23 Jun ka-CHING! Cyber crime notification costs a lot
“Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information,” according to the National Conference of State Legislatures. Those states include Maine and New Hampshire. ka-CHING!
What is your company obligated to do in the event of an actual or suspected breach? What is your company’s liability for an unauthorized release of information? Does insurance cover the cost of complying with the law and managing your reputation? Welcome to cyber insurance.
What is a “breach?” According to Maine statute, “’Breach of the security of the system’ or ‘security breach’ means unauthorized acquisition, release or use of an individual’s computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person.” New Hampshire’s definitions are substantially the same. The law further defines personal information as first name or initial and last name plus any one or more of the following:
- Social security number
- Driver’s license or state identification card
- Account, credit card or debit card number that could be used without additional identifying information, access codes or passwords
- Account passwords or personal identification numbers or other access codes
- Any information that would allow unauthorized people to assume another’s identity
In Maine, the law requiring notification pertains to two kinds of data users: 1) third parties who store or broker data, and 2) “any other person who maintains computerized data that includes personal information.” If you or your company fall into one or the other category, these are the highlights of Maine law requiring you to act as soon as you are aware of a breach of personal information:
- An investigation must be conducted to determine if the information has or possibly could be used by an unauthorized person. (Ka-CHING!)
- Any individual who is a Maine resident whose data has or may be compromised must receive notice of the actual or possible misuse of their information. (Ka-CHING!)
- Notice must be given within 7 business days unless providing notice will compromise a criminal investigation. (Ka-CHING!)
- If the data in one breach involves more than 1,000 persons, you must notify “consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.” (e.g. credit reporting organizations). (Ka-CHING!)
- The Maine Department of Professional and Financial Regulation and/or the attorney general must also be notified. (Ka-CHING!)
The law uses terms such as “reasonably believed” and “reasonably possible,” which leaves a lot of room for interpretation, and with it the potential for lengthy and expensive disputes. In addition to the cost of notification and crisis management services (Ka-CHING!), the State of New Hampshire allows equitable relief for actual damages paid to successful plaintiffs. If the act is found to be intentional, relief must be no less than twice but no more than three times the actual damages. (Ka-CHING!)
In Maine, if timely notice is not provided to those affected, the state may impose a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation (Ka-CHING!). When added to the cost of compliance and settlements, the person or company that lost the data can be looking at significant costs.
Industry analysts estimate that the cost associated with notifying consumers can average $194 per record. So, having 10,000 records of current and past customers would cost $1.94 million just for notification. The probability of having a data breach is low, though the numbers are growing. As long as there is a market for data, thieves and hackers will be motivated to steal it, and not just from the big guys. The data breach at Target, for example, originated with the hacking of a regional maintenance vendor.
Here are five things to do now to avoid exposing your business to a data breach and the loss of reputation that occurs with a breach:
- Call your insurance agent to understand your cyber coverage limits and exclusions.
- Write, adopt and enforce data security procedures (e.g. use of personal devices, password protection, data duplication, etc.).
- Find a reputable firm to test your security systems and procedures, then implement their recommendations accordingly.
- Give someone within your company authority and responsibility for data security and enforcement.
- Prepare a data breach and recovery plan so you know “who does what, to whom, when” should a breach occur.
Whether you are an employer or employee, you have an obligation to your customers and your business to protect your data and your reputation. So, keep the ka-CHING in your own bottom line.