An employee at a small financial services firm receives an email containing a ZIP file that appears to be related to one of his clients. He opens the file, unknowingly allowing malware to penetrate the firm’s systems and granting the email sender the ability to browse the firm’s clients’ files, which contain personally identifiable and financial information, as well as the firm’s intellectual property.
The firm reports the covered matter to its insurance carrier under its cyber protection policy and is subsequently contacted by a law firm acting as a breach coach. The breach coach advises that an outside party should be brought in to perform a forensic review and investigate the matter to fully analyze what occurred and to ensure the system is secure. The breach coach explains that due to the type of information that was or could have been accessed during the breach, the firm is required to notify its clients. The firm’s response to the insurance carrier and breach coach is a clear, “Thanks, but no thanks.”
Though not highly publicized like large-scale data breaches, network security attacks on small businesses occur daily. The Global State of Information Security Survey 2015, released in October 2014 by PwC in conjunction with CIO and CSO magazines, estimated that the incidence of network security breaches for mid-sized businesses rose by 64 percent from 2013 to 2014. Further, the Verizon Communications 2013 Data Breach Investigations Report found that close to 62 percent of data breaches that year were at the SME (small/medium enterprise) level. These entities are attractive targets as they typically do not have robust security measures or information technology personnel trained in thwarting sophisticated network attacks.
Using coverage from their network security insurance policies, businesses can take steps to repair damage caused by a breach and notify affected individuals. There are times, however, when businesses refuse assistance and do not want to notify outside parties. In fact, it is widely accepted in the market that the majority of breaches are not reported to affected parties. Attorneys and insurance professionals faced with this situation should understand the reasons behind and the ramifications of this position, and advise their clients accordingly.
Companies refusing to allow a formal forensic investigation to occur following a breach typically will do so citing redundancy and cost. The first responder in a breach situation is usually the company’s IT personnel who either installed the penetrated security system or at least approved it. A company could assert that an investigation by an outside vendor is not needed because its IT personnel have reviewed the matter and reported that all is well.
The response to this position is two-fold:
First, the IT forensic firms employed by carriers in breach situations specialize in such matters, where internal IT personnel likely do not. This expertise can lead to a more comprehensive assessment of the event, a determination of the attack vector and better assurance that the matter is concluded.
Second, a conflict situation may arise if only the target’s IT personnel are allowed to review the matter. Relying solely on the opinion of the individuals who implemented or approved the system as to why it failed is clearly not a good practice. The diagnostic opinion of a qualified individual outside of the company removes any chance that it is influenced by pride of work or fear of negative repercussions from management.
Quite often, the “green elephant” in the room when a business is weighing whether to have an outside forensic review following a breach is the cost. Depending on the size of the applicable deductible or retention in a policy, most expenses incurred following a breach covered by insurance could be borne by the insured. The cost of a cyber breach in 2014 for a small business was approximately $21,000, more than double the average cost of a breach for such a company in 2013, according to a report by the National Small Business Association.
A relatively simple computer system in a small company can potentially be reviewed following a breach in an efficient, cost-effective manner. A small business, however, may not have the financial ability to fund a prolonged review if one is needed. It is important to help the business gain the proper perspective on the financial aspect. The network that is being examined is likely the lifeblood of the company and the cost should be viewed from that perspective – if it remains compromised, then there will be no company. If forensics is engaged, the attorney and insurance professional should hold a scoping discussion with the forensic firm and request a corresponding budget approved by all parties.
The breach coach, most often an attorney, is an integral participant in addressing an incident that may have resulted in a data breach. Although the breach coach may be an expert in cyber matters, the relationship between a data breach coach and the responding business can get complicated. This is especially true if the business, contrary to the breach coach’s recommendation, does not wish to provide notification of a data breach as required by law.
Such a decision by the business may be driven by concern with loss of revenue, reputational harm, investing in network security, public relations, government fines and penalties, or litigation that can follow breach notification. In those situations, the business’s decision takes precedence over the breach coach’s recommendation. But companies should be aware of the risks associated with noncompliance.
In 2015, the Ponemon Institute released its data breach study for the United States and found that the average cost for each lost or stolen record containing sensitive and confidential information was $217 and the average cost paid by organizations for a data breach increased to $6.5 million. Instances involving more than 100,000 compromised records are excluded from the study because those instances would skew the results. As such, corporate attention to the significant costs associated with notification of a data breach is well-founded.
The potential exposure to the business related to notification is real, and in many instances, can result in serious financial consequences. For this reason, business executives may follow Scarlett O’Hara’s advice and delay notification until “tomorrow,” or even refuse the breach coach’s legal recommendation that notification be provided. If the business’s decision is to delay or not provide notification and this contradicts the breach coach’s recommendation, it is imperative that the breach coach and business executives communicate and understand the ramifications of such an action. This could include governmental sanctions and litigation actions.
But does the breach coach have a duty to provide notification, whether to the affected individual, law enforcement, or some other entity, in the event that the responding business flatly rejects the recommendation? Although 47 states have passed data breach laws, each slightly different, unlike environmental statutes, none impose an independent obligation on the breach coach to provide notification of the purported data breach. Rather, the obligation is on the business.
Although business executives have just concerns about notification in the event of a data breach, notification does not need to be the business’s Armageddon. If a data breach is managed properly, it is possible for a business to emerge stronger than before the breach occurred and, through candid and honest communications, retain its existing customers. Pleased with the level of communications, those customers may appreciate the business’s notification and assist the business in acquiring new customers. Businesses that invest in pre-breach response planning are best prepared for a data incident and more likely to succeed in converting a data breach into a positive business development.
In the case of an insured business refusing to allow an investigation of a breach by a qualified forensic firm or refusing the advice of a breach coach, the insurer is left in the position of having to take the word of its insured that the matter is resolved. If a policy has language that addresses the consequences of an insured’s refusal for assistance following a covered breach, such language should be brought to the insured’s attention so it can be guided accordingly. If the policy is silent on such a circumstance, the matter can be complicated from a coverage analysis standpoint.
Issues to be considered by the insurance professional include:
- The insured’s failure to rectify the breach on its own, which can lead to greater subsequent exposure.
- An unrelated second breach due to a failure of the insured to correct its system and procedures following the first breach.
- Claims from individuals whose information was accessed during a breach who were not timely notified but should have been.
A company’s refusal to accept assistance could have wide-reaching effects on all parties involved. In the end, though, a company cannot be forced to do something it does not want to do. Faced with this, the respective roles of the insurance professional and attorney may be limited to providing comprehensive advice to the business. If that is accomplished, then they will have ensured that the ultimate decision by the company will, at the very least, be a well-informed one.
The article reflects the opinion of the authors and does not necessarily represent Aspen’s views. The article reflects the opinion of the authors at the time it was written taking into account market, regulatory and other conditions at the time of writing, which may change over time.