Due to recent data breaches at big-name companies, awareness is high when it comes to cyber threats. Yet, misconceptions abound regarding a company’s liability and how insurance mitigates the cost of a breach.
Misconception #1: “Our company outsources critical processes to cloud providers, credit card processors and other specialty vendors. If a breach occurs, they are liable, not us.”
The reality: Forty-seven states (and many foreign countries) have their own privacy laws that identify the responsible party in the event of a breach. Even with many different privacy laws, there is consensus when it comes to identifying the victim and the responsible party, and your company might not be off the hook the way you would imagine.
For example, in the case of the Target breach, the crime originated with an HVAC vendor that did business with Target. While hacking into the vendor’s computers, cyber criminals found a password that allowed them to access the Target IT system. Once in Target’s system, the hackers dropped in malware that grabbed credit card numbers during transactions made at the store. This data was then sent outside of Target’s system, where the hackers could sell the credit card numbers on the black market.
To uncover the responsible party in this case, ask: Whose customers’ data was stolen? Who was originally entrusted with that data?
Although there were plenty of parties involved, Target is ultimately accountable because the victims of the attack are Target customers. Target is responsible for notifying its patrons of the breach and monitoring their credit. Throw in the high costs of the forensic investigation, legal services, crisis communication and damage to the brand, and the potential loss grows.
While it’s possible for Target to recover some of these costs from the other vendors in the chain, recovery depends on the terms of the signed contract and on the financial capability of that vendor to indemnify Target.
Make sure to check out our blog on the common misconception that a company’s current insurance program will help it recover from a data breach. To make sure your organization is prepared for a data breach, stream our seminar on how to avoid a data breach nightmare and download the MMA 2014 Cyber & Data Security Risk Survey Report.