Any business is vulnerable to a data privacy violation. Even gigantic Target, which could afford top-of-the-line defenses against cyber threats, wasn't safe.
The cost of Target's data breach is likely in the hundreds of millions. As we now know, hackers stole personal credit data on about 110 million people. Target has now directly communicated with all of them and needs to pay for one year of credit monitoring for each and every shopper. (At HNI, we got our monitoring offer. Did you get yours?)
Sources close to Target say the retailer has $100 million in cyber insurance and $65 million in directors' and officers' liability coverage. But the headaches continue for them months later. The Department of Justice is investigating, and C-suite members are before Congress to explain themselves.
Obviously Target’s problem is bigger than anything you or I ever would face, but it’s all relative.
So how does a business stay ahead of cyber risk, and how do leaders manage such a crisis? For modest-sized businesses, a cyber liability policy is a major component of being prepared to deal with a privacy event.
The right insurance plan is an in-place strategy ready to respond to a data privacy violation or cyber attack. In buying a policy, modest-sized businesses get a team of on-call specialists. Their job is to identify and fix the problem, help notify the exposed parties, and manage subsequent damages.
And remember, it doesn't have to be a cyber event. Any business that possesses private data is obligated to protect the information and to take steps if the data are compromised — regardless of whether the breach is a result of employee theft, dumpster divers, or even carelessness. The short story is: You're on the hook!
Let's look at the services and abilities that a privacy liability policy makes available to the policyholder:
Forensic investigators to identify the source of the problem and remove it from your IT system.
Lawyers. Although there are generally accepted criteria for response, laws are evolving and some venues are more active than others.
Public relations specialists prepared to make individual notification to exposed parties.
Crisis managers who understand what needs to be done, oversee individual tasks, and provide communication guidance.
Defense from government and regulatory fines and penalties.
Reputational management. Different from managing the immediate obligations, some policies include modest limits for experts who help in damage control. How is your brand exposed in your market?
Let’s face it: When it comes to cyber risk, all businesses are exposed. When a business allows private information to be compromised, there are necessary steps to take. A solid and up-to-date IT system with knowledgeable staff is step No. 1 in your fiduciary duty to maintain the privacy of protected personal data. A comprehensive cyber security/data breach liability insurance policy is a cheap way to be prepared if you release protected information.