Part 3: Data Security – A Growing Threat for IT Businesses

Data breaches have gone mainstream – that’s the takeaway from the last year of headlines about breached retailers, lost laptops, corrupted files, and rogue employees exposing reams of confidential information after fleeing the company (and in some cases, the country). This means that IT businesses – even those whose owner is its sole member – need to pay attention and take steps to strengthen the security of the data they work with.

Many IT contractors may assume they don’t store or process enough client data to be at a real risk of suffering a security breach – and often, they’re right. But many face a significant threat from data breaches that happen to their clients, thanks to what’s called third-party cyber liability exposure.

First-Party vs. Third-Party Cyber Risks

Here’s a brief overview of how different cyber liability exposures work and why, as an IT professional, you should pay attention to them.

  • First-party cyber risk: This is the exposure faced by businesses whose networks are attacked. Businesses that store customer data (in the form of credit card numbers, names, addresses, Social Security numbers, medical information, and more) have a higher first-party cyber liability risk.
  • Third-party cyber risk: This is the exposure faced by IT professionals who work with businesses that might be targeted by a data breach. For example, imagine a systems integrator who’s hired to link a hospital’s billing platform with its new digital patient records platform. She completes the project and it works well, but a month later the hospital suffers a terrible data breach. It turns out, the systems integrator set up a login system that failed to properly compartmentalize employee access to data. The hospital has to notify affected patients and pay HIPAA and HITECH fines, and it sues the systems integrator for liability.

So to summarize: if you’re doing information technology work for clients (and by definition, you probably are), you most likely have some cyber liability exposure. How much? And from where? Read on to see where small IT businesses are most exposed.

Third-Party Cyber Liability by the Numbers

When asked on the TechInsurance application whether they’re responsible for client data, 25 percent of applicants replied “yes.” But it’s unclear whether that number is accurate – in other words, it’s not clear whether applicants realize to what extent they may be legally responsible for client data based on the work they do. (For a more detailed look at what kind of third-party cyber exposures small IT professionals have, see the chart below.)

For example, imagine a database administrator (DBA) responsible for migrating a client’s records to a cloud-based system. The DBA was responsible for researching cloud platforms as well as actually migrating the data. A month after the successful migration, the cloud software platform is hacked, exposing the client’s data. Because it was part of the DBA’s professional role to research and recommend the software, the client could sue the DBA for liability for the breach.

That’s the scary reality of third-party cyber liability: it’s much more all-encompassing than many IT professionals realize. Any time the work you do in a professional capacity exposes one of your clients to a data breach, you open yourself to liability.

You may be wondering how likely you are to be found liable for damages associated with such a breach. In a perfect world, any judge who heard the case would say something like, “We all know that no IT professional has time to monitor the ongoing security practices of every service he recommends. Of course this breach was not the professional’s fault.” But as we noted earlier in this report, we don’t live in a perfect world, court-wise. The likelihood of being found liable for a third-party cyber damages will depend largely on the strength of your contracts and the ability of your attorney to defend your position.

Note: While the majority of small IT businesses have exclusively (or primarily) third-party cyber exposures, a significant minority also have first-party exposures. In addition to those who work in data mining and similar industries, 11 percent admit to storing or transferring data without encrypting it. Businesses like these are valuable targets for hackers. We’ll address risk management for both first- and third-party exposures in the next section.

Managing Cyber Liabilities

It’s easy to feel overwhelmed by the cyber risk exposure you face as an IT business owner. After all, hackers are everywhere and they’re always innovating. And very few people take adequate measures to protect their data – in fact, a recent Consumer Reports survey found that 34 percent of Americans do nothing at all to secure their smartphones. Yikes.

But there is some good news. According to Verizon Enterprise’s 2014 Data Breach Investigations Report (DBIR), data breaches aren’t totally random. Each industry is prone to certain types of intrusions. For example, retail businesses and restaurants, which tend to process a high volume of customer data from transactions, are highly susceptible to point-of-sale intrusion. Healthcare businesses, on the other hand, are more likely to experience a breach after a device containing information is lost or stolen.

IT business owners can maximize the return on investment of their data breach prevention activities by focusing on preventing the breaches most common in their clients’ industries. And certain best practices are important for clients in any industry. These include the following:

  • Use strong client contracts. Contracts that limit your liability for data breaches can help prevent the court system from finding you liable of wrongdoing in the event of a breach.
  • Establish strong in-house security. Data security best practices (including using strong passwords and keeping tabs on your flash drives) go a long way toward preventing breaches of your system. For more tips, check out our blog post Security Recommendations for Technology Businesses with Retail Clients.
  • Educate clients about data security. Your clients probably aren’t as tech-savvy as you are. Assisting them in keeping their network, machines, and data secure helps minimize the chances they’ll be breached and turn to you to collect damages. (Related reading: How to Talk Cyber Security with Your Clients.)
  • Be prepared. Having policies in place for getting client approval of projects and resolving any client disputes that arise can greatly reduce your risk of facing a lawsuit when something goes wrong.
  • Invest in proper business insurance. When all else fails – that is, when your client is breached and you’re named as a guilty party – business insurance can pay the costs of defending you in court. IT professionals can manage their third-party cyber exposures with Errors & Omissions Insurance, which usually includes a third-party cyber clause for tech businesses. Those with first-party exposures can purchase Cyber Risk Insurance as an endorsement to an existing technology Professional Liability or General Liability policy. Keep in mind, though, that insurance doesn’t protect you against everything. Your best bet financially is to prevent claims whenever possible.

Client Education Resources

Both data breach problems and disputed work outcomes are, at their core, client communication issues. As we compiled this report, that message kept hitting us over and over: the most important thing IT professionals can do to lower their risk of expensive lawsuits or data breach incidents is to proactively manage client relationships.

But because we also know that most of the people we work with are one-person operations, we understand that you don’t have time to train your clients in data security practices or draft legally rigorous contracts for every project you take on. To help you achieve the goals of client communication without spending all your time and money on it, we’ve decided to expand TIMI to include informational materials you can distribute to your customers about how to keep their data safe.

Stay tuned to TechInsurance for our client education packet. It will be available for free download, and you’ll be able to share it easily with your clients for a simple win-win: they’ll have lower exposure to data breaches and hackers, and you’ll have lower exposure to lawsuits over your performance. Oh, and because we sell insurance, we’ll benefit, too: the fewer claims incidents our clients have, the happier we are.

70% of businesses raise prices or cut hiring when sued