Hausmann Group March 29, 2018 9 min read

Take the Regulators Out to the Ballgame

This week, we celebrate one of the very best days of the year: Opening Day for Major League Baseball. I’m from Milwaukee and grew up going to County Stadium/Miller Park to watch the games. Whenever I’d go, I always admired the catchers. I was impressed by their ability to crouch behind the plate for hours on end, taking fastball after curveball after slider, all while their opponent is swinging what amounts to a club just inches from their head, and an umpire is barking judgments after every pitch. They’re a resilient bunch.


They kind of sound like an IT security professional, don’t they? Working in the trenches, fielding curveballs and fastballs in the form of threat vectors, an opponent constantly trying to break things wide open, and an executive team watching over their shoulders ready to bark at any wrong move. Good IT security is worth its weight in gold, and then some; the best defense is a great defense.

But even the best catchers can still mishandle a pitch, the best pitchers will still throw a wild one, and the best batters will still foul one right towards the seats behind home plate. When those things happen, we have nets and backstops behind the catcher to catch those errant balls and ensure that no one gets hurt in the stands.

Kind of sounds like cyber insurance, doesn’t it?

Cyber insurance is your backstop for when the bad stuff happens. Even the best, most experienced IT security professional can make a mistake, the best firewalls can be temporarily misconfigured, and the best (and increasingly, even average) hackers can find ways to exploit your vulnerabilities. When that happens, and you lose client data, financial data, patient data, third party trade secrets, or payment card information, you can bet that regulators will be knocking on your door.

A good cyber insurance policy should include coverage for defense expenses associated with a regulatory investigation and any subsequent fines/penalties/reimbursements that may arise as a result of those proceedings. So, what regulations may you be subject to? The following is a brief summary of some pertinent cybersecurity regulations/regulatory bodies that you ought to be aware of. These are drawn from the book, “Taking Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives” by Paul Ferrillo and Christophe Veltsos, published in 2017 by Advisen.

(I’m assuming that we all read books on cybersecurity in our free time, right?)

  • Federal Trade Commission
    • Section 5 of the Federal Trade Commission Act prohibits unfair & deceptive trade practices
    • An “unfair” trade practice is one which 1) is likely to cause “substantial injury” to consumers, 2) consumers cannot reasonably avoid the injury, and 3) the injury is not outweighed by benefits to consumers
    • In both the Wyndham hotel breach and the LabMD breach, the FTC exercised its regulatory authority and charged both companies with Section 5 violations
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Medical records are an incredibly valuable thing on the dark web, so safeguarding them must be a top priority
    • Failure to do so can result in stiff penalties ($50,000-250,000 per violation)
  • Health Information Technology for Economic & Clinical Health Act (HITECH)
    • Increased the scope of organizations subject to HIPAA; now includes any organization that handles health information (including businesses, schools, banks, etc.), not just those in the healthcare sector
    • Increased the fine ceiling to $1,500,000 per violation
  • Gramm-Leach-Bliley Act
    • Requires financial institutions to safeguard customer data
    • Violating companies can receive fines of up to $100,000 per violation and the directors & officers can be held personally liable with a fine of up to $10,000 per violation
  • Payment Card Industry Data Security Standard (PCI DSS)
    • Not a governmental regulation, rather, an industry standard for securing payment card information
    • After a breach, fines (penalties for breach), fees (investigation costs) and assessments (card replacement cost and fraud losses) are all charged to the card-issuing bank and subsequently passed to the merchant who accepted the card via the merchant services agreement

Additionally, both New York State (effective March 1, 2017) and the European Union (effective May 25, 2018) have released new data security regulations that could impact any business that stores data from a resident of either New York or the EU on its network.

Finally, with the recent signing of South Dakota’s breach notification law, 49/50 states (including the District of Columbia, Puerto Rico, and the Virgin Islands) have laws on the books requiring notification to affected residents of their state if their data has been breached.

I’m not a lawyer, so it’s best to discuss your own situation with an attorney who can advise you regarding which regulations you’re subject to.

At Hausmann-Johnson Insurance, we have a team committed to understanding cyber insurance at its deepest level. Talk to your Property & Casualty Consultant to learn more; we’re happy to help.

Interested in learning more about protecting your business from cyber threats? Register for our webinar: The Impact of Cyber Claims.
