We all continue to hear reports about this increasing threat, but do we really understand where the exposures come from?
In Australia, the 13 Australian Privacy Principles (APPs) that came into effect in March 2014 are certainly one area of exposure for businesses with turnover greater than $3M and potentially, in certain business sectors, even for those with turnover less than $3M.
A simple and probably misunderstood exposure under the APPs arises where an overseas cloud provider is used for backing up data – if you are using such a service, it needs to be disclosed in your privacy statement.
How secure are your smartphones, laptops/PCs or tablets? Here are some simple questions to consider:
Are all of your mobile phones and other portable devices encrypted or password protected?
If a mobile phone or other portable device is lost or stolen, do you have the ability to remote wipe it?
If somebody leaves your company, do you have a procedure in place, and the legal right and technical ability, to remote wipe their mobile phone or other personal portable devices?
This article from DLAPIPER dealing with the exposure of Bring Your Own Device makes interesting reading and gives some good risk management advice.
What is the procedure for ensuring that data on any entity-owned PC, laptop or tablet is not recoverable at the end of the item's life?
How strong are your password requirements for logging on to your systems? E.g. a minimum of 8 characters containing a combination of upper- and lower-case letters, numbers and symbols?
How often do passwords need to be changed?
Smartphones, laptops and tablets routinely hold sensitive information and, if lost, could lead to a privacy breach even when password protected.
Password strength is important, particularly if remote access to your servers is available. It is all too common (even in today's world) for passwords to be somebody's partner's name or their pet's name – i.e. easy to guess.
Here are some real claims examples that I have gathered from insurers and the internet:
An employee of a financial institution has a laptop with sensitive client data go missing. Defence costs against claims by individuals whose data was compromised – $700K.
A financial services company started a blog to convey information to clients and the public. The blog contained a logo/image that was similar to a design that had been copyrighted by another entity. That entity sent a cease & desist letter to the insured demanding that the insured remove the image from the blog. Discussions between the parties failed to reach a mutually satisfactory result and civil proceedings commenced. Claim amounted to $3.23M.
A real estate company discovered malicious software had been uploaded to its servers by an unidentified third party which resulted in corrupted files. Files containing personal information including credit card information had been accessed. Subsequent to the data breach, fraudulent charges were made on various credit cards in multiple countries. The claim amounted to $430K.
A woman purchased a used computer from a pharmacy. The computer still contained the prescription records, including names, addresses, social security numbers and medication lists, of pharmacy customers. Loss: the cost of notifying affected parties was $110K, and other actions potentially totalling in excess of $300K have been brought.
A law firm's server and client records were locked by ransomware. $50K was paid to the hacker to release the files, with another $100K in loss of income, notifying affected individuals, credit monitoring, etc.
There are many other cases of ransomware being used: http://www.theage.com.au/…/hackers-draw-ransom-in-cyber-sti….
Many clients do not feel that they have an exposure and are prepared to manage the risk by carrying it on their own balance sheets.
The insurers that have responded to this exposure with tailored policy wordings typically have a panel of specialists, with whom they have partnered, to manage any incident that gives rise to a claim.
Hopefully this article provides some risk management ideas and a broader consideration of the exposures we all face in today’s cyber world.