BY: Bill Skene, Executive Director of Insurance and Risk Management
With a number of high-profile data breaches in the news over the past several months, 2014 has already been dubbed by some as the Year of the Data Breach. According to InfoSecurity Magazine, as of July 15, 2014, more than 400 data breaches have been reported, affecting more than 10 million personal records.
An underground network of overseas hackers stealing thousands of credit card records from large corporations like Target and Neiman Marcus makes for big headlines and intriguing primetime reporting. But what does it mean to you as a franchise or small business owner?
How often do data breaches affect small business owners?
Many small business owners I talk to think, “only large retail stores get hit,” and “I have nothing of value to an identity thief.” But the one I hear the most is, “What are the odds that a hacker targets me?” Identity thieves and hackers rarely target a specific small business; it’s a numbers game to them. They send out deceptive emails that may appear to be from a common vendor (e.g., QuickBooks, PayPal, Xerox), and all you need to do is open the email or click a link within it for them to gain access to your systems.
Recent studies show 55% of all businesses with revenues under $10 million have experienced a data breach, and that number has been steadily rising. Another study showed 72% of all data breaches occur in small- to mid-sized businesses. Their computer systems are generally easier to gain access to, and they have inadequate controls in place regarding email, laptop and cell phone use. Experts believe these statistics are actually on the low end because many small business owners may not realize they’ve had a data breach or they just don’t report it. This can result in even larger lawsuits and fines when an employee, client or vendor figures it out.
What constitutes a data breach?
A data breach is essentially the release of nonpublic private information (e.g., SSNs, DOBs, financial information, health information, even company trade secrets and documents) into the hands of someone who is not authorized to have it. As you can see from that definition, the loss of private data need not come just from a traditional cyber-criminal; many times the data breach stems from a lost laptop, cell phone or rogue employee. Remember, nonpublic private information not only applies to your clients or customers, it also applies to records you keep on your employees. This means that almost every business in every industry has the potential for a loss.
Costs of a data breach
Once a data breach occurs, the costs of rectifying the situation can pile up quickly. Most states (46 out of 50) now have laws requiring businesses that experience a data breach to notify every single customer/employee and offer them credit monitoring services. As you can imagine, this can be extremely costly. The average cost of a data breach is $214 per lost record, with more than half of such costs attributable to lost customers and the associated public relations expenses to rebuild an organization's reputation.1
Cyber liability insurance can keep you protected
So as a responsible business owner, how can you protect your clients, your employees and your business from a potentially crippling loss (total losses can range from $10k-$100k and up)? The answer is cyber liability insurance. Not only will this type of insurance policy pay for all of the direct and indirect costs listed above, it also protects you from physical damage to your computer systems from a virus, malware or malicious hacker. This is a crucial coverage because having your systems down for a couple of days or weeks can result in a significant loss of income, which can also be reimbursed by the better policies out there. Some policies will even protect you from a lawsuit if you happen to transmit a harmful virus to a vendor or a client and their computer systems become damaged because of it. Reputation damage control and PR services are also included in the top-notch policies, which can really come in handy when losing the faith of your clients could mean losing everything.
Business owners insurance packages and E&O policies occasionally offer some form of cyber liability built in. But be careful. The coverage is often limited to $10-50k and certain types of losses are excluded from the coverage. These policy add-ons are better than nothing, but depending on the type of business you run and the number of records you keep, the coverage could be woefully inadequate and you’d be much better served by a standalone cyber liability policy.
To determine the best policy for your business, speak with your insurance broker, who will examine your risks and recommend the most cost-efficient way to protect yourself against them. 80% of small business owners who experience a data breach costing over $50k never recover and end up shutting their doors for good.
1 Ponemon Institute, 4/2009 Global Cost of Data Breach Study.