According to Brad Gow, Vice President, ACE USA Professional Risk, critical data becomes especially vulnerable to compromise when it migrates beyond a company's own security and risk control protection measures. When common business practices include outsourcing data management or storage services to third-party vendors, risk managers must be especially vigilant.
"Outsourcing data services like transaction processing, billing and collections is common across many industries and businesses. Because the responsibility for protecting customer information can't be outsourced, savvy risk managers should select their third-party vendors with care. Consumer backlash, negative publicity, class action suits, significant fines and diminished investor confidence are likely to occur regardless of who is standing watch when sensitive data is compromised," said Mr. Gow.
According to Mr. Gow, best practices call for risk managers to thoroughly examine the protections surrounding sensitive consumer data at every stage of its lifecycle. Compiled by ACE Professional Risk underwriters and claims experts, the recommendations that follow can help minimize your organization's exposures and maintain data integrity.
Strategic Tactics for Ensuring Data Integrity, Minimizing Loss & Curbing Liability:
-- How frequently are independent assessments of the vendor's security procedures and processes conducted? Regular assessments, and subsequent action to correct deficiencies, indicate that the vendor is serious about data security, as does implementation of ISO or other voluntary data management standards.
-- Once outside the company's security controls, data can be extremely vulnerable. Encryption at the front end, before data is exported, is an effective tactic, and has been proven to deter fraudulent data use.
-- Demand that vendor candidates prove themselves capable of protecting your organization's sensitive consumer data. Explore the vendor's credentials, track record, and security standards and processes.
-- Ask questions: what controls and security processes does the vendor have in place? Ask for, and thoroughly review, copies of network security policies and procedures.
-- Ask potential vendors to detail their formal records management process. When working with vendors, have them issue status reports and other documentation regularly. Don't wait until data is compromised to request a paper trail.
-- Does the vendor comply with legal and regulatory standards? Has the vendor been sued, fined or cited for legal or regulatory shortcomings?
-- Does the vendor run criminal background checks on its employees? Data theft and tampering is not always the work of outsiders. A part-time data processor or senior executive with database access can compromise sensitive data as readily as the most skilled cyber hacker, and with equally devastating consequences.
-- Like all cargo, records, documents and back-up tapes are most vulnerable while traveling from point A to point B. Ask potential shipping vendors to detail the technologies (for example, barcodes or radio frequency identification tags) used to continuously monitor access to data and to track its location. What other loss control measures are in place?
-- Consider more than price. Remember, you get what you pay for. When vendor pricing reflects a minimal investment in essential security controls, the potential exposure for your organization could be considerable. Penny pinching is not worth the risk.
-- Does the vendor candidate carry an adequate amount in professional and cyber liability insurance coverages? Vendor candidates who don't have adequate insurance clearly do not understand the potential exposures involved in handling proprietary consumer data. Don't trust them with yours.
Substantial fines, the cost of informing affected customers, damage to your company's reputation, and declining consumer and investor confidence are among the consequences when sensitive consumer data is breached or compromised. Risk managers can rein in liability before loss occurs through careful evaluation and assessment at the vendor-selection stage, and throughout the lifespan of subsequent vendor relationships.
ACE USA, the U.S.-based retail operating division of the ACE Group of Companies, provides customized risk management solutions designed to help businesses and organizations of every size address key network security and consumer data exposures.
Through its comprehensive ACE Digital DNA(SM) (Data*Network*Availability) network risk insurance program, ACE covers* losses including:
-- The cost of replacing, restoring, or recollecting data that has been corrupted or destroyed due to a network security failure.
-- Costs arising from a criminal extortion threat to release sensitive information or bring down the insured's network unless demands are met, including extortion monies.
-- Costs of complying with identity theft legislation, including customer disclosure.
-- Loss of income and extra expenses that result when the insured's network is interrupted by attack. Covers criminal hackers, malicious insiders, and distributed denial-of-service (DOS) computer attacks.
-- Loss of income and extra expenses that result when key service providers cause network interruption. Coverage includes co-location companies, web-hosting companies, and outsourced e-commerce providers.
* The information provided is for illustrative purposes only and does not amend or alter in any way the terms, conditions, exclusions and limitations of the policy delivered. Please consult the policy for exact terms and conditions.
For additional information about first-party digital insurance and other strategies and tactics for managing digital risk, please contact Brad Gow, Vice President of ACE Professional Risk at (215) 640-1949 or visit: www.ace-ina.com.
ACE USA is the U.S.-based retail operating division of The ACE Group of Companies, headed by ACE Limited (NYSE:ACE), and is rated A (Excellent) by A.M. Best Company and A+ (Strong) by Standard & Poor's. ACE USA, through its underwriting companies, provides insurance products and services throughout the U.S. Additional information on ACE USA and its products and services can be found at www.ace-ina.com. The ACE Group of Companies provides insurance and reinsurance for a diverse group of clients around the world.
(1) "Recent developments in data security law in the United States," by Lynne B. Barr and Jacqueline Klosek. Goodwin Proctor LLP. http://www.goodwinprocter.com/publications/barr_klosek_5_05.pdf