The number of cyber attacks and data breaches has increased significantly in recent years, and public entities are not exempt. These “cyber events” include the theft or release of personally identifiable information such as Social Security numbers from a computer system, the transmission of malware from a computer to a third party or a “denial of service” attack that results in the inability to use computers or websites.

These incidents can have a considerable financial impact on a public entity, including the cost of lawsuits, crisis management and notification of the affected parties. They can also lead to a public relations nightmare.

But despite these facts, some public entities continue to believe they are not truly susceptible to a cyber event. Why?

Here are some of the more common misconceptions held by public entities concerning their vulnerability:

  1. “Public entities are not a target for cyber attacks.” Actually, public entities are a perfect target for cyber attacks considering the amount of confidential information in their possession. There is probably no other type of organization, other than a bank or financial institution, that stores more personally identifiable information. It's not uncommon for a public entity to have an individual's Social Security number, income statements, bank account numbers, driver's license number and even credit card information. In addition, public entities typically have confidential personal medical and health information for all of their employees.
  2. “We have the latest technology and software available to protect our electronic information and systems.” The growing number of cyber attacks (more than 500 million records breached since 2005) at both large and small organizations–even those with the most sophisticated software protection–demonstrates that no organization can be sure they are not susceptible. One of the most common causes of privacy information breaches today is not hacking, but human error. When confidential information is stored outside the network system on laptops, smartphones or other electric storage devices, it can be compromised when the device is lost or stolen.
  3. “Even if our network is breached, we are covered under our general liability or other insurance policies.” General liability insurance commonly provides coverage for “bodily injury” and “property damage.” Property damage typically means physical injury to tangible property, including the resulting loss of use of that property. However, electronic data is not tangible property and is not covered. In addition, property insurance, crime insurance and professional errors and omissions insurance do not typically provide coverage for cyber liability and notification requirement expenses.

  4. “Cyber liability notification requirements only apply to commercial businesses.” Currently, in addition to federal regulations, more than 45 states have enacted legislation to protect consumer privacy. These state and federal requirements apply to for-profit and not-for-profit organizations, including public entities. Both state and federal agencies may investigate and take action against any organization that is negligent in the handling of confidential personal information.

  5. “If we had a data breach, we could handle the notification requirements ourselves.” Most public entities would have difficulty complying with state and federal notification requirements in the event of a data breach. It is also common for goodwill purposes to provide credit monitoring services and identity theft education and assistance for the affected party. Most public entities would not have the expertise and staff to provide these types of additional goodwill services for the affected party.

So how can public entities protect themselves?

First, assess the exposure. Start with a comprehensive review of the public entity's entire computer system and safeguards, with an internal review by a dedicated individual or team, or by an independent firm specializing in computer system security evaluation. In either case, every aspect of the computer system should be analyzed to determine any weaknesses or areas of susceptibility that need to be addressed.

Once the evaluation is complete, all improvements to secure the computer system should be undertaken as soon as possible. This may include improvements and formalization of internal safety procedures, as well as the purchase of new or additional hardware and/or software to safeguard the computer system and integrity of the confidential information.

Second, every public entity should consider purchasing crisis management/notification expense coverage and cyber liability coverage. For first-party crisis management/notification expense coverage, the product and services available vary from carrier to carrier, but coverage for a public entity should include:

  • A computer forensic analysis to determine the cause and extent of the privacy breach
  • A crisis management review and advice from an approved independent crisis management or legal firm
  • Expenses associated with notifying affected parties to maintain goodwill or comply with any notification requirements imposed by law
  • Call center services for credit monitoring as well as identity theft education and assistance for affected individuals.

Third-party cyber liability coverage is typically provided to protect the public entity for the following:

  • Liability arising out of the unauthorized access of confidential information from the public entity's computer system or the accidental release of confidential information from its computer system
  • Liability arising out of the transmission of malware from the public entity's computer system to a third party.

This combination of crisis management and cyber liability coverage can help protect a public entity's image and assets in the event of a cyber attack.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.