In the wake of yet another large cyber attack on a well-respected health care provider, it is a good time to review some basics about cyber risk and how to better protect your organization with effective risk management practices. The following is an excerpt published by the Nonprofit Risk Management Center. Clients of Baker, Romero and Associates have free access to services provided by the Nonprofit Risk Management Center.
Data Privacy and Cyber Liability: What You Don’t Know Puts Your Mission at Risk
Your nonprofit’s insurance agent or broker is the go-to resource for information about what’s covered under the cyber liability policy you already purchase, or one you’re considering. Each insurer offers different forms of coverage, but many policies address a few familiar coverage areas. Work with your agent or broker to purchase a policy that adequately protects your nonprofit. Cyber liability policies may include third party coverages (items 1-5 below) and also first party coverages (items 6-7). Third party coverage protects the insured organization against claims that arise from losses suffered by third parties, such as donors or clients. First party coverage protects the insured for its own losses. The following is a list of some of the coverages that may be available through a cyber liability policy:
1. Notification Expenses: As discussed above, almost every state has notification requirements for both private and government entities. If a data breach occurred at your nonprofit, it is likely you will be required to notify parties affected by the breach. Spending weeks notifying affected clients, donors and employees could be costly. Coverage for notification expenses will protect your nonprofit from the strain on human and financial resources in the wake of a breach.
2. Crisis Management: After a data breach occurs and you’ve met your notification requirements, your nonprofit could still face harsh criticism and scrutiny from affected stakeholders or the media. These disenchanted former supporters may ask: How could this happen? Why didn’t the organization do what was necessary to protect against a breach? Some cyber liability policies offer crisis management coverage to cover the cost of retaining PR help to minimize the damage to your reputation.
3. Regulatory Investigation Expense: Since data breach notification laws are subject to change, your commitment to comply may not be good enough. This means there is always a chance you’ll receive a call from a friendly civil servant. Both state and federal agencies can investigate and take action against a nonprofit that is negligent in guarding personally identifiable information. Some cyber liability policies exclude coverage for governmental or regulatory investigation costs, but other policies include it. Some policies will also cover fines and penalties, such as a fine levied for failing to notify the individuals whose data was compromised within the time limit required by law. These fines can be substantial, and are often assessed on a per-record basis.
4. Data Breach Liability: This coverage will defend your nonprofit against legal claims brought by a stakeholder who suffered a significant financial loss after their personal data was compromised. A typical suit will allege that your nonprofit was negligent in failing to protect the stakeholder’s personal information, and that their loss was directly attributable to your nonprofit’s negligence.
5. Content Liability: Some cyber liability policies offer financial protection related to the content of your website, blog or social media sites. This can range from copyright infringement and intellectual property claims to invasion of privacy or personal media injury (defamation, slander, libel) via electronic content. Some insurers refer to this coverage as “website liability.” Keep in mind that many nonprofits that buy cyber liability coverage principally do so to finance the costs arising from the theft of personally identifiable information, and choose to cover content liability exposures under another policy, such as a media liability policy.
6. Data Loss & System Damage (or Data Restoration Coverage): Your current property policy probably covers damage to computers you own, but traditional property policies do not cover the data stored on those computers. Most cyber liability policies cover loss or theft of personally identifiable information (e.g., your clients’ home addresses, your employees’ Social Security Numbers, etc.). Some policies also include coverage for computer forensic analysis, the process an expert uses to assess the scope of the damage.
7. Business Interruption: Many cyber liability policies cover events related to the temporary or long-term shutdown of an insured entity’s operations, such as: loss of revenue during the downtime after a hack; denial of service; damage to systems or data caused by a virus; etc. Some nonprofits may find this coverage beneficial; however, it is unlikely that most nonprofits would be forced to close their doors while responding to a data breach incident. If your nonprofit would have to close in the event of a data breach, you’ll place greater value on having this coverage in place.
Data Security Strategies
To reduce the likelihood and severity of a data breach, consider the following practical strategies.
- Ensure Regular Software Updates: Make certain that IT staff or contractors promptly install security patches and updates to your devices’ operating systems and other software. Oftentimes, data breaches occur because software is outdated or otherwise left unpatched. Software updates typically include new security measures that help protect your devices and data against harmful malware and viruses.
- Encrypt Sensitive Data: Would the theft of a laptop or other mobile device constitute a data breach? Possibly, if those devices contain unencrypted personally identifiable information. Consider encrypting sensitive data so thieves who have access to data can’t use it. If you work with protected health information and you are thereby required to comply with HIPAA, review this list of recommended protocols for securing mobile devices from www.HealthIT.gov. Consider the pros and cons of encryption. On the downside, encryption costs money and slows down response time. As a result, some experts suggest that organizations encrypt only data on mobile devices, or strictly prohibit the storage of personally identifiable information on mobile devices.
- Schedule Data Security Training: Some cyber liability policies offer proactive risk management resources, such as educational materials or access to helpful training on data security. Your data security efforts will be fruitless if your employees do not follow your protocols. Remember that human error is a major source of cyber liability exposure, an exposure you can mitigate by adopting clear policies and providing appropriate training. Topics you might want to cover in your training include: BYOD policies, network security protocols, encryption instructions, relationships with tech vendors, data breach notification laws, information on the nonprofit’s cyber liability coverage, and your insurer’s requirements for filing cyber liability claims. Ensure that your employees recognize how easily a data breach can occur, and how detrimental a breach could be to your nonprofit’s mission.
- Adopt a BYOD Policy: Establish a Bring Your Own Device (BYOD) policy that clarifies whether employees may access PII on their personal devices (laptops, cell phones, etc.). Communicate the policy to employees, including instructions on what type of data may be accessed on personal devices, procedures for accessing data securely (e.g., through a secure network), and procedures for storing and transmitting data securely (e.g., using encryption). You might also decide to offer resources to employees such as AT&T Toggle, a BYOD solution that allows employees to switch from ‘work mode’ to ‘personal mode’ on a smartphone. Whatever your BYOD policy is, aim to strike a balance between protecting your nonprofit’s data and upholding the privacy rights of your employees.
To prepare your nonprofit for the breach you hope will never happen, consider the following important questions.
- What constitutes a data breach? State security breach laws generally define what constitutes sensitive information. But no two state laws are identical. In some states, such as Florida, a data breach means an actual, confirmed breach. Florida Title XIX, Chapter 282 defines “breach” as: “a confirmed event that compromises the confidentiality, integrity, or availability of information or data.” In other states a data breach has occurred if there is reasonable belief that a data breach occurred, even without hard evidence of an actual breach.
- Who must we notify? Most states require organizations to notify all consumers affected by the data breach. Some states also require you to notify the state attorney general or consumer reporting agencies.
- How should we contact our customers? Some states require that specific communication methods are used to notify consumers of a data breach. For example, some states prohibit using pre-recorded phone calls, while other states only allow you to email consumers whom you have permission to contact via email.
- How quickly must we contact our customers? Every state notification law includes a timeframe for data breach notification. If you fail to notify your consumers within the appropriate timeframe, your nonprofit could face litigation and harsh fines.
- What resources are available from our insurance providers? As indicated previously, some insurers provide proactive risk management help, and have experts on call to either answer or help you determine the answers to the questions in this list. Keep cyber liability insurance information close at hand so that you’re ready to make the call when you need to.
- What changes should we consider? Once you’ve addressed the crisis at hand and have complied with insurer and regulatory agency requirements, take time to consider lessons learned from the incident and the need for changes in policy, practice and training. Consider conducting a risk assessment focused on data privacy exposures, identifying training needs for staff, and updating internal policies concerning the collection, storage and protection of personal information from clients, donors and employees.
Reprinted with permission from: Nonprofit Risk Management Center, Data Privacy and Cyber Liability: What You Don’t Know Puts Your Mission at Risk By Erin Gloeckner and Melanie Lockwood Herman