© 2016 Integro Insurance Brokers
TOP 10 WAYS TO PROTECT YOUR COMPANY’S DATA
You know how important data is to your business and you have heard all about data breaches,
but where do you find a simple, straightforward summary of how to protect your company? This
is a question frequently asked, but rarely well-answered, so we rely on our experience helping
companies protect their data to draft the following checklist. Adoption of these measures will help
set you on the path to resilience and help address the risks inherent in our data-driven world.
1. Know what you need to protect
§ Customer data: Social security numbers, payment card information,
protected health information, transaction and account records,
contact information, and other personal data.
§ Your “crown jewels”: The information critical to the development,
performance and marketing of your company’s core businesses
(e.g., information about your most valuable relationships, financial
records, marketing plans, and trade secrets).
§ Confidential information: Negotiated rates and information
required to be kept in confidence.
§ Employee records
2. Know where it is
When thinking about how to protect your data, you need to understand
where the data is created, where it is collected and where it resides,
which can include:
§ Your servers
§ Cloud server providers with which you have contracts
§ Mobile devices
§ E-mail, Wi-Fi and other transmissions
3. Protect it, reasonably
Your answers to these questions can help reveal how securely you keep
your critical data. If you find yourself answering ‘no’ more often than
‘yes,’ it may indicate a need to strengthen your security regimen.
§ Do you encrypt the most important data at rest or in transit?
§ Do you require strong passwords?
§ How do you use anti-virus software, firewalls and intrusion
detection (e.g., to prevent or detect malware)?
§ How do you know when your data is leaking, being accessed
without authorization or taken?
§ Is cardholder information handled exclusively by a secure payment portal?
§ How and how often is your data backed up?
4. Limit access and educate
One of the keys to protecting your company against data theft is
tightly controlling access to critical data. The following questions can
serve as a mini-audit; use them to help you determine how careful you
are in your decisions about who has the right to access your company’s
important data.
§ Do you have the ability to limit access to your protected data
to those who need it, and terminate their access when they no
longer need access?
§ How do you authenticate users?
§ Do you make security awareness education mandatory and
compelling for your employees (e.g., to avoid phishing attacks
and to use strong passwords)?
§ What physical security do you have in place?
§ Do you know, at all times, who has and/or who has had access to
your protected data?
5. Control vendors’ access to your data
When you rely on vendors to protect your important data, contracts matter,
especially for small and medium-sized businesses, which generally have
difficulty keeping pace with constantly changing threats to data. Ensuring
contracts have the right protections with suitable secure cloud platforms
is critical to protecting your important data. Cloud offerings vary widely
in their security and related assurances, so it is important to pick the right
one first, and then protect yourself with appropriate contractual provisions.
Particularly important questions include:
§ What does the vendor offer in terms of third-party audits and
certifications?
§ What else can the vendor promise about its safeguards?
§ Will the vendor know if there is unauthorized access to your data?
Will the vendor inform you at the first signs of such access?
§ What rights, if any, will you give the vendor in your data, or to any
data derived or created from your data?
§ How, if at all, can the vendor share your data with any other entities,
and under what conditions?
§ How will you get your data back at the end of the contract, or how
will the vendor protect the data it retains?
§ If a vendor has access to your systems, have you limited the vendor’s
access to correspond to the scope of services to be provided?
6. Know your privacy policy(ies)
Your company’s privacy policies are the promises you make regarding
the protection of personal data to which you may be held accountable.
You almost certainly need one posted on your website, and a very
different one – both in terms of the issues, the people addressed and the
rights granted – in your employee handbook. Then you need to think
about what the rules are for the mobile apps you may provide to your
customers and employees. You may need additional policies, notices
and provisions, depending on your business, relating to different types
of customers and vendors.
7. Plan for data loss, theft and other incidents
Regardless of how comprehensive your company’s security posture
is, data loss and theft will occur. The key to preserving your customer
relationships and the value of your business as well as preventing
lawsuits is often a deliberate, prepared and expedient response. At a
minimum, that response should include the following:
§ Your employees and contractors must know where they must
immediately report any suspected loss or theft of your data or
unauthorized access.
§ You need to have a team ready to respond, who can deal quickly
and effectively with:
    § Containment and prevention of harm;
    § Communication with customers, other stakeholders and media;
    § Notification of insurance carriers, law enforcement, regulators;
    § Affected individuals;
    § Remediation and improvement of safeguards.
If you respond well, an incident that could otherwise really hurt your
business can instead be leveraged to build trust.
8. Get coverage
The risks of loss or theft of data and of business interruption are precisely
the type that insurance best addresses. This is primarily because
incidents will happen to your data that are substantially beyond your
control. When you understand what your risks are, and have taken basic
steps to prevent and prepare for security incidents, you can choose the
coverage that best addresses your risks and needs.
Today, that coverage almost certainly includes a network security and
privacy liability (“cyber”) insurance policy in addition to standard E&O,
crime / fidelity and commercial general liability coverages, with special
attention paid to issues such as:
§ Extortion loss
§ Tech E&O
§ Business interruption loss
§ Data recreation
Companies should also review their D&O and cyber-risk policies to
determine whether there is coverage for shareholder actions arising
out of breaches or security events. That determination is best made
following a review of any insurance offer. When reviewing an offer of
insurance, companies should consider the following:
§ Definition of Computer Network: This definition lies at the heart
of all cyber policies and should accurately reflect your systems,
including how you and your employees and contractors exchange
data (e.g., cloud computing, use of employees’ own mobile devices).
§ Acts by Employees: Many cyber policies preclude coverage
for intentional acts of past or present employees. This policy
exclusion often extends across both the first-party and third-party
(i.e., liability) coverage parts. In addition to the intentional acts
exclusion, some policies include broad exclusions that could be
read to apply to employee negligence. Business leaders must have
a full understanding of the extent of coverage for acts by their past
and present employees and other members of their organizations.
§ Minimum Requirements: In some instances, policies contain
exclusions that require the maintenance of minimum levels of
security. In other instances, carriers avoid coverage by relying
on conditions within the policy that require policyholders to
implement certain security measures that were disclosed on the
application for insurance.
§ Coverage Parts (policy limits and sub-limits): Cyber policies
include multiple coverage parts; the limit or sub-limit applicable
to each coverage part is dependent on the carrier’s underwriting
appetite and the specific needs of an individual insured. It is essential
that the insured understand the limits and sub-limits available for
each coverage part.
§ Coverage for Bodily Injury and Property Damage: If a cyber-event
involving your important data could be associated with bodily injury
or property damage, you need to pay attention to that exclusion
in most cyber policies and know how, if at all, you are covered.
Increasing coverage needs in this area are expected.
9. Get practice
Organizations cannot allow their cybersecurity programs to gather
dust. Once adopted, the policies and procedures must be regularly
tested, reviewed and revised to address an ever-changing threat
environment. Organizations that do not routinely assess their security
procedures and safeguards against their changing threats are not only
likely to experience more cyber events, but to have more challenges in
responding effectively to those events.
10. Expect new threats and solutions
New threats to the integrity of your systems and the safety of your data
are developing on a regular basis. Most malware attacks come in waves
and affect similarly situated organizations. Due in large part to the
speed at which these threats materialize, organizations have become
dependent on industry groups and friends to serve as a de facto
early-warning device for impending attacks.
In the last few years, we have seen an increase in technology that
can protect the data created and stored by small and medium-sized
businesses. New encryption solutions, secure development platforms
and limitations on where sensitive data can be processed are all
technologies integral to a robust cyber security posture.
It is safe to assume that the threats to the security of our data will
continuously change and become more sophisticated. To counter these
changes, we must remain vigilant, adopt better business procedures
and safeguards for protecting data, continue to make advancements in
technology and develop risk transfer solutions that address the unique
exposures faced by organizations in specific industries.
About Integro
Integro is an insurance brokerage and risk management firm. Clients
credit Integro’s superior technical abilities and creative, collaborative
work style for securing superior program results and pricing. The firm’s
acknowledged capabilities in brokerage, risk analytics and claims are
rewriting industry standards for service and quality. Launched in 2005,
Integro and its family of specialty insurance and reinsurance companies,
some having served clients for more than 150 years, operate from
offices in the United States, Canada, Bermuda and the United Kingdom.
Its U.S. headquarters office is located at:
1 State Street Plaza, 9th Floor
New York, NY 10004
877.688.8701
www.integrogroup.com
Kilpatrick Townsend is a leading knowledge asset protection law firm
that helps its clients protect their most important information. The
firm’s Cybersecurity, Privacy & Data Governance Practice takes a
comprehensive, multidisciplinary, and integrated approach to helping
clients anticipate and obviate information risks, appropriately monetize
information, comply with law, and contain and obtain coverage for
incidents. Jon Neiditz co-leads the practice, is listed as one of the Best
Lawyers in America® in Information Management Law, and blogs at
datalaw.net and linkedin.com/in/informationmanagementlaw.
For more information, contact:
James Sheehan, J.D.
Integro Insurance Brokers
617.531.6865
The content contained herein is not intended as legal, tax or other
professional advice. If such advice is needed, consult with a qualified adviser.
CA Lic. #0E77964