In my time as a security consultant and managed services provider, I've seen some questionable behavior and attitudes. Prime among them is the common belief in the business community that indemnity offered by cyber insurance and contracts replaces prudent actions taken for regulatory compliance and for data breach prevention. VARs or technology consultants dealing with high-risk clients in the healthcare and finance industries, among many others, will likely confront this same mindset.
The fact is, I have seen all too many risk-taking CEOs, business owners and managers in dangerous denial. Even worse, I've seen IT consultants or client staffers misleading or, in extreme cases, lying to those they report to about the condition of the security or compliance of the company.
These risk-takers somehow maintain the belief that because they are incorporated and insured, they have protection against the risks. This may work to a limited extent for issues like fire and flood and maybe even personal injury, where there are often caps on liability. This also might work if you are OK with spending your life in court, under long-term scrutiny from government auditors and, in some cases, losing your business. If you have unlimited funds to pay regulatory penalties and settlements from individual and class action lawsuits, then you have nothing to worry about.
According to the Ponemon Institute's 2011 Cost of Data Breach Study: United States (sponsored by Symantec Corp.), the average cost of a breach was $5.5 million. In my experience, the average service provider does not carry $5 million in cyber insurance, if they carry any at all.
So if you don't have a pile of money, enjoy your freedom and want to stay in business, there is much to contemplate in opposition to this strategy.
Consider the following questions:
- Do you think your company or clients are too small or too obscure to be a target or a victim?
- Are you cognizant of the real risks you face or are you convinced, like so many, that data breach is just the bogeyman locked in your lucky closet?
- Even more important, has this belief resulted in inadequate action being taken to prevent potentially entity-killing losses?
- Could you withstand the damages from intrusions into your clients' or your own confidential data?
I think if you are honest with yourself, your answers will reveal that you're in at least some denial about the real threats you and your customers face.
Let's examine some common business facts, potential impacts of a breach and then the limitations of contract and insurance versus a comprehensive risk mitigation strategy. Let's start with the following assumptions:
- Nearly every business possesses and maintains databases or other information repositories of intellectual property and financial, personnel and client or prospect information.
- If you are working in healthcare, finance, retail or other business verticals that involve healthcare services or credit transactions, you very likely possess personally identifiable information (PII) and/or protected health information (PHI), which are both regulated by a variety of strict U.S. federal and state laws.
- Data protection and breach notification laws on both the state and federal levels are daunting, with some carrying potential seven-figure fines and even private rights of action (California's is $1,000 per record), potentially leading to tens or even hundreds of millions of dollars in losses.
- As a VAR or consultant you likely have connections, passwords, documentation and other data that can lead a hacker to eventually breach a major target.
Understanding the above assumptions, let's briefly go through the reality of just one recent breach at Advocate Health and Hospitals Corp. (dba Advocate Medical Group, or AMG) in Downers Grove, Ill. In July, the data of 4 million patients was breached via the theft of desktop computers, according to the U.S. Department of Health and Human Services' public posting. The AMG theft is reportedly the second largest breach of PHI disclosed under the U.S. Department of Health and Human Services' 2009 mandatory notification rule. This kind of theft could happen to anyone.
What will the impact of the AMG breach be? No one knows how this will end, but a few things are both predictable and already in motion:
- The notification to HHS will undoubtedly involve an intense investigation by the Office for Civil Rights and, because a crime was committed, the Department of Justice.
- There is an active class action lawsuit claiming that the physician group failed to meet privacy regulations by not using encryption and other required security measures.
- This is the second breach reported by AMG, which greatly increases the likelihood of willful neglect accusations and associated million-dollar fines.
- A Google search of "Advocate Medical" produces multiple stories about the lawsuit on the first page.
- Clients and partners of AMG will no doubt be far less trusting of AMG.
So why are contracts and cyber insurance not enough?
First, while a contract may grant rights to you, it does not prevent you from being sued. If you are opposed by a class action lawsuit or a well-funded, large corporation, it doesn't matter if you are right; you could lose the case to a thousand lawyer bills. And a contract cannot defend your reputation or repair public perceptions that you may be at fault. Contracts are also only as good as the parties who sign them. If push comes to shove, the party that offered indemnity or agreed to a limitation of liability can still attempt to evade the agreement. In fact, many contracts contain what I call "weasel clauses" -- sections of the contract that are intentionally ambiguous or too broad to provide real protection.
More opinion from Kevin McDonald
Another major issue with contract liability limits, especially where HIPAA and other laws are in play, is that you cannot fully waive your civil or criminal liability in an agreement if your actions are either fully or partially the cause of the violation. If the government wants to come after you, it will, and a signed contract won't help you.
As far as insurance is concerned, it's true that cyber insurance is vital and now a billion-dollar business. It is becoming far more affordable and valuable than ever before. Even so, there are significant limitations that make cyber insurance only part of a comprehensive risk management strategy.
"Many insurance companies have limits on their breach and compliance coverage. They also require significant attestation of your compliance and security posture," said David McNeil, vice president of California-based Edgewood Partners Insurance Center (EPIC). "If you then fail to meet what you have attested to and there is a subsequent breach claim, you will likely find it much more difficult to get the claim paid."
In addition, cyber insurance underwriting and post-breach testing of the coverage is still in its infancy. We have yet to see how or when the insurance companies will pay claims. The key is to choose a good, honest broker and to be sure that whatever you say you are going to do gets done.
The bottom line: There is no hiding place for those who are seen by the public to have blatantly chosen the easy way out at the expense of the public's private information. It's incumbent upon all of us to make sure that we aren't just managing our own risk. Those who place their data in our care should be able to trust us to guard it properly.
There is no doubt that we all make mistakes and that breaches will happen, but willful neglect should never be seen as an acceptable option.
This was first published in October 2013