As more information is kept, used and shared electronically, the risk of that information ending up in the wrong hands is growing rapidly. So how could you lose your information, what do you need to do when it happens, and how will you pay for it?
How is information lost?
Information can end up in the public domain and out of your control in a number of ways. This includes:
- an inadvertent loss of your information by an employee, usually as a result of the wrong document being attached to an email, an email being sent to the wrong recipient, or the loss of documents or a laptop, tablet or phone which has access to your information;
- the deliberate release of information from a disgruntled employee from within, such as the Barfoot and Thompson employee who released the names of Auckland property buyers in an attempt to show the proportion of Chinese investors; or
- the theft of your information by a malicious hacker from outside your organisation, such as the recent release of information about clients of the Ashley Madison website, celebrities' private photographs stored in iCloud being released to the media, or the hack of the personal data (including passwords and payment details) of Sony's PlayStation online services.
What do you need to do?
There are some key steps that you should follow if you have a data breach, regardless of how it occurred.
First, you need to contain the breach, assess what information was lost and take any immediate steps that are possible to prevent a similar occurrence. This could involve anything from asking the recipient of an email to delete it and undertake not to use the information that they received, through to using an IT professional to shut down a hacker's access to your system, depending on the type of loss that occurred.
You may then need to notify your insurers, particularly if you have a cyber insurance policy. It is important that you obtain the insurers' agreement to any key steps that you propose to take, so as not to jeopardise insurance cover that might be available.
Next, you need to evaluate the risks that arise from the breach. The type of information that was lost could include credit card details, dates of birth, or passwords (which your clients may also use elsewhere). You need to consider whether that information is now in the hands of someone who is likely to use it maliciously. When deciding if harm is likely to result from the loss of the information, you should look at it from the point of view of your client, as harm can include anything from identity theft, financial loss, or loss of business or employment opportunities, to significant humiliation or loss of dignity.
Depending on your evaluation of the risks involved, you may need to notify people affected by the breach. It is not always necessary to notify your clients if there is no risk of harm, but whether you need to notify should be decided on a case-by-case basis. If notification is given, it should be given to each client personally, with information about what happened, what is being done to limit the risks, and what they should do to minimise any risk themselves. The wording that you use in a notification is important and it is wise to seek legal assistance. You also need to consider whether to notify the police, your insurer (if you have not already done so), your employees, and third parties associated with your business. Serious breaches could also be notified to the Privacy Commissioner, so that the Commissioner is aware of what has happened if your clients contact him for assistance.
Last, you need to take more permanent steps to prevent another breach in the future. This could include conducting a security audit, reviewing your policies and procedures, and reviewing your employee training. Any portable devices such as laptops, tablets and phones should have protocols in place around their use, including password protection and remote wipe capability. There is a range of professionals who can help you try to prevent any future loss.
How will you pay for this?
Your business may have general liability insurance to cover you when things go wrong. But whether that insurance will help in these sorts of situations is unclear.
In the United States, where there have been a number of cases about these sorts of issues, the District Court of California decided that the general liability insurance responded to a hospital's data breach which released the information of around 20,000 patients. In contrast, the Supreme Court of New York decided that Sony's general liability policy did not provide cover, because the policy required the policyholder to be the one to commit the breach, and did not cover actions taken by third parties.
Rather than rely on the uncertainty of cover from a general liability insurer, a prudent business, particularly one that holds a lot of sensitive and confidential information about its customers, should consider obtaining a specialist cyber liability policy. These policies can be wide-ranging, and can cover a business for the cost of:
- liability to third parties for the disclosure of information about them;
- business interruption resulting from a network attack;
- restoration of the business's network;
- public relations expenses, and more.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.