Cyber Insurance – A Better Way to Help Small Businesses Manage Cyber Risk

In a recent Wall Street Journal article, The Case for Protecting Small Firms from Cyber Lawsuits, the authors argue that, because smaller companies lack the resources of larger companies when it comes to protecting data, smaller companies should have legal protections to exempt them from facing the consequences of these laws.

While it seems this argument is based on a fundamental misunderstanding of the purpose of these laws, it does offer some productive suggestions and I found it interesting for another reason. The reasons the authors gave for arguing that smaller companies should be exempted from the laws are some of the same reasons I give to smaller companies when I explain why it is so important that they have appropriate cyber insurance coverage:

  1. Small businesses have the same obligations to protect data that larger companies have.
  2. Breach notification laws may have penalties of a certain cost per record breached, regardless of fault.
  3. Breach notification laws may require notifying those individuals whose data was breached, that their data has been breached.
  4. Breach notification laws may require providing identity theft protection services to the individuals whose data was breached.
  5. Individuals whose data was breached may sue and seek recovery of damages and legal fees.

Cyber insurance coverage that is appropriately tailored to meet the needs of a small business will provide them with protection against the risks listed above, and many more, such as the legal fees and costs of having an experienced attorney serve as their breach guide to advise them through the process of managing a cyber incident (see Why You Need a Cyber Attorney) and properly respond to the incident.

I have been practicing in the cybersecurity and data privacy areas of law for nearly two decades and have served as breach guide to hundreds of companies — one of the biggest lessons that I have learned in all of these years is that in many cases, it is not the initial incident that causes most of the harm, it is the failure to properly respond to the initial incident after learning about it that causes it to escalate.

Incident response is expensive. The legal fees, the fees for security services, forensic services, remediation, public relations, and identity theft protection, notification of consumers, and reporting to regulatory agencies — all of these things are very expensive but they are mandatory to properly respond to an incident, in most cases. When a business does not have the resources to pay these expenses, it is not able to properly respond to an incident and that is what can be most devastating of all for small and midsize businesses. That is why it is so critical that small and midsize businesses have appropriate cyber insurance coverage to step in and provide them with the resources needed to help manage and properly respond to such incidents.

House panel to DHS, FBI: help small biz with cybersecurity – start with good cyber hygiene

The following testimony excerpts are very similar to what the #CyberAvengers have been preaching, and for good reason, it is the truth. Checkout the #CyberAvengers Tools for where to begin.

Richard Driggers, DHS deputy assistant secretary for the cybersecurity and communications, said that basic computer hygiene, such as regular software updates, could keep small businesses safer.

“It doesn’t take sophistication to exploit a vulnerability in a small business. And I think all small businesses need to assume that they have some type of vulnerability that exists within their networks or devices that they’re using,” Driggers said. “A lot of small businesses don’t have the resources to really put in place very sophisticated cyber defense mechanisms. But they do have the resources to do the low-cost things … and that should be the focus.”

* * *

“The best thing small businesses can do is elevate the need for cybersecurity within their organizations. Hire capable, competent people to help protect data, create a culture within the organization that promotes security. It’s gotta be something you do every day; it can’t be after the fact,” Marshall said.

Full article: https://fcw.com/articles/2018/02/01/small-biz-cybersecurity-williams.aspx?m=1

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Helpful FTC Guidance on Cybersecurity for Small and Midsize Companies

FTCIt is important for all companies — especially small and midsize companies — to have a basic understanding of what the FTC considers to be reasonable cybersecurity. The FTC is known for being one of the more aggressive regulators that are investigating and enforcing (what it views as) inadequate cybersecurity by companies doing business in the United States. In the watershed case solidifying the FTC’s authority to regulate companies’ cybersecurity under the FTC Act, F.T.C. v. Wyndham Worldwide Corp.,  the U.S. Third Circuit Court of Appeals looked to resources published on the FTC’s website and found that Wyndham’s cybersecurity was very rudimentary and contravened recommendations in the FTC’s 2007 guidebook, Protecting Personal Information: A Guide for Businesses.

The FTC recently published a couple of helpful resources on its website and companies of all sizes would be well-served to spend some time reviewing the recommendations in these resources:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.