Wednesday, March 28, 2012

Update! Cyber Liability

Yesterday I sent an email to all of you about cyber liability. Please see the response I got from one person. I think they express the thinking of many of you. I want to address the insurance issues they raise. First, most general liability policies do not cover cyber liability. Depending on the company, they may by endorsement add coverage for first party (you) and third party (a claimant). Very few companies provide this.

As far as Errors and Omissions goes, cyber liability is usually not covered. There may be some exceptions to this if you are a tech company where they wrap in this coverage. Most of you, of course, do not have Errors and Omissions coverage. The writer does give some good recommendations on risk management practices you should consider.

Scott Hauge
Small Business California
2311 Taraval Street
San Francisco, CA 94116



I don't usually weigh in on the emails I read, but I just can't let this one go. Cyber Liability Insurance? Isn't it difficult enough for a small business to manage their cash flow? It sounds to me like another money-grab aimed at driving small business out of California. Doesn't your general liability insurance already cover these kinds of fraud or theft? I would imagine retail businesses pay a higher premium because of fraud risk. And what about those of us who carry E&O insurance? Existing insurance policies should already cover those things, shouldn't they?

As an accounting professional I have guidelines I have to follow in order to ensure my clients' sensitive information is protected. The labor board requires all personnel records be stored in locked cabinets. Or at least a locked room, and are not unattended. The merchant services regulatory boards require software which only displays the last 4 digits of credit cards on receipts. Accounting programs like QuickBooks and MAS90 protect employee information by printing only the last 4 digits of the social security numbers.

You asked about processes and procedures for handling this kind of information:

I carry E&O insurance for myself and any employees I have. When working on a client file, all information stays in my office. When we are finished with a file it goes back in the locked cabinet. I would be out of business if my clients didn't think I was protecting their information.

Small retail outlets should be aware that their merchant service provider must be compliant with the confidentiality regulations. They should also require their staff be bondable. While you can't predict the creditability of some people, this would be a good first indicator of the reputation of the prospective employee. Background checks are also an available tool for hiring new employees. Having set procedures in place, like they do in the banks, would go a long way to minimize the risk. When handling cash/credit or personal information, two people must be present. This removes the temptation for most people.

Not allowing sensitive company information to leave the office is another.

Not allowing employees to take that kind of work home are two rules which will help minimize the risk.

If we are talking specifically about the risk of computer theft, there are security levels that can be set for certain groups of employees. Those employees who have access to sensitive information should be required to hold a bond.

It is up to the merchant provider or accounting professional to protect their clients.

It is up to the business owner to ensure they have taken the necessary steps.

If you are putting together a list of questions, here are a few you might want to consider passing on to small business owners.

Do you require staff to be bondable when working with money?

Do you conduct background checks on all employees who handle money, or sensitive information?

Is your merchant machine SSN compliant?

Do you have secure storage for your employee records?

Do you have a process in place for staff when handling money, merchant services or personal documents?

Do you have the correct security setting on your software to protect your clients/employees?

Do you require password resets every 90 days?

I enjoy receiving the emails you send, as they keep me informed.

Thank you for keeping us up to date.
