A significant percentage of businesses these days are responsible for the protection of large amounts of private and personal information about their clients, customers and employees. Regulatory statutes such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley have imposed significant responsibilities to maintain privacy. We’ve all seen the big news stories about Hewlett-Packard, Bank of America, Citigroup and others who had significant security breaches that exposed their customers and employees to financial loss and themselves to serious exposure. For every one of those there are dozens of smaller cases that go unreported.
What do all of these incidents have in common? None of them involved the familiar scenario of a computer hacker breaching the businesses’ computer systems to obtain confidential information. All of the situations involved a lack of “nuts and bolts” physical security. Hewlett-Packard had a laptop stolen containing the personal information of 196,000 current and former employees. Bank of America lost back-up tapes containing government employees’ data during shipment to their back-up center. Citigroup “misplaced” a box of computer tapes containing personal data on 3.9 million customers. Small businesses are not immune to this exposure.
Most, if not all, of the incidents could have been avoided by implementation of simple security measures. Here are some of those simple measures that you may wish to consider to safeguard sensitive or confidential data:
- Don’t leave a laptop in an unlocked vehicle or in plain sight. This applies especially in a parking garage and even in your driveway.
- Carry your laptop in a nondescript carrying case.
- Don’t leave a remote meeting or conference without your laptop.
- Never check a laptop in your baggage. Watch your laptop through the entire airport screening procedure.
- Consider other theft deterrents such as locking the laptop away when not being used, cable locks, theft alarms and adding easily identifiable markings.
Securing Your Backup Media
- Choose the best backup media for your business based on the size of the database and ease of storage and transportation. Use encryption if the backup is done electronically.
- Establish security procedures for the physical storage and transportation of the media.
- Ensure the physical security of the media at your storage site.
Many business owners are confused, misinformed or haven’t considered how their insurance coverage would respond in the event of a security breach, and believe that their existing commercial general liability coverage would protect them. This misunderstanding could prove costly in the event of a claim. Generally, the two primary coverages in commercial general liability are for claims of bodily injury or property damage that arise from your products, services and operations. They are not intended to cover your liability for loss of intangible property such as computer data. So, if your business is found responsible to a third party for economic damages due to the loss of their private data, your commercial general liability would not cover it.
You will need an errors & omissions or media insurance product that is specifically designed to meet these kinds of exposures. Typically, these products cover your liability for pure economic loss arising from loss of a third party’s private data through loss or breach of security, and dovetail with the commercial general liability policy, closing gaps that would otherwise exist. It is also recommended that both the commercial general liability and errors & omissions coverages be purchased from the same insurance carrier whenever possible to eliminate any potential coverage disputes.
Your insurance professional will be able to discuss the errors & omissions and media insurance products that best provide coverage for these exposures to your business.