Your Liability in the Digital Age

On Wednesday, February 19th, Infinity, Inc. will host a networking breakfast and panel discussion on Cyber Liability and Business Risk at the Charles Morris Center. The event is open to business owners and IT professionals.

Liability Panelists

The panel consists of industry experts Cindy Robinett, Sterling Seacrest Partners; Nicole Pope, HunterMaclean; (moderator Chuck Brown, Infinity, Inc.); John McBride, Green Cloud Technologies; and Matt Scully, Datto.

Click on the image to see more photos from the event.

 

Takeaways

The panelists shared a lot of great information on how to uncover, manage, and mitigate your liability. There were too many great points to include them all, but here are a few. We recommend printing this list and sharing it with your leadership team. You can cross off the items you’re all clear on, and work together to resolve the rest so your business is better prepared and protected.

• SMBs are being targeted by cyber attacks; it’s not just the big guys. Why? SMBs are usually easier to get into, which means less time and effort required by the cyber criminals, which makes them more money, faster. This is big business for them.
• Find out exactly what your insurance covers. Don’t just guess or assume. Speak with an insurance provider who can customize policies to suit your particular risk exposure.
• Note the difference between Effective Dates and Retroactive Dates on your policies. This is especially important because the origin of a breach can go back months before anything was noticed.
• Understand all the various costs that can be associated with a breach, such as forensic investigators, privacy counsel for federal and state laws, communication expenses to notify those impacted, ransom fees, regulatory fines, downtime, etc. And make sure you know if there are certain authorized vendors you need to use in the event of a breach in order to have your claim approved.
• Get a security firm to perform a risk assessment of your company. Or use this step-by-step guide as a starting point. Keep in mind that this should not be a strictly digital exercise. You may find that your company’s biggest risk is someone in an air conditioning uniform being allowed to walk right into the building and be left with unsupervised access to workstations or server rooms.
• Take a fresh look at your disaster recovery plan. Use the risk assessment to create (or update) it, and then run drills. Don’t just leave your plan on paper and find out after you’ve been locked out of your system that there are no printed copies (or any other similar examples that would prove you never tested the plan).
• Consider sending a security questionnaire to your vendors so you know how they handle various data and situations. Ask them if they have ever been under investigation for regulatory issues.
• Make sure you know the reporting deadlines for any compliance regulations that apply to your business. Some can be as short as 72 hours to notify.
• If your website does not have a privacy policy on it yet, add one. And be careful not to simply pull a free template off the internet. You want a policy that speaks to the kinds of data you actually collect and how you use it. Facebook and Google both collect massive amounts of data; but you can be certain they don’t handle everything the same.
• CCPA and GDPR are relevant to us even here in Georgia. These regulations passed in California and Europe, respectively, do not just apply to businesses operating in those areas. They can apply to anyone doing business with residents of those areas. So if you sell your products or services to anyone in California or Europe, your business needs to comply with their data privacy terms or be prepared to face some hefty noncompliance fines.

The panelists shared so many illuminating (and entertaining) stories throughout this discussion. We heard about the Atlanta ransomware attack asking for $51,000 in bitcoin that has resulted in downtime costs totaling just under 52 million dollars…a company that was breached and handled it according to their plan and policies and was shocked to find their multi-million-dollar insurance claim denied because they didn’t realize they had to choose vendors from an authorized list…plus lawsuits that can crop up after you think a breach has finally been dealt with…and the user error that makes ordering a simple rare hamburger come out differently everywhere you go.