“GONE PHISHING!” – The Real Liability of the Virtual World
Phishing is a criminal practice that exploits individuals via fraudulent electronic communication and interaction. Together with spear phishing, clone phishing and whaling, the Internet can be a scamming minefield. If you don’t already, it might be a good time to pay attention to the security breaches you hear about in the news, like Gawker.com in 2010, Sony, Epsilon and others in 2011, and most recently Zappos in early 2012.
Generally speaking, social engineering is putting bait on a virtual fishing pole, casting it out into the vast ocean of the Internet, and waiting to see who might naively take a bite. After being hooked by the apparently trustworthy communication, the unknowing target then proceeds to give up confidential information (social security number, credit card number, etc.) – anything that can help perpetrate identity (ID) theft or credit card fraud. In other cases, the scammer can even get cash from his hooked ‘phish’ by sending emails from a hijacked email account posing as a friend in need. It’s been estimated that scammers can make $500 a day from their victims, if not more.
Businesses of all sizes are subject to security breaches. It can be because their networks were compromised, an employee lost a laptop or perhaps there was an accidental disclosure of confidential information (like posting a spreadsheet of client data to a public website). When this type of breach happens, and it does often, the business can be liable for a host of breach-related costs. To mitigate the consequences, the negligent company must bear the responsibility to:
- Notify customers their data has been disclosed,
- Incur information technology (IT) forensics costs to investigate what caused the breach,
- Be subject to privacy regulatory activity, and/or
- Face third-party liability from those who suffered financial harm as a result of the breach.
The liability does not stop at the business that lost customer data; it extends to that company’s subcontractors, independent contractors and vendors who may be the linchpin in the breach. When contracting with business clients, a subcontractor may take on its client’s highly sensitive customer information and therefore is also responsible for maintaining its security.
Let’s consider what happened to Epsilon in April 2011. Epsilon is one of the largest email and online marketing firms, whose 2,500 clients include seven of the Fortune 10. Their breach exposed the names and email addresses of customers of major brands like Best Buy, Citibank, and Walgreens. While it may not seem like highly prized data in and of itself, a list of names and email addresses is quality bait and useful in constructing a successful scam. Receiving a personalized message from a company that you already have an account with can be convincing and leaves many people susceptible to ID theft.
Whether you’re a big vendor like Epsilon, who performs email marketing services for huge Fortune 500 clients, or an independent contractor working on your personal laptop with your client’s confidential data, you can become liable for a security breach of your customer’s (or your customer’s customers’) data if you or your equipment is somehow the weak link. The general consensus from the privacy/security community is that the question is not whether someone will be hacked, but when. After that happens, it’s about what was done to mitigate the loss. In a recent study entitled “Empirical Analysis of Data Breach Litigation,” law researchers at Carnegie Mellon and Temple University found that a company that offered credit monitoring after a breach was six times less likely to get sued. If a breach is not preventable, then why not at least transfer and minimize the risk and cost? Having a strong service contract that protects your position in the event of a security breach is one way to start, along with maintaining industry standard privacy and security controls. One cost-effective way to transfer the risk of this liability is through Cyber Insurance.
Cyber Insurance combines Technology Professional Liability (a.k.a. Errors & Omissions), Miscellaneous Professional Liability, Privacy Liability and Network Security Liability into one omnibus coverage that protects a company against today’s ever growing need to safeguard electronic information. The coverage can help cover costs like Information Technology forensics, third-party liability, and credit monitoring. The question of whether you’re subject to a third-party liability claim or a first-party privacy cost claim becomes moot when you have a policy that covers you from all angles.
One obvious lesson is to be very careful with all communications and to actively protect your own confidential information and passwords. If you’re not careful on a personal level, you may have your account hijacked and have to deal with your email provider’s support team, who may, or may not, be able to retrieve your emails from the last five years. Not to mention the scorn of your friends and family who may have given up money or other confidential data to someone perpetrating a scam from Nigeria. For a business, however, it’s critical not to be known as the company that let down its guard and made its customers’ data vulnerable to the scores of hackers, scammers, and organized e-crime syndicates that are on the prowl.
As you explore and utilize the wonderful World Wide Web, enjoy surfing, but don’t get hooked!
BizInsure Guest Blogger: Natalie Chin