By Meaghan Tyndale-Williams, Vice President – Commercial Lines
Do You Know Your Organization’s Responsibilities Before and After a Cyber Breach?
Many states have established their own laws regarding the actions a company must take after a cyber breach. In New Jersey, according to the NJ Identity Theft Prevention Act:
- Businesses in New Jersey are required to respond to a data breach quickly.
- The business must notify those impacted through email or written notice.
- If the breach affects more than 1,000 people, the business owner must notify all consumer-reporting agencies.
Complying with these procedures needs to be taken very seriously. The Consumer Fraud Act enforces data breach notification statutes in New Jersey, and if a business willfully, knowingly or recklessly violates this act, the business may have to pay the injured parties three times the damages (plus attorney fees and court costs). Most recently in New Jersey, the Attorney General fined Virtua Medical Group $418,000 for failing to protect the privacy of 1,650 patients' medical information. Virtua was not the cause of the breach; the information was exposed by a vendor. However, Virtua had not conducted a risk assessment, had not instituted a workforce security awareness program and had no contingency plan in place for information recovery, all of which are violations of the NJ Consumer Fraud Act and HIPAA.
In 2018 so far, cyber breaches have affected the following private companies, federal agencies, and local school districts in New Jersey:
- Best Buy – April 13, 2018
- Under Armour/MyFitnessPal – April 5, 2018
- Saks Fifth Avenue and Lord & Taylor – April 5, 2018
- Panera Bread – April 5, 2018
- CareFirst – April 5, 2018
- Orbitz – March 23, 2018
- Walmart partner MBM Company exposes data on 1.3 million customers – March 23, 2018
- Applebee's – March 12, 2018
- 2,844 new data breaches containing over 80 million records discovered – March 12, 2018
- Equifax – March 2, 2018
- NIS America – March 2, 2018
- United States Marine Corps Forces Reserve – March 2, 2018
- 23,000 digital certificate private keys compromised – March 2, 2018
- Bongo International/FedEx – February 16, 2018
- U.S. Immigration and Customs Enforcement – January 25, 2018
Most organizations have no idea that cyber-attacks can wreak such havoc on their bottom lines. The current laws place the burden squarely on the shoulders of each organization to regularly assess their risks, implement extensive cybersecurity systems, and enforce similar processes at their third-party service providers. Penalties are especially harsh if regulators believe that a hacked organization failed to take appropriate precautions to safeguard personal data. Post breach, a company may face a combination of fines and mandates to improve cybersecurity programs.
With the updates in the current cybersecurity laws, sole reliance on your IT professionals is not enough. In addition to having an insurance policy in place to help pay for some or all of the costs associated with a breach, all businesses need a written cybersecurity plan. Such a plan should cover a regular process for identifying potential risks, practical measures to prevent those risks from materializing, and response and recovery plans to be put into action as soon as an incident occurs. An insurance broker knowledgeable in this area can help you with both the policy and the plan.