Risks of Technology in Your Business
No matter the size of your business, you are most likely using some form of technology in your day to day operations. Increased use of computers for bookkeeping, human resource tracking, email, websites, e-commerce and social media have created new risks for businesses.
In the days before technology, it was common to ask your insurance agent to insure your tangible assets (building and business personal property) and insure the loss of use of those assets (loss of business income). Now it is also common to have a discussion about the loss of intangible assets (data loss, data breach, business methodologies, copyrights, brand recognition) and what might be the cost of losing those intangible assets.
The loss or breach of data is the concern that affects the broadest number of businesses, and a risk that is generally insurable with the use of a Cyber Liability or Cyber Security Policy. These policies are meant to cover a broad range of costs associated with data loss/breach including the costs required to notify customers that their data has been breached. These costs are currently estimated at $210 per record. The two most common reasons for data breach are human error or rogue employees. However, there are also accounts of hacking, theft of digital assets, cyber extortion and malicious code which create a variety of first party and third party cyber breaches for businesses. Here are some possible scenarios:
●Hacker gains access to credit card information of a restaurant chain
●Government employee losses his laptop which has 3 million student loan records on it
●A hospital employee accidentally posts a link online to patient files
●An angry employee leaves with a thumb drive containing proprietary information
●A juvenile releases a worm that creates a computer company shutdown
●A hacker who finds a system vulnerability extorts that he will blog their employment records
There are a variety of factors that are considered when purchasing cyber liability insurance. These include but are not limited to: your particular risks and the controls you have put in place to mitigate those risks, your media liability controls, and your privacy controls. I would suggest that if you have questions about your vulnerability to a cyber event, filling out the cyber liability underwriting questionnaire can be an enlightening experience. An insurance company will be using the information on this questionnaire to determine what your risk of loss is. This same information can give you insight on vulnerabilities in your computer system.
For instance, one common question on a cyber liability questionnaire concerns credit card usage. You will be asked if you are in compliance with Payment Card Industry Data Security Standard (PCI DSS). A quick Google search will bring you to the site where you can perform a Self Assessment to find out if you are indeed compliant with this standard. There are also questions that will review your virus controls, policies for removal of outdated records and encryption of data.
Another concern for businesses has to do with the increased use of social media for employers and employees. Social Media Liability is an emerging term for claims that include libel, slander, harassment, invasions of privacy, and improper employment practices resulting from the use of social media sites. Traditional Commercial General Liability policies would use the established terms of “Personal and Advertising Injury” which covers most businesses for accusations of libel, slander or invasion of privacy. This coverage was originally used to cover print media comments but has recently been broadened to include “material placed on the Internet or on similar electronic means of communications” in its definition. It used to be that this type of loss would occur with a couple of employees hanging out at the water cooler. The effect of the internet and social media is that damages can be far more substantial with the far reaching nature of such comments causing the possibility of multiple jurisdictions being involved.
Although “Personal and Advertising Injury” is the coverage most commonly used for libel, slander and privacy claims, there are a few notable exceptions. If you are in the business of advertising, website design or other professions which have a higher incidence of these types of claims, this coverage may be excluded for your business. Another caveat is that most insurance policies do not cover “intentional acts”. Many policies include exclusions for “Knowing Violation of Rights” and “Knowledge of Falsity” and courts are still working out how these exclusions may apply to claims.
“What about my employees? They are bad mouthing me on Facebook. Don’t I have the right to discipline or terminate them?” This is a common question these days and far more complicated than you might think. The National Labor Relations Board (NLRB) has been reviewing company policies and employee terminations that were due to violations of company policies and, in many cases, finding on behalf of the employee. The National Labor Relations Act of 1935 was created to protect employees’ rights to organize into trade union, engage in collective bargaining for better working conditions and take collective action if necessary. Recent court cases involving social media allegations have been found to be protected activities. For instance, if an employee comments that his employer has unfair employment practices or working conditions and other employees chime in, then the activity is viewed as employees trying to improve their working conditions and is therefore protected activity.
One interesting case study involves a business that had a promotional event and many of the employees did not agree with the food offered and the advertising and felt that it reflected poorly on the business. One employee took photos of the event and posted them on his Facebook page with disparaging remarks. After his termination, the employee sued the employer. The NLRB found on behalf of the employee as it was determined through testimony that many of the employees felt the same way about the event and had discussed their frustration at a staff meeting. So, the employee who posted the photos (although appearing to be on his own) was actually expressing the sentiment of the group and therefore his actions were a protected activity.
In summary, regardless of how your business uses computers, internet and social media, chances are your risk of lawsuit has increased. Creating sound social media policies and extensive reviews of your exposures is a good beginning to properly protecting your business.
If you have any questions about the risks of technology in your business, please all us today at 877-352-2121, or e-mail us at beready@clark-mortenson.com.
**As published in Valley Business Journal - March 2014
