If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to "old fashioned" businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.
Law is not considered a particularly high tech profession, but those days are long gone. We are now completely dependent on our computers and computer networks. The vast majority of communications are by email. Court filings are either exclusively electronic in the federal courts or are gradually going that way in the state courts. Most law firms have dispensed with law libraries and now rely on computer services such as Lexis/Nexis and Westlaw.
If this is true for a somewhat stodgy profession such as the law, it is true for just about every business. Computers and the Internet have become to most of us in business what a hammer and saw are to a carpenter: Key tools that are necessary to get anything done. Even for those of us who remember doing things the old way, there is no going back. Steve Jobs and Bill Gates aimed to change the world, and they did.
Despite the importance of computer systems and IT to businesses, many businesses have not taken basic steps to secure their information, much less prevent against outside attack. Tough management that asks the right questions and implements the right policies and procedures will help minimize the risk. The IT security professionals that I have spoken to stress that the vast majority of incidents they see -- resulting in data loss, trade secret theft, or system failure -- could be prevented by better procedures.
If your company has outsourced, for example, to a cloud services provider, it needs to know what the services provider is expected to do in the event of an outage. If the cloud provider goes down, your business may go down with it. You need to understand the risks. Hint: Most form terms and conditions from providers limit any meaningful liability.
No matter what steps are taken, however, businesses will remain at risk for data loss and hacking. The costs associated with a data breach can be staggering. If you think your insurance will protect your business, you may be in for a nasty surprise. As the New York Times recently pointed out, insurers will try to avoid coverage for data loss and data breach under most conventional policies. As the article also points out, insurers are responding to the need by making new policies available that provide coverage.
If your business has not considered these issues thoroughly, what should you do? Start with the following:
1. Do a thorough review of your IT policies and procedures. If you use a cloud provider, understand what the contract provides and what the provider will do in the event of an outage. Consider engaging counsel and an IT security expert to help assist. This is not an area I am an expert in IT policies and procedures, but have followed this area closely. If you need help, contact me and I will put you in touch with one of our firm's experts or an outside expert.
2. Review your existing insurance coverage and consider purchasing insurance for added protection. This is not an area that you want to trust to a small time agent who mainly writes auto policies. There are many different products out there and they all cover different things. You need to consult with an expert in the field. If your business is at all complex, you may also want to involve coverage counsel in reviewing your company's situation. Again, if you need help, feel free to contact me.
3. If you have a breach or a data loss, you still may have coverage even if you have not purchased special insurance. Although insurers who write commercial general liability policies have tried to limit coverage for such losses, an experienced coverage lawyer may still be able to help. It depends on the type of loss, the policy, and the jurisdiction. In addition, some policies contain endorsements that may provide at least some level of coverage. Note: I am not suggesting that you simply take a chance and assume your existing coverage may be adequate. You should still review it. However, if you do have a loss, as always, do not believe your insurer's statement (or your agent's statement) that there is no coverage until you consult with an experienced coverage attorney. Again, if you need help, contact me and I will try to assist.
We live in a world that has become dependent on computers and the Internet. Although technology changes and opens new opportunities, human nature and human fallibility does not change. Anything that is made by human beings can fail and there will always be crooks and rogues among us looking to steal and disrupt. As always, the rest of us have to adapt and be vigilant.