Insurance can help with fallout from data breaches
By AdvocateDaily.com Staff
Businesses can’t avoid the increasingly sophisticated threat of a cyberattack and they should seek out different approaches as part of their overall security strategy, says Fredericton litigator Matthew Pearn.
Many organizations hold information that could be very valuable to thieves who look for a weak cyberlink to penetrate the company’s system and steal that data or even attack the organization, says Pearn, an associate with Foster & Company.
An additional risk is the threat of legal action involving the potential loss of any third-party information, he tells AdvocateDaily.com.
Pearn says it’s in the company’s best interest to ensure there are no holes in the organization’s cybersecurity suit of armour.
Insurance coverage, he adds, is an additional option to help companies mitigate losses if the worst does happen.
“Many people are concerned about exposure of third-party information,” says Pearn. “They want to know how to manage risk.
“They’re also concerned about how to respond when personal information is exposed inadvertently or when someone has breached your system.”
Pearn says insurance coverage has become a helpful option for businesses as they try to make private information secure. A broker can help determine if insurance can be helpful to cover the fallout from potential breaches.
There is also coverage for the legal risk of civil exposure and business disruption caused by the loss of control over intellectual property.
“It makes sense to talk to a broker — especially if you’re holding onto private information that isn’t exclusively yours,” says Pearn.
“The national defence world has been dealing with this for decades,” he says. But for other organizations that use health and financial information belonging to individuals, the game has changed more recently.
A company dealing with point-of-sale purchases may have an individual’s credit card and other personal information that is identifiable. In the wrong hands, that information can be used to steal a person’s identity or compromise their financial security, Pearn says.
“Your ability to respond and manage the crisis correctly is important,” he says.
A breach and release of information is a publicity risk that can lead to reputational damage, says Pearn.
It can also cost a company financially — in fines for failing to deal with a privacy breach and in lawsuits for intrusion upon seclusion and disclosure of private facts.
“Those are all relatively new civil claims that organizations didn’t have to seriously consider 10 years ago but are now the subject of class-action suits and regulatory offences,” he says.
Sometimes that threat comes from the inside.
Pearn points to a case in which a bank employee accessed the accounts of her boyfriend’s ex-wife.
A similar situation occurred in New Brunswick when a medical professional accessed the health records of women he wasn’t treating, highlighted in a privacy commissioner report. Pearn says there was nothing in place to protect those patient files from being accessed by a non-treating physician.
He says the cases demonstrate that institutions risk running afoul of terms-of-use agreements and could open themselves to legal claims.
“It may be sensible to have counsel audit the organization from time to time and give advice on whether its practices fall in line with the agreements with customers,” he says.
“There’s an expectation of security by the individual whose data is turned over to the organization,” says Pearn.