Identity theft is the fastest-growing crime in the United States. Each year, more than 15 million Americans fall victim. It’s also the number one consumer complaint received by the Federal Trade Commission.
The increasing incidence of corporate privacy breaches has resulted in a greater number of lawsuits, consumer backlash and regulatory actions, including fines. More than ever, customers today expect their personal data to be protected.
Forty-seven states have enacted legislation requiring companies to notify consumers if their personal information may have been compromised. Even in states where notification is not required by law, failure to notify an individual of a potential identity breach may result in severe civil, regulatory and legal liability costs, as well as potential damage to a company's reputation and loss of consumer confidence.
Identity theft can take place alarmingly fast, and its impact can be devastating. The associated financial ruin should not be underestimated.
Businesses must consider customer and investor concern, the fallout from negative and embarrassing information, and legal and regulatory pressures. Customers and investors alike lose confidence after any negative news about a corporation, especially when the public perceives that the due diligence required to safeguard customer information was absent. A major, unforgiving event can cause a corporation to lose credibility and business to a competitor. Such an occurrence can be disastrous to a company, possibly to the extent that it may not entirely recover.
Steps to Prevent
1. The first step is to shred, shred, and shred. This basic preventative control limits access by external unauthorized individuals.
2. Limit access to information to job-related functions. Classifying data may help reduce the risk of excessive privilege and avoid the high cost of overprotecting information.
3. Never respond to unsolicited requests for personal information. There have been instances in which employees emailed highly sensitive W-2 records to criminals posing as a company executive.
4. Install firewalls and anti-virus software on your machines.
5. A privacy impact analysis is an integral part of an organization’s security management program. This assessment ensures that the risk of exposing personally identifiable information is contained at every level. By identifying vulnerabilities (e.g. personal data stored at processing vendors) throughout the business process, an organization can help reduce the possibility of identity theft occurring at different stages and apply safeguards (e.g. encrypting laptops) to the information that has been entrusted to its care. The assessment creates a structured process for analyzing nontechnical and technical requirements, as well as compliance with relevant regulations.
While the opportunity to contractually transfer the financial risk of identity theft is minimal to non-existent, there are insurance products on the market that can help transfer some of the financial risk that companies face in this area.
Cyber insurance has evolved from a small provision in the Errors & Omissions Policy for larger technology firms to a standalone product carried by retailers and other companies that hold a large amount of consumer data. The popularity of this insurance product has soared in recent years.
Insurance products are available that offer coverage to the insured company for:
First party costs
- Network Security
- Media Liability
- Errors & Omissions
Third party costs
- Legal liability damages
- Defense costs
- IT forensics expenses
- Regulatory action expenses
- Impacted party notification costs
- Crisis expenses
- Post event services including identity theft recovery services such as education, assistance, and credit monitoring for victims
Purchasing the right cyber liability insurance can be a bit troublesome. Currently, there is little to no standardization of forms and endorsements in the marketplace, and limits and retentions may vary drastically depending on your loss history and your organization's IT security and incident response best practices.
The best way to get the right coverage that suits your business’ specific needs is to consult with an Independent Risk & Insurance Advisor.
When properly implemented, due care by organizations helps prevent the loss of credibility and money associated with embarrassing negative publicity, as well as legal repercussions. Organizations with these processes in place position themselves to save not only their reputation, but also bottom-line dollars spent on their Total Cost of Risk (TCOR). It is imperative for organizations to take appropriate and reasonable measures to help reduce the risk of fraud through identity theft.