a court finds contributory infringement or inducement to infringe through an advertising medium. Since the “advertising injury” provision in a standard CGL is rather limited, many businesses consider additional coverage to protect their intangible assets.

There are three important exclusions in the AI/PI coverage that outline the need for additional intangible asset coverage:

  1. Excludes AI/PI arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.
  2. Excludes AI/PI committed by an insured whose business is: (1) Advertising, broadcasting, publishing or telecasting; (2) Designing or determining content of websites for others; or (3) An Internet search, access, content or service provider (ISP).
  3. Excludes AI/PI arising out of an electronic chat room or bulletin board the insured hosts, owns, or over which the insured exercises control.

There will be a large coverage gap in a traditional CGL policy if you are a media company, technology company or any other company that does business predominantly on the Internet.

Specialized Cyber Liability Coverages

Because of the increase in the number of a) intangible assets companies possess and b) the number of companies doing business on the Internet, new types of liability coverages have emerged to meet specific needs.

Errors & Omissions (E&O)

E&O insurance, also known as professional liability insurance (PLI), helps fill gaps in traditional CGL policies by protecting professional advice- and service-providing companies from having to bear the full cost of defending against a negligence claim that a service the company provided did not have the expected or promised results.

An E&O policy can cover intellectual property losses due to copyright infringement and plagiarism while also protecting a business in case of a data breach or identity theft. For example, if an IT specialist at a company makes a mistake with the company firewall and allows malware to spread through the company’s network, an E&O policy would help cover the company’s losses from the exposure.

An E&O policy can be customized with several other coverages, such as:

  • Electronic Data Loss – A fire or virus could lead to a business losing all of its data. An electronic data loss policy covers against this data loss and helps replace any income a business loses as a result of the loss.
  • Data Breach – This coverage is becoming more popular as the number of expensive data breaches increases around the globe. Data breach coverage can help a business cover the costs of customer notifications and any defense costs associated with the breach.
  • Media Liability – This coverage protects media-related firms from claims arising from defamation, invasion of privacy, plagiarism, copyright infringement, etc.

Directors & Officers (D&O)

A D&O policy insures upper management against claims of securities fraud, breach of fiduciary and other types of liability. For example, shareholders of a company could sue a company’s directors and officers for not putting the proper measures in place to stop a data breach.

Claims Made vs. Occurrence Policies

When purchasing CGL and cyber liability coverage, businesses have two primary policy types to choose from—claims made and occurrence. A claims made policy covers claims while the policy is in force, while an occurrence policy provides coverage for when the act occurred. Both types offer distinct advantages and disadvantages, so it is wise to do research to determine the best type of policy for your business.

  • Cost – Claims made policies are generally cheaper than occurrence policies. Premiums for claims made policies start low but increase each year to reflect the increased likelihood for claims in the future. While occurrence policies are generally more expensive, there is only a one-time cost with no additional fees.
  • Selecting coverage – With a claims made policy, coverage limits are easier to choose because they can be increased annually. You run the risk of being underinsured with an occurrence policy because the coverage you selected 10 years ago might not be able to cover expenses from a claim made today.
  • Pre- and post-coverage options – You will need to purchase “nose” and “tail” coverage with a claims made policy because if you are sued in 2006 for services provided in 2004, you will only be covered if your policy has an Extended Reporting Period (ERP), or “tail” coverage. Tail coverage can be expensive, but it is often included for free if you have been insured with the same company for a certain amount of time, or it can be offered as an incentive for switching to another company. Similarly, a “prior acts” endorsement, or “nose” coverage, is needed when switching insurers to cover claims that arose before the new policy was purchased. With an occurrence policy, no nose or tail is needed. It is easier to change insurance companies with an occurrence policy because no pre- or post-coverage endorsements are necessary.
  • Long-term protection – An occurrence policy will give you better long-term protection because you are insured from a claim no matter how long after the event the claim was made. For example, if a software company was sued for a security problem in one of its programs that led to a customer suffering a data breach 5 years after the product was released, the software company would be covered by the occurrence policy in place at the time of the breach.


Trust Us to Protect Your Intangibles

Here at Texas Associates Insurors, we know insurance can be complicated and confusing. Contact us today. We can help you navigate the complex cyber liability insurance world and discuss the coverages you need to protect your business from cyber risks.


Technology makes doing business easier, but what are the risks?

It is hard to believe how anything in business got done without today’s technological advances. In the past we had to rely on the US Mail, phones and, more recently, the fax machine to get information from one person to another. Now in the age of instant communication, we have email, text messages and the ever-important Facebook post to get our messages across.

With all the advances in technology, we are able to get more done in less time, and in many cases with fewer people, than ever before. While our technology changes and improves, have you kept up with the new risks your business faces?

A phrase that comes up with increasing frequency is “Cyber Liability”, but what exactly is that, and should you as a business leader be concerned? Cyber Liability is essentially the set of exposures companies face from their online activities. Once thought to be needed only by the “dot coms”, any company that routinely uses the internet as a business tool now faces new risks of loss, such as:

  • A hacker breaking into your network and stealing sensitive customer information
  • A virus on your computer network shutting down your operations, leading to a loss of revenue
  • An employee posting negative comments about your biggest competitor on Facebook, leaving you sued for defamation of character

Evaluating exposures to loss and developing a plan to mitigate the risk is a critical service that Texas Associates Insurors provides for our clients. Insurance policies may be a big part of your overall risk management plan, but if those policies haven’t kept up with the changing times, you may be more exposed than you know.
