Page 1: Top 10 Ways to Protect Your Company's Data

© 2016 Integro Insurance Brokers

TOP 10 WAYS TO PROTECT YOUR COMPANY’S DATA

You know how important data is to your business and you have heard all about data breaches, but where do you find a simple, straightforward summary of how to protect your company? This is a question frequently asked but rarely well-answered, so we have drawn on our experience helping companies protect their data to draft the following checklist. Adopting these measures will help set you on the path to resilience and help address the risks inherent in our data-driven world.

1. Know what you need to protect

§ Customer data: Social security numbers, payment card information, protected health information, transaction and account records, contact information, and other personal data.

§ Your “crown jewels”: The information critical to the development, performance and marketing of your company’s core businesses (e.g., information about your most valuable relationships, financial records, marketing plans, and trade secrets).

§ Confidential information: Negotiated rates and information required to be kept in confidence.

§ Employee records

2. Know where it is

When thinking about how to protect your data, you need to understand where the data is created, where it is collected and where it resides, which can include:

§ Your servers

§ Cloud server providers with which you have contracts

§ Mobile devices

§ E-mail, Wi-Fi and other transmissions

3. Protect it, reasonably

Your answers to these questions can help reveal how securely you keep your critical data. If you find yourself answering ‘no’ more often than ‘yes,’ it may indicate a need to strengthen your security regimen.

§ Do you encrypt the most important data at rest or in transit?

§ Do you require strong passwords?

§ How do you use anti-virus software, firewalls and intrusion detection (e.g., to prevent or detect malware)?

§ How do you know when your data is leaking, being accessed without authorization or taken?

§ Is cardholder information handled exclusively by a secure payment portal?

§ How and how often is your data backed up?

4. Limit access and educate

One of the keys to protecting your company against data theft is tightly controlling access to critical data. The following questions can serve as a mini-audit; use them to help you determine how careful you are in your decisions about who has the right to access your company’s important data.

§ Do you have the ability to limit access to your protected data to those who need it, and to terminate their access when they no longer need it?

§ How do you authenticate users?

§ Do you make security awareness education mandatory and compelling for your employees (e.g., to avoid phishing attacks and to use strong passwords)?

§ What physical security do you have in place?

§ Do you know, at all times, who has and/or who has had access to your protected data?

5. Control vendors’ access to your data

When you rely on vendors to protect your important data, contracts matter, especially for small and medium-sized businesses, which generally have difficulty keeping pace with constantly changing threats to data. Ensuring contracts have the right protections with suitable secure cloud platforms is critical to protecting your important data. Cloud offerings vary widely in their security and related assurances, so it is important to pick the right one first, and then protect yourself with appropriate contractual provisions. Particularly important questions include:

§ What does the vendor offer in terms of third-party audits and certifications?

§ What else can the vendor promise about its safeguards?

§ Will the vendor know if there is unauthorized access to your data? Will the vendor inform you at the first signs of such access?

§ What rights, if any, will you give the vendor in your data, or to any data derived or created from your data?

§ How, if at all, can the vendor share your data with any other entities, and under what conditions?

§ How will you get your data back at the end of the contract, or how will the vendor protect the data it retains?

§ If a vendor has access to your systems, have you limited the vendor’s access to correspond to the scope of services to be provided?

6. Know your privacy policy(ies)

Your company’s privacy policies are the promises you make regarding the protection of personal data, and you may be held accountable to them. You almost certainly need one posted on your website, and a very different one – both in terms of the issues, the people addressed and the rights granted – in your employee handbook. Then you need to think about what the rules are for the mobile apps you may provide to your customers and employees. You may need additional policies, notices and provisions, depending on your business, relating to different types of customers and vendors.

7. Plan for data loss, theft and other incidents

Regardless of how comprehensive your company’s security posture is, data loss and theft will occur. The key to preserving your customer relationships and the value of your business, as well as preventing lawsuits, is often a deliberate, prepared and expedient response. At a minimum, that response should include the following:

§ Your employees and contractors must know where they must immediately report any suspected loss or theft of your data or unauthorized access.

§ You need to have a team ready to respond, who can deal quickly and effectively with:

    § Containment and prevention of harm;

    § Communication with customers, other stakeholders and media;

    § Notification of insurance carriers, law enforcement, regulators;

    § Affected individuals;

    § Remediation and improvement of safeguards.

If you respond well, an incident that could otherwise really hurt your business can instead be leveraged to build trust.

8. Get coverage

The risks of loss or theft of data and business interruption are precisely the type that insurance best addresses. This is primarily because incidents will happen to your data that are substantially beyond your control. When you understand what your risks are, and have taken basic steps to prevent and prepare for security incidents, you can choose the coverage that best addresses your risks and needs.

Today, that coverage almost certainly includes a network security and privacy liability (“cyber”) insurance policy in addition to standard E&O, crime / fidelity and commercial general liability coverages, with special attention paid to issues such as:

§ Extortion loss

§ Tech E&O

§ Business interruption loss

§ Data recreation

Companies should also review their D&O and cyber-risk policies to determine whether there is coverage for shareholder actions arising out of breaches or security events. That determination is best made following a review of any insurance offer. When reviewing an offer of insurance, companies should consider the following:

§ Definition of Computer Network: This definition lies at the heart of all cyber policies and should accurately reflect your systems, including how you and your employees and contractors exchange data (e.g., cloud computing, use of employees’ own mobile devices).

§ Acts by Employees: Many cyber policies preclude coverage for intentional acts of past or present employees. This policy exclusion often extends across both the first-party and third-party (i.e., liability) coverage parts. In addition to the intentional acts exclusion, some policies include broad exclusions that could be read to apply to employee negligence. Business leaders must have a full understanding of the extent of coverage for acts by their past and present employees and other members of their organizations.

§ Minimum Requirements: In some instances, policies contain exclusions that require the maintenance of minimum levels of security. In other instances, carriers avoid coverage by relying on conditions within the policy that require policyholders to implement certain security measures that were disclosed on the application for insurance.

§ Coverage Parts (policy limits and sub-limits): Cyber policies include multiple coverage parts; the limit or sub-limit applicable to each coverage part is dependent on the carrier’s underwriting appetite and the specific needs of an individual insured. It is essential that the insured understand the limits and sub-limits available for each coverage part.

§ Coverage for Bodily Injury and Property Damage: If a cyber-event involving your important data could be associated with bodily injury or property damage, you need to pay attention to that exclusion in most cyber policies and know how, if at all, you are covered. Increasing coverage needs in this area are expected.

9. Get practice

Organizations cannot allow their cybersecurity programs to gather dust. Once adopted, the policies and procedures must be regularly tested, reviewed and revised to address an ever-changing threat environment. Organizations that do not routinely assess their security procedures and safeguards against their changing threats are not only likely to experience more cyber events, but to have more challenges in responding effectively to those events.

10. Expect new threats and solutions

New threats to the integrity of your systems and the safety of your data are developing on a regular basis. Most malware attacks come in waves and affect similarly situated organizations. Due in large part to the speed at which these threats materialize, organizations have become dependent on industry groups and friends to serve as a de facto early-warning device for impending attacks.

In the last few years, we have seen an increase in technology that can protect the data created and stored by small and medium-sized businesses. New encryption solutions, secure development platforms and limitations on where sensitive data can be processed are all technologies integral to a robust cyber security posture.

It is safe to assume that the threats to the security of our data will continuously change and become more sophisticated. To counter these changes, we must remain vigilant, adopt better business procedures and safeguards for protecting data, continue to make advancements in technology and develop risk transfer solutions that address the unique exposures faced by organizations in specific industries.

About Integro

Integro is an insurance brokerage and risk management firm. Clients credit Integro’s superior technical abilities and creative, collaborative work style for securing superior program results and pricing. The firm’s acknowledged capabilities in brokerage, risk analytics and claims are rewriting industry standards for service and quality. Launched in 2005, Integro and its family of specialty insurance and reinsurance companies, some having served clients for more than 150 years, operate from offices in the United States, Canada, Bermuda and the United Kingdom. Its U.S. headquarters office is located at:

1 State Street Plaza, 9th Floor
New York, NY 10004
877.688.8701
www.integrogroup.com

Kilpatrick Townsend is a leading knowledge asset protection law firm that helps its clients protect their most important information. The firm’s Cybersecurity, Privacy & Data Governance Practice takes a comprehensive, multidisciplinary, and integrated approach to helping clients anticipate and obviate information risks, appropriately monetize information, comply with law, and contain and obtain coverage for incidents. Jon Neiditz co-leads the practice, is listed as one of the Best Lawyers in America® in Information Management Law, and blogs at datalaw.net and linkedin.com/in/informationmanagementlaw.

For more information, contact:

James Sheehan, J.D.
Integro Insurance Brokers
617.531.6865
[email protected]

The content contained herein is not intended as legal, tax or other professional advice. If such advice is needed, consult with a qualified adviser.

CA Lic. #0E77964