Questions & Answers:
Below are the questions submitted during the live webinar, along with the answers provided by Muhannad Malki. If you have questions of your own or require further information regarding You, the Cloud and Cyber Liability, feel free to contact intouch Insurance Services (see contact information to the left).
If I am hacked and a virus email is sent out in my name, am I liable?
No, unless you are the one that sent it out. If you receive a phishing email, which is basically a virus email, and you forward it to other people, yes, you could be liable. If somebody hacked your account and took over your identity to send that email, no, you are not.
Which policy carrier pays for extortion?
There are several of them that do. A lot of them are starting to do it. CNA is offering it. Chubb is starting to offer it on their policy form. Philadelphia Insurance is offering it as well. Philadelphia is kind of a unique carrier. They are nationwide, in 49 states. They have a reputation for insuring non-profits and NGOs. They also have a pretty robust cyber liability form and cyber liability division, so they’ve been up-and-coming in this field. ACE, which is now referred to as Chubb, because they bought out Chubb, they offer that as well. Travelers will offer it on a case-by-case basis. Hartford as well. A lot of what we call surplus lines carriers that you have to access through a wholesaler are starting to offer it, but it’s something you have to specifically ask for. You won’t automatically see it on most forms.
What data do I need to protect? Is an employee’s name and address considered sensitive information? How about salary, pay, and birthday?
Yes, the name, date of birth, social security number, and home address are the four PIIs (personally identifiable information) that people look for and that you need to protect. Just have a centralized way of doing things. If you’re going to protect some data, protect all data. You shouldn’t have anything exposed.
And there was another add-on to that about performance reviews. I would take it that’s another potential source of sensitive information that you’d want to protect as well.
Potentially, it could be. That’s actually a question that you should discuss with your labor attorney. I know that different states have different guidelines. A lot of times, I know with some of our California clients where I’ve worked with their labor attorney and their HR consultants, I see that they actually have four different files for each employee. Not everything goes in the same file. They have their medical applications in one file, their personal information in another, their reviews in a third, and so on, and so forth. Now, if you’re all digital, you should be protecting all of it. If you’re still using paper files, you should have them separated and you should lock them up.
If I don’t have a big budget, but I’d like to protect the company, what can I do and where should I start?
We talked about affordability. Pricing depends on the size of the company and its revenues. It depends on what you do, how many records you have, and how big of a company you are. I’ll give you examples on a smaller scale. I deal with a growing number of non-profits. Some of them are really small; we’re talking about a couple of employees. I’ve seen premiums as low as $700 a year. So, they are very affordable, especially when you are a smaller company. It’s not something that’s outrageous. But if it’s still not in your budget to purchase coverage, the more important thing is, internally, to do the things you need to do. Talk with your IT person. Make sure they’re doing everything that they need to do. Make sure you’re encrypting your data. That doesn’t really cost much to do, as opposed to purchasing coverage. You should be doing both, but if there’s no budget to purchase coverage, then at least take the measures internally that you should be taking.
If my employee is on FMLA or Workers’ Comp and they were told not to work, but they log into their work account and cause problems, who’s responsible?
Both of you are. You for giving them access to it, and them for accessing it. Don’t forget that you’re still the employer. Whatever records were accessed were given to you for safekeeping. It’s your obligation to safekeep them, and it’s also the other person’s obligation. They’re going to be liable, but you’re also going to incur some defense costs in this situation. If they’re not supposed to have access, then you need to restrict or cut off their access.
Should I block my employees from using social media to reduce risk?
That question—whether you can actually block your employees’ access to social media—can be better answered by your labor attorney. I know various state laws differ on this, but what you should have is a written social media policy. And if you currently work with a labor attorney, they usually have samples of those available for you to use. But before thinking of cutting your employees’ access off completely, take a look at having a formal social media policy. If you decide that your policy is to block access, then obviously anybody who violates it can be terminated or written up or whatever the case may be. But to simply cut off social media access, I’m not sure about that. That’s more of a legal question—whether you even have the ability to do that—and it depends on the state where you’re located.
Does cyber security insurance cover data leaks from cell phones?
Yes. Portable device coverage can be included in your cyber security insurance. What you need to consider in this type of situation is who the cell phones or tablets belong to. Do you have a BYOD (Bring Your Own Device) policy whereby you load software on your employees’ devices? Or do you distribute the devices yourself? Either way, these devices need to be encrypted. But yes, if the data is taken from a portable device, it can be covered under the policy.
If it’s a cell phone or tablet that’s being utilized for work, and let’s say it’s a personal cell phone or tablet, then that should be covered. But let’s say that it’s a personal cell phone that wasn’t utilized for work, but somehow the individual was using it for work, who’s liable for that?
Both. Again, you’re basically facilitating an environment that allows access to your data, whether it’s through your WiFi signals or whatever the case may be. You’re allowing that to happen, so you will be incurring some costs. You will not get away without incurring costs, even though the employee is the one who caused the claim or whatever the case may be. Both of you are going to be involved in this type of scenario.
If an organization has a policy in place that restricts personal cell phone use for company business and somebody goes ahead and utilizes their cell phone for company business and there is a breach, I take it that the individual would be responsible for any cyber liability.
They would be, but you also could be if it was easy for that person to access the system using their personal cell phone. Basically, you’re not encrypting your data or your firewall is not sufficient. We’re seeing scenarios locally with restaurants that offer free WiFi and they say, “No, we have a separate WiFi password for guests and a separate WiFi password for employees and management.” Well, they’re all on the same network, so the free WiFi could be a point of access.
If my employee uses a public WiFi and gets hacked while working in the airport public area, is my company liable?
Yes. At our company, for example, we have a policy that prohibits the use of public WiFi for company business for precisely this reason.
Can you recommend a labor attorney?
It depends on what state you’re in. Email me.