The number of cyber attacks and data breaches has increased significantly in recent years, and public entities are not exempt. These “cyber events” include the theft or release of personally identifiable information, such as Social Security numbers, from a computer system; the transmission of malware from a computer to a third party; or a “denial of service” attack that leaves computers or websites unusable.
These incidents can have a considerable financial impact on a public entity, including the cost of lawsuits, crisis management and notification of the affected parties. They can also lead to a public relations nightmare.
But despite these facts, some public entities continue to believe they are not truly susceptible to a cyber event. Why?
Here are some of the more common misconceptions held by public entities concerning their vulnerability:
1. “Public entities are not a target for cyber attacks.” In fact, public entities are an attractive target for cyber attacks because of the amount of confidential information in their possession. Other than a bank or financial institution, there is probably no other type of organization that stores more personally identifiable information. It is not uncommon for a public entity to hold an individual’s Social Security number, income statements, bank account numbers, driver’s license number and even credit card information. In addition, public entities typically hold confidential personal medical and health information for all of their employees.
2. “We have the latest technology and software available to protect our electronic information and systems.” The growing number of cyber attacks (more than 500 million records breached since 2005) at both large and small organizations, even those with the most sophisticated software protection, demonstrates that no organization can assume it is not susceptible. One of the most common causes of privacy breaches today is not hacking but human error. When confidential information is stored outside the network on laptops, smartphones or other electronic storage devices, it can be compromised when the device is lost or stolen, particularly if the data on the device is not encrypted.
3. “Even if our network is breached, we are covered under our general liability or other insurance policies.” General liability insurance commonly provides coverage for “bodily injury” and “property damage.” Property damage typically means physical injury to tangible property, including the resulting loss of use of that property. Electronic data, however, is generally not treated as tangible property and is therefore not covered. In addition, property insurance, crime insurance and professional errors and omissions insurance do not typically provide coverage for cyber liability or notification expenses.
4. “Cyber liability notification requirements only apply to commercial businesses.” Currently, in addition to federal regulations, more than 45 states have enacted legislation to protect consumer privacy. These state and federal requirements apply to for-profit and not-for-profit organizations, including public entities. Both state and federal agencies may investigate and take action against any organization that is negligent in its handling of confidential personal information.
5. “If we had a data breach, we could handle the notification requirements ourselves.” Most public entities would have difficulty complying with state and federal notification requirements in the event of a data breach. It is also common, for goodwill purposes, to provide credit monitoring services and identity theft education and assistance to the affected parties. Most public entities do not have the expertise or staff to provide these additional goodwill services.
So how can public entities protect themselves?
First, assess the exposure. Start with a comprehensive review of the public entity’s entire computer system and its safeguards, conducted either internally by a dedicated individual or team, or by an independent firm specializing in computer system security evaluation. In either case, every aspect of the computer system, including any confidential information held on laptops, smartphones or other portable devices, should be analyzed to identify weaknesses or areas of susceptibility that need to be addressed.
Once the evaluation is complete, the improvements needed to secure the computer system should be undertaken as soon as possible. This may include improving and formalizing internal security procedures, as well as purchasing new or additional hardware and/or software to safeguard the computer system and the integrity of the confidential information it holds.
Second, every public entity should consider purchasing crisis management/notification expense coverage and cyber liability coverage. For first-party crisis management/notification expense coverage, the products and services available vary from carrier to carrier, but coverage for a public entity should include:
- A computer forensic analysis to determine the cause and extent of the privacy breach.
- A crisis management review and advice from an approved independent crisis management or legal firm.
- Expenses associated with notifying affected parties, whether to maintain goodwill or to comply with notification requirements imposed by law.
- Call center services, credit monitoring, and identity theft education and assistance for affected individuals.
Third-party cyber liability coverage is typically provided to protect the public entity for the following:
- Liability arising out of unauthorized access to confidential information on the public entity’s computer system, or the accidental release of confidential information from that system.
- Liability arising out of the transmission of malware from the public entity’s computer system to a third party.
This combination of crisis management and cyber liability coverage can help protect a public entity’s image and assets in the event of a cyber attack.