Haliburton Insurance Inc has been in the Regina community for over 50 years, and we know it is customer service and knowledge that count when you are in need of an insurance company in Regina. Our team of dedicated insurance brokers in Regina can assist you in finding the plan that works best for your insurance needs and your unique circumstances. In our recent post here we discuss Data Compromise, explaining what it is, how it can affect you, and most importantly how to protect yourself from this situation. All of this is particularly relevant due to the increased ‘digitization’ of businesses in the time we are living in.

One of the newest and least purchased products in our industry is quickly becoming one of the most important following the COVID-19 pandemic response. Many businesses and organizations have taken this time as an opportunity to digitize their businesses, with many opting for an online store or some form of an online portal to service their clients. While this is great for business, and definitely a plus for interconnectedness and the ability to move product to new markets, it also opens a company up to more liability for lost or compromised data. This is not a new risk of course, as it applies to both physical and digital files. The costs associated with a data breach have increased significantly over the past few years due to changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in November 2018. These changes set out requirements that apply any time there is a breach of data that compromises someone’s personal information and constitutes a real risk of significant harm. While not strictly defined, significant harm can be bodily harm, humiliation, financial loss, identity theft, and damage to property, among other things.

When a breach is detected that could cause significant harm as described above, your business is required to respond by notifying the affected members/clients that their data has been breached, including what was accessed. This can be a costly endeavour, with the average cost of a data breach per person being around $250. The average cost of a large-scale data breach, in fact, is around $2 – 3 million. There are times when organizations know that there has been a breach but the full scale of it is not known. The costs associated with these can be huge.

The naming of the coverage as “data compromise” or “cyber” is a bit of a misnomer, because if you have a physical filing system, you can still be affected in a major way. Obviously, if only one person’s data is affected, then the cost may not be significant, but consider your techniques for getting rid of old documents. If your strategy is to just throw old records in the garbage, you may have a large breach on your hands. If you are offloading 1000 old records you believe to be stale-dated into the standard garbage, you can easily see a breach of upwards of $250,000. If someone accesses your building and your file room, you may need to notify every person whose data you store physically, which could be significantly more costly. A better strategy, then, would be shredding all documents, or subscribing to a service that shreds your documents for you, as well as having a locked room for all your files and practising key safety principles.

If you have a digital filing system, you are susceptible to hacks from multiple different avenues. Ensuring your firewall is capable of blocking unwanted outside traffic is one step, but this would only prevent outside actors from entering your system without your invitation. A USB stick picked up off the ground and plugged in to see what is on it may contain a virus used to access the system, and a program downloaded from an unknown source could contain a virus as well. Social engineering could cause significant harm to your business, as you may believe you are conversing with someone of authority within your organization and may inadvertently give access to sensitive data to someone looking to damage your business.

The good news is that you can be insured for this, and the expert team here at Campbell & Haliburton can help you determine what insurance works best for you depending on your business. Your first steps to digital safety are having an appropriate strategy in place for storing and destroying customer data, as well as having an IT strategy that includes training staff against possible hacks and social engineering strategies. Without these first steps in place, you will not be prepared for an attack on your data. Once you have a strategy in place for dealing with a breach or preventing one before it occurs, you are able to purchase insurance to protect your business against this should it happen. Many insurers have taken to including a base amount of coverage for third-party costs, but this is typically a small amount of coverage that may not protect you in the case of a large breach. Third-party costs include covering losses to clients, such as providing credit monitoring services and replacing documents that may be compromised by the loss. First-party costs are typically not covered by these built-in policy types, however, so the cost to your business of retaining IT firms and lawyers and sending mail out to those affected would require a separate policy, as would higher limits of third-party cyber coverage.

Considering the average cost of a data breach at $2 – $3 million, the amount of coverage you purchase should exceed this amount, as there is no way of knowing how much you may need until you need it. We always recommend carrying as high a limit as possible, as it is impossible to know how much coverage you may need until the moment you need it.

Common Misconceptions:

 

My business is too small to be attacked

Sometimes hackers look to go after smaller businesses in order to find breaches into larger organizations. Consider that you are a small renovation contractor who has been contracted out to rebuild a portion of a larger store after a fire. In order to properly repair the building, you subcontract out to an IT firm to repair the computer network storing customer data such as credit card information, names, addresses, and dates of birth. In the process of repairing, you are called by the owner of the store, who asks that you add his IP address to the system so he can access files from home. This person who called uses the correct name, speaks in the same mannerisms as the store owner, and you believe it to be the same person. You have the IT firm comply with the request only to find out that the person was not the store owner, but a data thief who can now use the data for nefarious purposes.

We have on-staff IT, they monitor for anything coming in

Monitoring things coming in is not the only way to stop a hack. Sometimes it is as simple as someone plugging in a USB drive that contains a rootkit, installing a virus to the system without needing to go through the firewall. While the IT staff may be monitoring incoming transmissions, they cannot monitor every computer all the time. Appropriately training staff to not plug in unknown devices to their computers can prevent this, but if it happens it is best to be prepared.

Our files do not contain anything private or sensitive

While this may be your perception, if you store a person’s name, address, and phone number, these three things can be used to impersonate your client and give a hacker access to other information elsewhere. If this startling information was obtained from your business, you could be found to be liable for damages incurred as a result of the loss.

Our Trusted Regina Insurance Agents at Campbell & Haliburton have your best interests and safety in mind and our commitment to customer service is one of the pillars of our business. We also know insurance inside and out, so please contact us for all of your insurance needs and we will be more than happy to help ensure what you value most is protected.

For more information, visit the Office of the Privacy Commissioner of Canada’s website: https://www.priv.gc.ca/en/privacy-topics/business-privacy/