Computerworld - Word of upcoming security-related legislation and a recent security incident at my company have prompted me to investigate cyberinsurance. I had to review how well my organization is positioned to deal with a lawsuit or the need to file a claim as a result of a cybersecurity incident.
Like many security professionals, I have been so focused on keeping up with the fast-changing IT security landscape that I haven't thought much about how those changes affect potential insurance-related issues at my company.
For example, in California, Senate Bill 1386 will become law next month. It will require companies to disclose to consumers any event in which data pertaining to them was possibly compromised as a result of a security breach. Under SB 1386, not only California companies will be required to notify customers of security breaches; instead any company that does business in California will have to disclose security breaches to California customers. So if your business is located in Boston or New York and you have customers in California, you will have to comply with this law.
Possible Loopholes
I'm told that there are several loopholes in this bill that give us some flexibility and protection. For example, the law will apply to instances when a customer's data is "reasonably believed" to have been compromised. In my experience, any time that phrase is used, there is room for interpretation. The term reasonable seems to take on different interpretations depending on whom you talk to. Even so, defending interpretations favorable to our company in court could require an army of lawyers and lots of time and money.
Another loophole involves a possible exception if the stolen customer data was stored in encrypted form. My company keeps all of its customer data in an encrypted Oracle database.
Of course, the bill doesn't specify the type of encryption. It could be weak or strong. So the question becomes this: If a hacker is able to compromise a data store and decrypt the data, does that require disclosure? And how do you know whether the hacker did in fact decrypt it?
There's also a provision that says a company doesn't have to disclose a breach if a law enforcement investigation or inquiry is under way. Such investigations can last for years.
Besides situations involving the new California law, there are other instances when we might want to file an insurance claim.
Recently, an employee, prior to leaving the company, created several new accounts on a huge, publicly accessible FTP server that serviced some
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
