This post originally appeared on Tressler’s Privacy Risk Report blog
In assessing the risks related to cybersecurity, insurers have closely examined the technology put in place by insureds to safeguard data or other private information. This is because privacy and data security tend to focus on sophisticated hackers in other countries that have the latest technology at their disposal.
While professional hackers, hacktivists and terrorists undoubtedly pose an enormous threat, we have recently seen an uptick in the number of data breach stories involving employees. At present, it appears an insured’s technology is only as good as the training provided to an insured’s employees.
Just last week, it came out that employees with the St. Louis Cardinals hacked into the network of the Houston Astros. Even if the Cardinals organization had no knowledge of the hacking, the allegations against its employees still puts the Cardinals in the hot seat.
On June 12, employees of Cuesta College in San Luis Obispo, California were notified of a database breach where employee names, addresses and Social Security numbers were sent to a private email account. After investigating the breach, the main suspect was an employee of the College who accessed the College’s network while she was at her home on medical leave.
By June 18 employee Lacey Fowler was charged with a felony count of improperly accessing computer data. Fowler was a Human Resources Manager at the College.
In another unfortunate example, Crain’s New York reported that the Montefiore Health System in New York was informed by law enforcement on May 15 that it had a breach of the private information of more than 10,000 of its patients. The breach, occurring between January 2013 and June 2013, appears to have been committed by a former assistant clerk.
The Manhattan D.A. prosecuting the case against the former employee said, “We’ve seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers.”
The investigation showed the employee was selling private patient records for as little as $3 per record. The article states that, “Montefiore has a reputation among hospitals for its significant investment in technology and analytics.”
The fact that the employee in the Montefiore case was willing to jeopardize his job for $3 per record demonstrates the potential threat created by employees regardless of the investments made in an organization’s technology and security. Consequently, when providing insurance coverage for data security, an insurer’s investigation should go beyond merely looking at the technology the applicant has in place.
Further, in Columbia Cas. Co. v. Cottage Health Sys., an insurer held that the insured misrepresented its technology in the application for cyber insurance. While having the most advanced technology is important, a substantial factor in the integrity of an insured’s security is based on the training and monitoring provided to an insured’s employees.