Understanding the true costs of data breaches
In the novel and movie The Martian, an astronaut stranded on Mars digs up a case of plutonium to use as an energy source. The crew had buried the plutonium far from their camp, with a flag marking its location, because of the risk that the plutonium could leak or the canister could develop even a small crack. When evaluating his needs for an unexpectedly long stay on Mars, astronaut Mark Watney decides he needs the heat badly enough to drive around with the plutonium in his vehicle.
Managing customer data in 2023 has a similar calculus. It’s necessary for businesses of all sizes to manage computerized data for their clients, but the risks can be tremendous. Industries that manage data and finances may have specific regulations and statutes that require certain protective measures to reduce the risks of a data breach.
Insurance producers are subject to several such laws, including the Gramm-Leach-Bliley Act and state data security laws (for more information, see PIA Magazine’s December Tech article). As cumbersome and difficult as compliance may sometimes feel to agents, having clear requirements that mandate regular reviews and updates to data security systems does put agents and producers ahead of many industries when it comes to data compliance.
Many other businesses do not have statutory or regulatory data security requirements, including many of the businesses insured by independent agents. That does not exempt these businesses from legal exposure in the event of a data breach. By collecting and storing data from customers and third-party partners, all businesses leave themselves exposed to legal liability following a data breach. The two key areas are tort liability and breach of contract.
Tort law
Those in the legal profession use tort law to settle disputes that do not have a clear applicable statute or regulation to determine who is at fault. It’s the adult equivalent of siblings bringing a fight to a parent to decide the outcome, but with far more money on the line for everyone—especially the lawyers. In tort law, plaintiffs must show that the defendant had a duty toward the plaintiff before they can argue the defendant harmed the plaintiff by violating such duty. In contrast, other civil cases and all criminal charges cite a specific law the defendant allegedly violated without needing to prove the law exists.
Any customer potentially could argue that a business has a duty to take reasonable steps to protect sensitive consumer data even when no cyber security law applies. Several parties already have sued businesses for data breaches in federal courts across the country. Courts have agreed with the plaintiffs’ argument that defendants could be liable for damages if a malicious third party intentionally targets the defendant’s business and obtains nonpublic information.[1] This has become a developing issue facing federal courts as more data breaches lead to lawsuits.
Another important legal question in such lawsuits is whether the company acted negligently and failed to adequately protect the data it collected. For many businesses, industry best-practice rules may become evidence in these trials to show whether they sufficiently safeguarded data. For example, the Payment Card Industry Security Standards Council creates technical and operational requirements for businesses that accept card payments from the major credit card companies.[2] While not the law as such, parties may point to the guidelines as evidence of industry best practices.[3] Given a 2018 study reporting that only 39% of American businesses have complied with these guidelines, many companies may be exposed to potential liability in court should a malicious third party steal their data.[4]
Contracts
The potential victims of a data breach may also have a contract claim against a business following a data breach. Rather than alleging that the business had a duty to protect nonpublic data, the victims could point to contract clauses and cite their violation as a breach of a legally binding agreement. Businesses working with other businesses should have a contract laying out the terms of the relationship, including a basic framework for protecting sensitive customer data and proprietary information.
The PCI Data Security Standard does not simply lay out the standards the credit card companies expect businesses to adhere to—businesses agree in their contracts with the credit card companies to adhere to the standards. Many businesses, especially smaller ones, likely contract with a third party to handle payment processing. The third party processing the payments would likely have the direct relationships with the major credit card companies that make it straightforward for the small business to accept multiple cards on specific terms, and would likely agree to the PCI DSS directly with companies such as Visa, MasterCard and American Express. The third-party payment processing company should include those requirements in its contracts with client businesses to ensure its own compliance and to protect customer data. This legally binds the small business to the PCI DSS by contract.
Contractual requirements can vary in their specificity. Cyber insurance contracts may require multifactor authentication, and the carrier could deny coverage if the policyholder did not have this specific security measure in place. In contrast, many contracts refer to industry standards or regulations without including the specifics. This effectively incorporates updates to the standards or regulations without requiring a new contract. A small business’s contract with a payment processor would likely bind it to the most recent PCI DSS requirements, thus requiring the small business to adapt to changes and updates without new contracts. This carries a significant risk: a business may not update its data security plans as frequently as the standards are updated, leaving it exposed both to a data breach and to contractual penalties.
Containing the risks
Businesses really have no choice but to collect and handle sensitive data—despite the (sometimes) radioactive risk. Whatever the potential legal exposures for data breaches, the only mitigation options focus on containing the risk and the potential liability. Understanding and complying with contract terms is a straightforward way to reduce legal penalties for a data breach.
Cyber insurance also can reduce legal exposure through the contractual security requirements included in every policy.[5] By establishing reasonable security measures for a company to follow, a business can get ahead of claims that it failed to protect consumer data adequately. Unlike service contracts that reference state laws or industry standards for cyber security measures, cyber insurance policies are updated on a regular basis with requirements that adapt to the risks facing businesses. Meeting the security requirements of a cyber insurance policy helps a business significantly reduce its risk of a data breach, because the mandatory updates needed to maintain coverage keep its controls current.
The only reason Mark Watney could dig up plutonium on Mars was that the crew of astronauts had brought the radioactive isotope to the red planet in the first place and had taken the best available steps to minimize the risk that it could expose them to extraordinarily high amounts of radiation. As risky as it is for people to constantly enter private information on websites and for businesses to maintain it on internal data systems, most people have decided it’s worth the potential harm from a data breach—especially if they have taken the appropriate steps to reduce the potential damage.
Irvine is PIA Northeast’s government affairs counsel.
[1] McMorris v. Carlos Lopez & Associates, 2021 (bit.ly/3hAxg2h)
[2] American Bar Association, 2019 (bit.ly/3UPXoVc)
[3] In re Wawa Inc. Data Security Litigation, 2022 (bit.ly/3Ey3HaR)
[4] Verizon, 2018 (vz.to/3OcRKdJ)
[5] Remember, if you need to purchase cyber liability insurance for your agency, PIA Northeast offers a product that can help you. For more information, log on to www.pia.org/quote/cyber.php.