Feb. 15, 2017
Cybersecurity requirements and best practices keep multiplying, and I'm sure your concerns about how they will be enforced are growing with them.
If you want to keep yourself and your company off cybersecurity enforcers' radars, and stay ahead of the game if or when cybersecurity best practices become law for your industry, this article is for you.
Journal of Accountancy writer Neil Amato reviews seven beneath-the-surface consequences your business faces if it falls prey to a cybersecurity event, drawing on Deloitte's "Fourteen cyberattack impact factors".
Perception becomes reality when an organization has suffered a cyberattack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said.
The corporate credit rating of U.S. retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyberattack.
While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+."
Deloitte's analysis said that credit ratings agencies typically downgrade companies that have experienced a cyber incident by one level.
Any disruption of normal business operations will have financial repercussions.
Resources from one part of a company could be diverted to other parts in the wake of a data breach.
If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.
If those customers like what they see from the competitor, they might not return to the business that suffered the breach. Deloitte's hypothetical analysis showed that the customer attrition rate increases 30% in the wake of a cyber incident and does not return to normal until three years later.
In the case of Target, S&P said in March 2014: "We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014."
Just as a data breach impairs a company's ability to raise debt, it makes contract negotiation with other entities more difficult. And that is on top of contracts that might be terminated as a direct result of a cyberattack.
A company may have built cost increases for services into its financial models, Deloitte's Emily Mossburg said, so those models must be recalculated in the event of a data breach.
A report by IBM and the Ponemon Institute said the "biggest financial consequence to organizations that experienced a data breach is lost business."
If a company's business is offering services to other companies, the companies receiving those services are less likely to seek additional services from a provider that has suffered a data breach.
And a company such as a retailer obviously must rebuild brand loyalty after a data breach.
"Now that this has happened, that relationship has been damaged, and companies have to start over in that investment process," Mossburg said.
Loss of intellectual property can be the most crippling effect for a company that suffers a data breach.
The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost.
"If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organization faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.
A company might need to buy or renew its cybersecurity insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies.
Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until they demonstrated to the insurer that they had strengthened their cyber defenses.
Insurers could point to any number of issues with a company in the aftermath of a data breach, Mossburg said, citing weak access controls, an insufficient incident response plan or insufficient monitoring as among the possible factors.
Basically, insurers are in a position to tell a company what it needs to fix before coverage will be continued.
Now that we know the consequences of a cybersecurity breach and the damage it can do to your business, the next logical step is to find out what is being done about it.
2016 was a busy year for lawmakers on breach notification rules.
The National Conference of State Legislatures' survey of security breach statutes tells us that 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches involving personally identifiable information (PII).
Only three states - Alabama, New Mexico and South Dakota - have no law requiring consumer notification of security breaches involving PII.
A total of 26 states introduced or considered security breach notification bills or resolutions. Most of these bills tweaked existing security breach laws that apply to business, government or educational institutions.
Some of the changes, if ultimately enacted, will:
Most states are leaning toward the National Institute of Standards and Technology (NIST) Cybersecurity Framework, whose five core functions are Identify, Protect, Detect, Respond and Recover.
In that regard, New York is poised to be the first state to impose minimum cybersecurity standards on larger (>$75MM) banking, insurance or financial services businesses.
The New York Department of Financial Services regulation is due to take effect on March 1, 2017 and would require such businesses to implement a defensive infrastructure that identifies internal and external risks; detects, responds to and contains cybersecurity events; restores normal operations; and meets all reporting obligations.
Certain professionals, such as lawyers, accountants, securities broker/dealers and investment advisors, are already subject to self-regulation.
In addition to the federal and state mandates on privacy regulation, there are self-regulatory guidelines developed by governmental agencies and industry groups that do not themselves enforce the law but set out best-practice guidelines for numerous professions.
These self-regulatory guidelines are premised upon accountability, and their enforcement components are increasingly used by regulators as a tool for enforcement.
Generally Accepted Privacy Principles (GAPP), developed jointly by the AICPA and CICA, were written from a business perspective and reference significant local, national and international privacy regulations.
GAPP organizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles.
Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization.
Title 26, Internal Revenue Code (26 U.S.C. § 7216, with civil penalties under § 6713) imposes criminal and monetary penalties on any person engaged in the business of preparing, or providing services in connection with the preparation of, tax returns who knowingly or recklessly discloses or uses information furnished in connection with the preparation of an income tax return without authorization.
IRS Revenue Procedure 2007-40 requires Authorized IRS e-file Providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties.
It states that violations of the GLB Act and the FTC's implementing rules and regulations, as well as violations of the non-disclosure rules contained in certain IRC sections, are considered violations of Revenue Procedure 2007-40 and are subject to penalties or sanctions.
If you handle taxpayer information, you may be subject to the Gramm-Leach-Bliley Act (GLB Act) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rules. Financial institutions as defined by the FTC include professional tax preparers, data processors, their affiliates and service providers who are significantly engaged in providing financial products or services.
ABA Model Rule 1.6(c) provides that lawyers are required to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Comment 18 to the rule considers what constitutes an attorney’s “reasonable efforts” and explains that the attorney’s ethical obligation is not violated if “the lawyer has made reasonable efforts to prevent the access or disclosure.”
Nicole Black, writing for Above the Law in her article Cybersecurity For Lawyers: The Nitty Gritty says “using even basic technology such as email without understanding and implementing necessary security procedures and tools is unethical at best — and at worst can even amount to malpractice”.
Nicole reports that twenty-six states now require lawyers to stay abreast of changes in legal technology, and that Florida now requires lawyers to earn 3 CLE technology credits per biennial cycle.
So, how is it we don’t read much in our local news reports about privacy breaches involving law firms?
The cyber liability insurance industry shares plenty of examples of law firm privacy breaches, both offline and online.
The general consensus among experts is that law firm breaches occur all the time yet go unreported, except for mega-law-firm stories such as the recent Panama Papers.
Security experts conclude that without effective laws for breach notification and cyber information sharing, it may remain difficult to truly gauge the threats facing law firms for some time to come.
While they may not be suffering the public embarrassment that accompanies the disclosures required of HIPAA- or PCI DSS-regulated industries, law firms will undoubtedly start losing clients as the unregulated "business grapevine" spreads the word about sensitive data lost through lax data protection practices.
Click "best practices and other measures to prevent cyber attacks and/or regulatory failures" to view the full list.
A responsible cyber insurance provider will do much more than just pay out in the event of a real cyber event; it will partner with you to give you the tools and advice to mitigate the cyber threat before it becomes a reality.
However, if you do suffer a cybersecurity breach, you will want the benefits that stand-alone cyber liability insurance offers:
Coverage for loss and defense costs, including regulatory fines and penalties, when confidential information is maliciously or accidentally disclosed or destroyed at the law firm or a company vendor.
Access to a network of technical and legal experts available 24/7, with immediate response to complicated breaches as well as routine compromises of confidential data.
Coverage for loss of business income and the cost to rebuild or re-engineer electronic data, including forensics, after a computer hack, virus, denial-of-service attack or cyber terrorism event.
While lawyers' malpractice insurance policies may provide coverage for cyber liability in connection with a legal representation, they do not provide first-party coverage or remedial services.
*Refer to the actual policy for all terms and conditions of coverage.
Cindy Wiedman founded Wiedman Insurance Services, LLC (LiabilityPro Insurance Advisors*) on August 1, 2014. Cindy is a Registered Professional Liability Underwriter (RPLU) and has designed and administered professional liability insurance programs over a 35-year career working for various insurance administrators in the Midwest such as Shand Morahan & Company, Kirke Van Orsdel, Marsh and Lockton Affinity.
*Serving non medical professionals in Iowa, Nebraska, Minnesota, Kansas and Illinois