The how varies from state to state, but in broad terms businesses are required to notify individuals if their personal information is stolen in a data breach. Of course, laws are full of definitions, so a legal definition of personal information must come before the rest of this story.
Most states say personal information is:
• Social Security numbers
• Driver’s license numbers
• State identification and state ID numbers
• Banking and credit information
• Other financially sensitive numbers
We hear of a new breach almost daily and those new breaches are causing states to upgrade their rules. Those rules and upgrades were the subject of a discussion panel at the recent NetDiligence Cyber Risk Summit.
In the discussion, Travis LeBlanc of Cooley LLP — a firm that deals in regulatory matters — wondered aloud whether data breach notification actually serves a purpose in every single instance. He said we — consumers — are burned out on the topic and almost ignore breach notifications.
“How many times has our information been breached, we’ve received a notice, and we’ve had to figure out what to do next? What happens is, people start to think: ‘My information’s out there anyway, so what good is another notification?’” he said. “I know the law requires it — and notification certainly makes sense in a world where we’re talking about very sensitive data like social security numbers — but when you get to these broader breaches that involve personal information (PI), does the constant pursuit of notification continue to serve a valid remedial purpose for consumers?”
Some on the panel agree with LeBlanc. One is Vermont’s assistant attorney general Ryan Kriger. He pointed to notification fatigue as a genuine issue.
“I’ve had people call me and they say: ‘OK, I’ve got this notification, what am I supposed to do now?’ They should do the same things you should be doing even if you didn’t get a notification,” Kriger said. “You should freeze your accounts, you should be looking at your credit card statements, and you should be looking at your credit reports. Everyone should be doing that, whether you’ve been notified of a breach or not.”
The most important reason for those laws — Kriger noted — is to hold businesses accountable, and that accountability should drive them to get insured.
“That’s one of the reasons why these laws are really critical. They are, for many businesses, the motivation to have cyber insurance and to have counsel advising them on how to avoid breaches,” he said.
Yet businesses still resist either purchasing policies or upgrading current ones. That’s a big issue, since cyber attacks in 2018 hit 1,244 and each one — says the marketing data portal Statista — takes an average of 197 days to detect.
The cyber security firm Symantec said 4,800 websites are hit each month with formjacking code, which cyber criminals use to steal personal information. The company also reports that supply chain attacks rose 78% in 2018.
FedEx and FedEx lost $300 million apiece in lost business and clean-up costs. Marriott lost a bundle, too, with the 500 million identifications stolen from its database.
RSA — another security risk management company — says mobile devices make companies even more vulnerable. In 2018:
• 70% of fraudulent transactions happened from a mobile channel
• 20% came from a rogue mobile app
• 57% of companies use 10 different anti-fraud tools to manage fraud
• They rarely work
The Council of Insurance Agents & Brokers (CIAB) says its statistics show companies may be suffering burnout similar to consumers. Only a small percentage plan to increase their cyber security protection policies.
• 33% of clients of CIAB members say they’ll purchase some form of cyber insurance
• Just 34% increased their coverage in the last six months
• 63% of those with cyber insurance will be keeping it at the same level it is now
Ken Crerar is the CEO of the CIAB. He said, “While respondents agreed that clients view cyber insurance as important to have, this did not necessarily translate to clients increasing their budgets for higher limits or increased coverage. As a result, take-up rate and coverage levels have remained consistent over the past two years.”
He suggests that — by not paying closer attention to cyber risks and cyber risk insurance — companies are putting themselves at risk. Here’s why:
• In 2018 the average data breach cost $3.86 million
• That’s up 6% from 2017
• Worse, the limit of the average cyber insurance policy is $2.8 million
• That’s down from $3.2 million in early 2018
• Verizon says 58% of data breach victims are small businesses
Crerar said the saddest finding in the report is that the cost of cyber insurance to businesses is not going up.
• 61% of businesses have not seen an increase in premiums
• Just 26% report seeing an increase
There’s more. The largest share of small and mid-sized businesses — 43% — say the transfer of risk is the reason to purchase cyber insurance. Yet 20% took out policies only after a cyber breach.
Crerar said regulation — the subject that started this report — is driving more businesses to pick up cyber security policies.
“On the whole, respondents agreed that the clients who had been directly affected by regulation like the European Union’s General Data Protection Regulation and the New York Department of Financial Services’ Cybersecurity Rule were the ones who were starting to ask more questions, such as whether certain fines or penalties would be covered,” he wrote. “As more and more states continue to enact or introduce bills and resolutions related to cybersecurity (at least 22 states enacted 52 such bills by November 2018), it will be interesting to see if that might drive more companies to purchase, or at least consider the purchase of, cyber insurance.”
Source links: Insurance Business America, FreightWaves