This article first appeared in The Legal Side of Tech on CIO.com.
Recent high-profile data breaches highlight the challenges in understanding how laws apply to a wide variety of information management scenarios and a host of other regulatory, compliance and legal issues.
Cybersecurity and privacy continue to make headlines. Experts have more questions than answers when addressing risk management concerns in the evolving cybersecurity market.
High-profile data breach incidents
On March 7, 2017, the CIA got doxed by the anti-secrecy organization WikiLeaks. Nearly 9,000 documents appeared online showing the CIA sought to observe conversations, online browsing habits and other activities by infiltrating the systems that contained them, such as Apple and Android smartphones, laptops, TVs and even cars. The government is not alone.
Nearly every industry that handles sensitive data has been breached recently:
- Healthcare: Ransomware attacks are projected to rise 250%, and hackers were responsible for 106 major healthcare data breaches in 2016.
- Financial services: Despite ranking only third in volume of security incidents, the financial services industry came in first in number of incidents leading to confirmed data losses.
- Insurance: Risk is twofold in this market, because insurers are not only targets of hackers, they’re also providers of coverage to victims.
- Education: At the beginning of February 2016, the University of Central Florida announced a data breach had affected approximately 63,000 current and former students, faculty and staff.
Third-party vendor risk
Third-party vendors remain a growing source of concern. Companies are well-advised to look beyond their own cybersecurity policies and standards to the potentially bigger risk that arises from giving third-party vendors direct access into their systems. Indeed, low-tech threats like errors by vendors’ employees represent an often-overlooked danger to company data security. Newer technology trends such as enterprise-level SaaS provisioning and cloud data storage and processing offer new possibilities and perils alike.
Given the inevitability of cybersecurity breaches, companies are increasingly looking to insurers to offset the losses they are likely to face after suffering an attack. However, because the cyber insurance market is young and growing rapidly, the scope and availability of policies are still fluid. Companies should carefully review the specifics and limits of coverage. According to one source, most questions right now are focused on coverage for business interruptions and losses related to fraudulent transactions.
Smaller companies may face even bigger challenges. Few small companies have the staff or the resources to actively manage cybersecurity risk, and many assume that their business risks are small. Despite their smaller size, these businesses will incur the same level of breach-related costs as larger companies.