My friend Dan (not his real name for protection of privacy) recently returned from a week of non-stop travel. Three cities, six airplane flights, and two hotels later, he was finally home. He was about to hit his head on his own pillow when he realized his company iPad was missing. Dan’s heart stopped. On that device was client contact information, product details, and company marketing plans. He’d used the iPad during his last layover. Who had it now?
Cyber or “data” insurance is not just about protecting you in case hackers steal your information. It covers the loss of intangible property, such as:
· Data files
· Proprietary formulas or strategies
· Sensitive financial information
· Personal data of employees or customers
In Dan’s case, he could easily replace his device. But it’s a cyber policy that would protect his company, and his clients and contacts, in the case any protected information on the lost device got into the wrong hands.
A data breach can happen electronically, verbally, or in written form. It can happen from outside your company - like hackers. Unfortunately, most breaches actually occur from inside your organization.
Let’s take a closer look at four types of common data breaches covered by a cyber policy.
1. Internal Links
In April 2017, the Yakima Herald-Republic reported that the local hospital, Virginia Mason Memorial, had recently sent 419 letters to past emergency room patients, letting them know about a privacy violation. The hospital’s routine audit revealed 21 employees had improperly accessed those patient’s records, including medical information and addresses. The employees were spending time viewing information for patients they were not responsible for.
Administrators knew health information was accessed, and they could not guarantee financial information was not also viewed. Clean up required not only patient notification, but credit monitoring (at the cost of the hospital), forensic analysis through an outside firm to determine whether patients’ data has shown up on the black market, and serious evaluation of employee training and enforcement of privacy rules.
The Yakima hospital employees may not have intended any harm. But often, internal leaks can be caused by a rogue employee with malicious intent.
2. Verbal Data Breach
One of the most well-known verbal data breaches came when a local pharmacist accessed patient records and shared it with an outside 3rd party. The pharmacist at a Wallgreens in Indiana used her powers under her job to access private health information of her husband’s ex-girlfriend, and shared it with him. When the exposed individual found out, she sued the employer. Though the pharmacy appealed to the Indiana Court of Appeals, the court upheld the original verdict, costing the healthcare employer $1.44 million dollars.
But what’s most important for you, is the example this case set of a court holding the healthcare employer liable for a single employee’s violation of HIPAA. The cost above only includes the civil lawsuit, and does not include any potential fines from the Office of Civil Rights (OCR).
Over the past few years, it’s typically taken a compromise of several hundred records to trigger a HIPAA fine by OCR. However, as of early 2018, we are seeing healthcare businesses fined for as few as one record breach.
3. Written Data Breach
If an iPad can be left on an airplane, how easy is it that a financial report could be left at a coffee shop? How easily could a note with a credit card number on it accidentally get tossed in the trash instead of the shredder and picked up by the cleaning crew? Or even worse, a customer or contact list taken by a disgruntled employee? Protection of cyber insurance is not limited to just electronic transmission.
Industry statistics have shown unintended disclosures, such as misdirected faxes and emails, or the improper release of discharge papers, contribute to as much as 40% of healthcare data breaches.
On June 8, 2017 one hacker, who calls himself TheDarkOverlord, broke into records systems and leaked 6,000 patient records from a medical office and 6,300 records from a dentistry office, both in California. (As reported by healthcareitnews.com) The next day, that same hacker began threats to a pediatric dentist in Virginia.
With the average cost of a healthcare breach being $380 per record, these clinics likely faced over $2,000,000 in costs for legal fees, forensic investigations, patient notifications and possible credit monitoring, and public relations to restore their patient’s trust. And that doesn’t include HIPAA fines.
Even if your data is stored on a server contracted with a third-party (like cloud based systems), you are most likely responsible for any notification, regulatory fines and penalties and lawsuits (read the fine print of your contract). You can’t control your provider’s systems, but you can protect yourself with cyber insurance.
More Than Money
A solid cyber policy provides more than insurance dollars to cover costs. What you are really buying is an expert team who are ready day #1 to help you through the chaos of a data breach.
If you discovered your data got into the wrong hands today, who would you call? Do you know exactly what you are required to report and when? The laws are different in all 50 states. A solid cyber insurance policy includes access to licensed attorneys who are trained to help you navigate necessary steps so you are able to get back to leading your business.
Many policies will also help you with business interruption loss. How well would you operate if your computer systems, documents, and credit card processing went down for one, two, three or more days? What would the down time cost your organization?
What happened to my friend Dan? Well, he got lucky. He immediately called the airline. And it just so happened that out of all the service centers, the airline desk at his local airport answered his call. By lucky chance the iPad had just been turned in by the night cleaning crew and was awaiting his pickup the next day.
Odds are, data recovery won’t be so easy next time. But Dan now knows what to do and who to call. Do you?
Cyber Security - Part 1: How Do I Know If I'm Really At Risk?
Cyber Security - Part 3: 6 Keys to the Right Cyber Protection for You – coming soon