In the wake of the most recent cyber security attack at Time Warner Cable, all executives should have one question on their mind right now:
“Is my organization next?”
If these sophisticated hackers are smart enough to infiltrate and dismantle the most well thought out security controls and safeguards at large organizations like Target, Home Depot, and even our own government – the United States Office of Personnel Management – then they surely can do the same to your organization. It’s just a matter of time before they select you.
This should not discourage you, but rather start you down the road to ensure that you have sufficient protection. The technical safeguards, authentication processes and limiting the amount of sensitive data that can be downloaded are all ways to prevent what you can’t control – the hackers. (And while, as MicroAutomation's director of finance and administration, I'm no lawyer, these are some of the most common concerns I've seen, and how they've been addressed successfully.)
Control Legal Exposure
What you can control is your legal exposure. The first step to protect your organization from a cyber security attack is to ensure that you have a cyber security insurance policy that covers the type of business your organization is engaged in. And since there is no "one-size-fits-all" cyber security insurance policy available, you should consult with an insurance broker with this kind of specialty. Not only can they help you select the right option for you, they can help you navigate the often incomprehensible sea of insurance jargon.
For instance, you may be purchasing a policy you believe will protect your organization from being hacked and having sensitive data stolen, when in actuality your policy only covers sensitive data that is downloaded to media such as a CD or thumb drive. This is why it is imperative to discuss these policies with a broker – you'll be able to better understand the possible different scenarios and determine which policy is the best fit for the needs of your organization.
Ensure Proper Legal Protection
Next, you need proper legal protections in place. Cyber security or data breach liability is often covered within a combination of the Indemnification Clause and the Limitation of Liability section of a Master Agreement – an overarching legal agreement between any two organizations, which includes the legal terms and conditions designed to protect organizations from lawsuits.
The Indemnification Clause essentially states that one party shall protect (compensate) the other party for losses or damages set out in the provision. The Limitation of Liability section states the total liability the guilty party, once proven, may be expected to pay to the harmed party.
The key is to develop language in your MA that will protect your organization from data breach activity that is out of your organization’s control, as well as limit your liability to levels that won’t put you out of business.
Limit Your Liability
At MicroAutomation, we design and implement automated call center solutions. Our solutions don’t have direct access to the data source (the potential sensitive data), and our solutions are stored in the customer’s environment under their control. Therefore, we make sure that the language in our MA states specifically that we are only to be held responsible for any gross negligent activity by our employees. We can’t be held responsible for negligent activity beyond our organization’s control (i.e. customer leaving passwords unprotected or not enforcing automatic password resets on a regular basis).
In addition, we limit our liability to levels that won’t put our organization out of business. Initially, we try to limit our liability to the total value of the "Statement of Work." When doing business with larger companies, however, their general counsels typically won’t agree to those terms. If you find yourself in a similar situation, try to limit your liability to the amount of your cyber-security insurance policy. Let the insurance policy pay, that’s why you pay premiums.
"Will This Really Protect My Organization?"
In the end, if hackers want sensitive information from you they will obtain it. It’s not enough to just have secured environments. Without the proper cyber-security policy and legal protection, your company may be the next Time Warner Cable. But, unlike them, you may not have the capital to overcome such an attack. It’s just a matter of time, so be proactive and protect yourself now.