Cyber Risks Involve Businesses of All Sizes

With the recent data breach involving stolen credit and debit card information of Target customers receiving national news attention, the issue of cyber security is quickly becoming a top concern for businesses and consumers alike. Contrary to popular belief, however, cyber risks do not solely involve retailers or large corporations.

According to a recent report from the internet security firm, Symantec¹, 40 percent of all data breaches occur in organizations of 1,000 or fewer employees and 31 percent of data breaches occur in organizations of 250 or fewer employees. The volume of attacks on small businesses of fewer than 250 employees increased greatly in 2012, compared with 2011, resulting in its percentage almost doubling from 18 percent to 31 percent.

While the attacks against Target and Neiman Marcus involved highly technical malware, a data breach can occur through much simpler events, such as when a laptop containing the personal information of third-parties is lost or stolen. And, one unfortunate consequence of modern technology is that greater processing, transmission, and storage capabilities lead to the possibility of significant amounts of data being available to more and more organizations—with a corresponding increase in the risk of a hacking event or other data breach.

A number of practical steps can be taken to avert a data breach:

1. Using up-to-date anti-virus software;
2. Encrypting networks, laptops, and mobile devices to make them accessible only to authorized users;
3. Implementing a written security plan outlining best practices and properly training employees regarding these practices; and
4. Maintaining firewalls on any computers or devices connected to the internet.

To the surprise of many business owners that have suffered a breach, the typical general liability insurance policy does not provide coverage for security breach remediation or for third-party lawsuits claiming damages as a result of a data breach. As an extra precaution, more and more business are turning to “cyber risk” insurance to provide insurance coverage for these costs and liabilities. Many of the cyber risk policies currently on the market are broken down into first-party (material costs associated with a breach, such as forensic analysis and notification costs) and third-party coverage (costs associated with the filing of a lawsuit alleging damages as a result of the breach). Given the increasing frequency of data breaches and the lawsuits sure to follow from such a breach, the purchase of cyber risk insurance should be strongly considered by any business that obtains, maintains, or stores the personal information of third parties.

In the unfortunate event of a data breach involving the loss of personal information of third parties (such as social security numbers, credit/debit card information, driver’s license numbers), Wisconsin statute imposes a number of different requirements. Under Wis. Stat. § 134.98, any company that does business in Wisconsin, upon learning that personal information pertaining to a resident of Wisconsin has been acquired by an unauthorized person must take reasonable measures to provide notice to that person within 45 days after discovering the acquisition. If a business is required to notify over 1,000 individuals about the unauthorized disclosure of personal information arising from a single incident, the business must then notify all consumer reporting agencies of the timing, distribution, and content of the notices sent to the individuals. Mail is the required method of notice under the statute unless the individual previously communicated with the business via another avenue, i.e., email. There may be defenses to claims or alternatives to notice based on the facts of the particular incident.

It is of the utmost importance for businesses to take all necessary precautions to protect against the costs and legal liability associated with data breaches. Axley’s attorneys are experienced in drafting contracts involving liability for data breaches and analyzing insurance policies that may provide coverage for such breaches. Axley’s attorneys are also able to prepare the appropriate notifications as required by Wisconsin statute and advise on possible defenses to claims.