Protecting Your Business Under New Data Breach Rules
Starting November 1, 2018, new rules coming into effect mean that any Canadian company which suffers a breach of personal information will be required to notify the Privacy Commissioner along with anyone potentially personally affected by the breach. The new legislation requires companies “as soon as feasible” after a breach, to reach out to everyone impacted and inform them:
• When it happened
• What was breached
• How the breach occurred
• What the company is doing to minimize the impact to the breach victims
My Business Was Breached ─ What do I do?
In an age where we routinely read stories about cyber breaches and the unauthorized release of our personal information (Yahoo, Uber, Facebook, etc.), many will applaud this new legislation and say it’s about time that the public is informed in a timely manner when personal information has been leaked. But what does this mean for your business if it has suffered the breach? Perhaps you were hacked or perhaps a disgruntled employee intentionally released the private information. This new legislation opens up a whole new discussion on how many resources can you afford to deploy after a breach in order to:
• Identify the cause of the breach.
• Stop the breach from continuing.
• Identify what information has been breached.
• Identify who’s been affected.
• Restore or perhaps replace your business’s computer system.
• Notify everyone who might have been affected by the breach.
• Notify the required regulatory officials.
• Deal with any connected third-parties who are claiming that your breached system has now infected their system
• Handle a dozen other things that aren’t listed here that you’ll only find out once you’ve suffered an actual breach…for example, researching how to pay ransomware in bitcoin?
How much time, energy and cost will this add to your bottom line? How much downtime will your business suffer if the entire computer system is corrupted…days…weeks…longer? How can you turn an unknown liability like this into a known entry on your balance sheet?
You’ve likely heard about it but do you really know how it works and how it benefits your business? Cyber breaches don’t affect just one aspect of your operation and likewise, cyber insurance isn’t just one coverage. Instead, the typical cyber insurance policy includes multiple layers of protection for your business. If you suffer a claim, it’s likely that the event will trigger an amount of coverage listed in your policy. Here’s a brief list of some of the coverage often included:
• Cyber Coach: Provides you with a 24/7 “Cyber Coach” who’ll coordinate the initial responses to a breach.
• IT Security: Pays costs to hire an external IT security expert to investigate and remove malware.
• System Damage: Pays costs to restore your computer system following a cyber event.
• System “Business Interruption”: Reimburses your business’s financial loss resulting from a cyber event.
• Network Security Liability: Pays sums you are legally obligated to pay if your system transmits malware to a third party computer system.
• Privacy Breach: Pays to notify victims of your privacy breach and provide credit monitoring.
• Privacy Liability: Pays sums you are legally obligated to pay following a breach of personally identifiable information.
• Legal and Regulatory: Pays to notify regulatory bodies and for your legal defence against regulators
• Regulatory Fines: Pays for fines and penalties (where allowable by law) resulting from a regulatory investigation
• Crisis Communication: Provides an expert to formulate a crisis communications plan for your business.
• Reputational Harm: Reimburses for your loss of profits due to your business’s damaged reputation.
These are the typical coverage found in a cyber policy however each insurer offers their own version of coverage. It’s important that your insurance broker spend the time to understand your unique business operation to make sure the appropriate coverage and limits are discussed and agreed on. No two businesses are alike and neither are any two cyber insurance policies.
Cyber Insurance Premiums
As insurers have been underwriting more and more cyber policies and handling the resulting claims, insurance companies now have a much better understanding of how to price their cyber policies. However, it’s still recommended that for larger and more difficult business exposures that your broker approach a number of markets to ensure you get the best combination of premium and coverage. Depending on the scope of your business operation and the coverage and limits required, annual premiums can start as low as $500. Regardless of premium, cyber insurance allows you to transfer an incredibly difficult and potentially debilitating business exposure into a known data entry on your balance sheet. A cyber insurance policy is definitely a high “Return on Investment” insurance product.