Hacking and data breaches of companies have been increasing in recent years, leading to public relations nightmares, and possibly even bankruptcies. Workplace policies and cybersecurity insurance could be the saving grace for firms as cyber risks become increasingly prevalent.
Sara Anchors, partner at Quarles & Brady, said a hack can be a huge financial detriment to companies.
“If there is a hack, there is business interruption because they have to stop what they’re doing and take care of this hack,” Anchors said.
Companies experience losses in profit, and might have to pay for informational hotlines and credit monitoring for those affected, forensics to discover the cause of the hack and the resulting need for public relations.
Anchors said the amount of data breaches happening will only grow as time moves on, and companies are turning to a new type of insurance specifically for cyber risks.
“As long as hacking remains profitable, people will continue to attempt to hack companies,” Anchors said.
Data breaches are a huge problem for healthcare firms, which store large amounts of data hackers are especially interested in obtaining.
Hackers seek confidential patient medical records, social security numbers, credit card information and more stored by healthcare firms.
Since 2004, there has been a 107 percent increase of reported violations of the Health Insurance Portability and Accountability Act (HIPPA), the act that protects data and medical information, according to the U.S. Department of Health and Human Services. In 2015 over 111 million records were breached, the department reported.
After a data breach, companies also face HIPPA fines.
In 2014, New York Presbyterian Hospital and Columbia University Medical Center faced a total of $4.8 million in fines after patients’ medical records were found online.
These companies can also be subject to lawsuits. After Banner Health’s summer 2016 data breach, which resulted in compromised data of 3.7 million people, 10 civil lawsuits were filed.
Anchors said companies can look to first and third-party coverage when getting insured.
First party coverage covers business expenses and profit losses that result from a data breach while third party coverage protects a company if they receive HIPAA fines or are sued after a data breach.
Anchors said increased technology puts more information at risk than ever before.
“You go to a doctor’s office now, and sometimes you’re directly writing onto a laptop with that new patient form,” Anchors said.
Companies have their own data like trade secrets to protect as well, Anchors said.
While companies have had some success in getting claims paid out for data breaches under traditional business insurance, insurance companies are denying an increasing number of claims under traditional insurance, Anchors said.
She said many insurance policies specifically exclude data and cyber risks in traditional insurance policies now.
“Property insurance only covers tangible property,” Anchors said. “Some courts have said ‘No, no data is not. It can’t be touched. It can’t be held. It can’t be sent.’ So, you can’t rely on your property policy for coverage.”
Cyber risk insurance has traditionally been expensive, but costs are coming down in recent years, but there is still not standardization among policies, Anchors said.
“It does pay for companies to shop around, to talk with their broker, to look at different policies to find what fits their needs,” Anchors said.
Even with cyber risk insurance, Anchors said companies still need to be careful about how they manage data and their security setting for their computers and servers.
“The insurance company can come back and deny the claim, Anchors said. “In one case where they allowed the claim, they came back and tried to get money, saying you didn’t do what you needed to do to keep that data safe and that was beyond what we agreed to insure you for.”
Anchors said companies need to be able to prove they manage their data securely because if a hack is the result of negligence, it will not be covered by insurance.
She recommends companies bring in an outside perspective to analyze their data management policies and make sure proper security measures are in place.
“This harms your reputation,” Anchors said. “This could be an issue, especially for a hospital to lose patients, or really any business. You’re going to lose customers if people think that you’re not keeping their information secure.”
