Data privacy has become a legal technology buzzword as organizations have realized it is a matter of corporate survival. When an organization becomes a victim of a data privacy breach that could easily have been avoided, customers have no problem taking their business elsewhere. In a survey conducted of more than 2,200 executives involved in cyber risk management, the Ponemon Institute found that 52% of respondents believed their company’s exposure to cyber risks would increase over the next 24 months. Alarmingly, only 19% said their organization had acquired cyber insurance. As the list of organizations experiencing a data privacy breach is only growing longer, they should seriously consider acquiring cyber-insurance to protect against the real risk of a major cybersecurity attack and the costs associated with a breach.
Determine the exposure level:
The legal department should play a role in determining what the risks look like, as well as the frequency and severity of exposures based on the environment in which their organization operates. For retailers, healthcare organizations, and the hospitality industry, coverage for a breach of privacy will be at the top of their list, since they handle large volumes of personal information. Organizations need to clarify where their cyber exposures lie to ensure their cyber insurance policy will cover the vulnerable areas.
What does cyber-insurance cover?
Generally, organizations can choose a cyber insurance policy based on the type of coverage that suits their needs. When deciding what the cyber insurance should cover, it’s important to distinguish between your own costs and costs that third parties may attempt to claim as a result of a breach. The main components of coverage are:
- Liability due to a cyber or data privacy breach
- Coverage for any interruption to the business caused by a cyber attack
- Coverage for the response to threats to harm a network, or release confidential information
The role of outside counsel:
Should a breach occur, the in-house legal department should enlist the help of a privacy attorney, who plays a key role in the initial response of investigating an incident. External counsel must quickly and efficiently identify the nature of the event and retain the support of any external vendors (such as forensic investigators or a public relations firm). It is the outside counsel’s job to quickly assess the structure of the threat and make sure it is neutralized as soon as possible. While it’s tempting for legal departments to resolve the incident themselves, it can exacerbate the situation if they accidentally expose more data or don’t have the resources to sufficiently prepare for regulatory inquiries.
The role of technology:
Data privacy laws in many countries require that those responsible for the processing of data, known as data controllers, implement appropriate technical and organizational measures to safeguard the security of personal data. These include providing agreements for informed consent, and proper monitoring and tracking. In light of the number of data breaches, the Dutch government instituted a law that imposes an obligation on data controllers: to notify the Dutch Data Protection Authority of any security breach that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data. In collaboration with our partner Privacy Valley we have developed a new Compliance module for data privacy. Legal departments can use this module to efficiently register and control their activities related to data privacy.
A data breach is more than a loss of data privacy: it is also a loss of reputation and of customer trust. The risk of a data privacy breach can never be fully eliminated, which is why some organizations have turned to cyber insurance as a method of reducing their exposure. Legal management software like Legisway can provide an extra layer of protection by providing a secure web-based platform for managing legal data. While cyber insurance itself should not serve as the sole defense against data breaches, it is effective as additional protection. At the bare minimum, every general counsel needs to understand the basics of data privacy.