Let’s take a look at data breaches that have occurred over the past week and what, if anything, can be done to prevent (or insure against) them.

• A report by Wake Forest Baptist Medical Center to the state attorney general’s office explained that 357 people were affected by documents from an 11-year period taken from the medical center due to a security breach, the Winston-Salem Journal is reporting. Wake Forest Baptist issued a statement early last month that it had fired an employee, Linda Bowden Turner, who had taken medical records and documents from 1995 to 2006 from the medical center to her own properties.
• If you used a credit or debit card at Margarita’s restaurant over the past three months, a virus might have culled your information before it could be encrypted and then sold to underground markets, Huntsville police said. At least 200 people over the past two weeks have reported incidents of stolen bank account information, and authorities said they suspect there are many more cases that have not been reported and many potential victims whose numbers have not yet been used by thieves.
• Nearly 700 Toshiba customers’ emails and passwords have been stolen from the company’s U.S. servers, the latest company to be hit by hackers, although it doesn’t appear to be the work of the same groups that have infiltrated Arizona law enforcement, Orlando tourism or PBS. TechEYE.net reported that the hacker VOiD targeted Toshiba and claimed “to gain usernames and passwords on 450 of the company’s customers” as well as about 20 re-sellers and 12 administrators on the company’s Electronic Components and Semiconductors and Consumer Products sites.
• Lady Gaga has called in police after thousands of her fans’ personal details were stolen from her website. Her record label acted after the site was hacked into by US cyber attackers SwagSec. A source said: “She’s upset and hopes police get to the bottom of how this was allowed to happen.” The group struck on June 27 but did not make the information, which included names and email addresses, public until this week.
• Anonymous, a group of “hacktivist” computer-savvy attackers, has already speared a number of big fish: credit-card companies, the church of Scientology, and Monsanto, a biotechnology firm. And the hackers have flaunted their skills by successfully attacking computer-security expert firms, like HBGary. Its latest victim is Booz Allen Hamilton, a big consulting firm to America’s government, including on cybersecurity, with bigwigs like a former CIA head and a former director of national intelligence on its payroll.

So how do companies work to prevent or mitigate the effects or data breaches? One option is cyber liability insurance. Major insurers like Chartis, ACE and Hiscox have been in the cyber liability insurance game for several years now and smaller insurers are entering the market at a rapid pace. But what types of coverage does a cyber liability policy include? According to Dave Navetta, partner at InfoLawGroup and contributor to Fox News, the following may be included:

• Breach Notice Costs. Coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring services. These costs involve a multiplier effect. For example, credit monitoring can cost anywhere from $10 to $200 per year, per person impacted by a breach. If one million individuals are at issue, costs could run in the millions of dollars. These costs also include attorney fees and forensic investigation expenses to determine the cause of a breach and whether notice is required under law.
• Damages and Defense Costs. Provides coverage for information security and privacy breaches and technology professional liability. This element of the insurance plan is specifically designed to provide coverage for damages and defense costs arising out of lawsuits or claims resulting from a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Some cyber policies will also protect your business against the cost of regulatory investigations or actions due to a security or privacy breach.
• Service Provider Breach.With more companies outsourcing their data processing to third parties or the “cloud,” it is important that a cyber policy provides coverage if the security breach happens to one of the insured’s service providers. That will protect your company against many types of expenses. However, these policies are unlikely to provide any coverage for the personnel hours expended internally to address the breach.
• Crisis Management, Business Interruption and Data Restoration. This insurance can also help cover the costs for getting the network back up and running and restoring lost data. Public relations services may also be included to help restore the company’s reputation.
• Denial-of-Service Attack. If your company or a service provider, such as a web host, is shut down by a denial-of-service attack or other type of hack, some insurance policies will cover lost income and the costs of repairing the network.
• Cyber Extortion. In a case where a hacker decides to hijack your website, network or database, and demands money to restore it, a cyber extortion clause in an insurance policy can help to cover the settlement and the cost of hiring a security firm to track down the hacker.

Does your company have cyber liability insurance coverage?

Thirty five percent revealed they just don’t get around to using a password on their business phones and smartphones, even though they know they should as they contain sensitive and confidential information! Surprisingly, IT professionals are only marginally better at using passwords than the general population, as a survey conducted earlier in the year by CREDANT found that 40% of all users don’t bother with passwords on their mobile phones.

The sorts of information that IT professionals are storing on their smartphones and mobiles, many of which are totally unprotected with a password, include:

• 80% Business names and addresses
• 66% Personal names and addresses
• 23% Business emails
• 16% Personal emails
• 12% Bank account details
• 12% Business diary with details of all their appointments and meetings
• 7% Personal diary
• 5% Credit card information
• 4% photos
• 1% Passwords and Pin numbers

Andrew Kahl, Sr. VP of Operations & Co-Founder from CREDANT Technologies explains “It is alarming to note that the very people who are responsible for IT security are not much better at protecting the information on their business phones than most of their co-workers, who don’t necessarily know any better. If a mobile or smartphone goes missing and isn’t protected with a password, and contains business names and addresses and other corporate data such as business emails, then the company is immediately in breach of the data protection act by failing to meet some of its principals on electronic data.”

A scary thought, considering that last year alone saw 656 different security breach incidents, an increase of 47% over 2007′s total of 446, according to the Identity Theft Resource Center. ITRC also claims that the bulk of breached data was unprotected by encryption or passwords.

If IT professionals are failing to protect sensitive data, who is succeeding?

And as reported today, the company has agreed to pay $9.75 million to 41 states as part of its settlement.

Framingham, Mass.-based TJX Cos. said Tuesday it will pay $2.5 million to create a data security fund for states as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states’ investigations. But TJX stressed that it “firmly believes” that it did not violate any consumer protection or data security laws.

Under the settlement, TJX must also prove that its computer systems meets stringent data security requirements.

Eleven people were charged with hacking into the systems of TJX and other retailers to steal credit card information. The legal proceedings for those individuals are still under way.

The chief finding is that 38% of Fortune 500 companies surveyed do not explicitly mention privacy/data breach in the risk factors section of their SEC 10-K filings, which when broken down by sector is even more alarming: 46% of diversified financial companies, 50% of telecommunications firms and an astounding 80% of utilities. 

Worse still is that, according to Whetstone, many of even those that do realize the financial and reputational risks associated with a potential security breach deem the easiest solution, encryption, to be too cost-prohibitive to use even though they realize it would largely mitigate the threat altogether. You see, currently around 45 states now have laws that require any organization that loses confidential consumer/patient/student/etc. data to notify anyone who was affected. And that’s when the lawsuits, complaints and horror stories of identity theft begin. Not only is this a huge financial burden — the costs of hiring computer forensic specialists, mailing notifications, setting up call centers and offering free credit monitoring adds up very, very quickly — but the comparable reputational fallout is nearly impossible to quantify.

All this could be averted in most cases, however, with data encryption since almost all those same state laws also include a “safe harbor” provision that allows companies who safeguarded the data to forego the onerous notification process.

To put this all in proper perspective, all Whetstone had to do was ask me one question: “You know why a car has brakes?” 

Since I learned this fact around first grade, I thought to myself “I got this one…to stop, right?”

But before I said anything he answered his own question: “So it can go fast.”

Most companies are prioritizing innovation — and rightly so. They’re trying to gather as much consumer data as possible to put this to use in sales, development and improved customer relations. But in making these technological advances, it’s also important to ensure you have the right safeguards in place. “It’s a constant battle between technology and the brakes on the car,” said Whetstone. “Companies are trying to be innovative — they’re trying to push the envelope — and that’s always dangerous.”

Whetstone has no delusions that any company should stall innovation for the sake of encryption and data security, however. On the contrary, he thinks gathering all this data is huge advantage for companies. They just have to be careful and understand their vulnerabilities. And all it takes is glancing at a few of the colorful charts in Hiscox’s report to realize that most companies are failing at the latter endeavor. In TJ Maxx’s infamous data breach, for example, the company was attempting to improve its store’s operations by implementing a wireless network yet it failed to realize that sub-par security opened up the location to nefarious data thieves.

Of course, it is indeed true that encryption is still expensive in some cases — back-archiving old legacy systems, for instance. But using encryption doesn’t have to be an all-or-nothing proposition and Whetstone believes that, at a minimum, companies need to at least encrypt the data stored on laptops, USB drives and back-up tapes. He includes this in what he calls a “defense-in-depth approach” to IT security. By securing those physical items that can be left at an airport or in a taxi cab, you allow risk managers and legal counsel to rest easy knowing that their employees at least won’t be giving confidential data away. Hackers can still breach the network and that will remain a concern, but protecting the physical storage devices provides a first level of defense.

And most importantly, risk managers need to be involved in the IT discussion. The ideal balance between the legal team, IT and risk management is unique for each company. But unless everyone is talking and understands the priorities and recommendations of the others, data breaches are only going to happen more often.

Hiscox found that only 7% of US companies have implemented end-to-end encryption on their confidential personal data.