Small Business Insurance For Data Loss and Security Breach

The Hartford has recently announced a new insurance product tailored to small businesses for data loss and security breaches. It has been touted as more affordable for the smaller business owner. More and more small businesses are experiencing the devastating effects of a security breach incident or data loss. The statistics and stories are well reported from various sources. Experts agree that costs can exceed $200 per lost page of data. This can cripple a small business and leave it exposed to lawsuits and litigation.

The front-line defense against data loss and security breach risks should always be a good security and privacy plan. A technology attorney working in conjunction with your IT support can develop and help implement an effective security and privacy plan. The process of developing and implementing such plans often reveals the problem areas for any business. Nevertheless, at the end of the day, there is no 100% fail-safe plan to secure data, whether the data is in the cloud or on a server in the office. There are also unavoidable risks associated with paper documents. Likewise, there is no plan to provide 100% protection to paper documents. That is why insurance is a good choice to cover the unavoidable risks.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require best practices. This process alone will substantially reduce the likelihood of a significant data loss incident. Accordingly, small businesses should consider a three-step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of the insurance application process

3. Purchase and maintain data loss insurance

New Privacy Report From Federal Trade Commission (FTC)

The FTC released its 122-page Privacy Report today. This Report has been anticipated for some time. The FTC Chairman, Jon Leibowitz, summed up the purpose behind the FTC’s involvement in data privacy and security with the release of the Report, stating:

Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well.

The Report is issued as "A Proposed Framework For Business and Policymakers."  The Report is intended to "inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy."  It is also intended to be a framework for how companies should address privacy. 

The biggest news-making aspect of the Report is the endorsement of a Do Not Track system that would permit consumers to limit or control the amount of information given to advertisers that track consumers’ online behavior. This would be similar to the Do Not Call registry.

For an excellent review of this far-reaching Report, and its implications, read this post on the Privacy and Security Law Blog. For more information on the Do Not Track and online behavior tracking aspects of the Report, here is a post from the Electronic Frontier Foundation. In the days ahead, there will be many more blog posts about the Report.

For now, if you are a company that collects data for online behavior tracking or stores personally identifiable information (PII, such as name, address, Social Security number, date of birth, etc.), this Report should be reviewed, albeit with the understanding that it is a proposed framework and will not be a final report until sometime in 2011. The Report will be subject to much debate and critical comment, but might also serve as a best-practices guidepost.

My general takeaway points from the Report are that the FTC:

  • Endorses a Do Not Track system
  • Expects privacy policies to be based on notice and choice for consumers
  • Opines that many companies "do not adequately address consumer privacy"
  • States that privacy policies should reflect the level of sensitivity of the data they seek to protect
  • Wants companies to promote consumer privacy throughout development of their services and products, or adopt "privacy by design"
  • Wants companies to make it easier for consumers to understand privacy policies and data collection
  • Wants consumers to have more choice on opt-in or opt-out for data collection

The FTC will take public comment on the Report until January 31, 2011.

Wondering Where The Line Is On Internet Privacy – Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions. Many calls come from e-commerce businesses, startups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content. The question becomes, just what are the limits for user expectations on privacy?

Take Facebook, for example. Facebook has a reported 400 million users. Facebook is constantly in the headlines over its privacy policies and security settings related to its users’ profile information. Whether it is a class action lawsuit in California or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.

Recently, another lawsuit has been filed over Facebook’s "opt out" setting concerning the instant personalization feature. Wendy Davis of Online Media Daily reported on the story. This feature automatically shares user information with three outside companies: Microsoft Docs, Pandora, and Yelp. The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act. By my count, Facebook has been sued at least 30 times in federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations. When Facebook makes a change or tries something new, everyone pays attention. As a result, Facebook’s privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government.

If you want to know what crosses the line when it comes to privacy on the Internet, just watch Facebook.