ISO Products Perspective
Big data and small businesses
Proper risk evaluation is critical to understanding a firm's cyber-risk exposure
By Shawn E. Dougherty
The concept of big data has been around since the advent of computers, though the term itself has become widely used only in the past several years. But what does it really mean, how important is it to small business risks, and how can you help your clients assess and guard against their exposures?
According to Intel, one definition of big data is "huge data sets that are orders of magnitude larger (volume); more diverse, including structure, semistructured and unstructured data (variety) and arriving faster (velocity) than you or your organization has had to deal with before." In the 1990s, data warehousing was an early form of big data, with data sets described in terms of megabytes and gigabytes. Today, while we use the term "big data" often (if not somewhat loosely), data sets easily reach sizes measured in terabytes (1,000 gigabytes), petabytes (1,000 terabytes), or larger. As technological advancements accrue, what we consider to be big data tends to change.
What has changed most significantly is the type of data contained in those data sets and how we use them. Data sets 25 years ago may have included primarily corporate statistics (for example, revenues, expenses, and so on). Today's data sets more likely contain information such as a record of every click made on every Web page by every visitor to a firm's Internet site; a record of every customer purchase; and information about those customers, including their personal identifiable information (PII) and/or protected health information (PHI). Just as important, those firms may also store corporate trade secrets and intellectual property that, if released to the wrong hands, may place the firm at a competitive disadvantage.
Companies strive to gain any competitive edge they can from mining that wealth of data. They analyze the data they collect to gain a better understanding of customer shopping patterns and habits. That provides them with better business intelligence in hopes of increasing sales and lowering expenses.
Access to big data is no longer only the purview of large companies. Several factors contribute to small and mid-sized businesses now being able to access and analyze similar types of data. The availability of affordable cloud computing services, which many businesses utilize in one fashion or another as part of their operations, is one factor. Other factors include the availability of larger amounts of data being in the public domain and affordable technological tools and software programs that give smaller firms the ability to process and analyze large volumes of data quickly and easily.
But having all that data potentially places businesses at risk, especially if they experience a data breach. For example, technology-oriented companies such as Facebook, Google, Microsoft, and Twitter have experienced data breaches. Even governmental agencies, credit card processors, hospitals, religious organizations, and colleges and universities—organizations known to accumulate and manage large volumes of sensitive data—have been breached as well.
Small commercial firms also get attacked. A recent survey conducted by the Ponemon Institute on behalf of a prominent insurer cites that 55% of small businesses in the United States have experienced a data breach, with a significantly large percentage of them having suffered multiple breaches. In March 2013, The Wall Street Journal reported on a hearing held by the U.S. House Small Business Subcommittee on Health and Technology on the topic of "Protecting Small Businesses Against Emerging and Complex Cyber-Attacks." The report stated that 20% of all cyber attacks were against small businesses with 250 or fewer employees.
The tangible and intangible costs associated with a data breach can be significant and can easily affect a smaller firm's long-term ability to survive. All businesses are susceptible to a data breach, but smaller firms are particularly vulnerable. If they experience a loss to or corruption of data, their reputation with customers or within the industry can suffer, which can lead to a loss of income. Further, the breach and release of confidential data belonging to another party could expose the business to liability claims. Regulators and the Payment Card Industry (PCI) may also assess penalties and fines.
A cyber liability insurance policy can protect businesses from data breach loss exposures. The policy forms available through ISO's E-Commerce (cyber insurance) Program, for example, are designed to provide first- and third-party insurance coverage for computer and Internet-related exposures, such as those generally associated with a data breach. Cyber liability policies typically provide the following types of coverage:
• Web site publishing liability—Coverage for errors, misstatements, or misleading statements posted on a Web site that infringe on another's copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person's right of privacy.
• Security breach liability—Addresses a company's liability following a data breach resulting in a hacker having access to a third party's confidential information from within the insured's computer system, or if the firm's computer system transmits a virus to a third party.
• Programming errors and omissions liability—Liability coverage that typically applies when the programming error or omission is responsible for the disclosure of a client's confidential information held within the insured's computer system.
Replacement or restoration of electronic data—The cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code, or denial-of-service attack.
• Extortion threats—Generally covers against threats to: introduce a virus, malicious code, or denial-of-service attack into the insured's computer system; divulge the firm's proprietary information contained in the system or a weakness in the source code within the firm's computer system; and inflict ransomware or publish confidential personal information of clients.
• Business income and extra expense—The loss of business income a firm incurs as a result of ceasing Web site business activities because of a virus attack or extortion threat.
• Public relations expense—Expenses associated with restoring a firm's reputation following a data breach.
• Security breach expense—Provides for the cost of investigating the breach and expenses to notify victims of the breach, establishing call centers, and implementing credit monitoring services.
Here are some questions you can ask your clients to help them evaluate the need for a cyber liability insurance policy:
• What types of data does your client collect and why? Does your client's privacy notice match up with the types of data the client collects and the intended use of the data?
• How and where does your client store collected data (for example, on site or off site)? Does your client utilize the services of a third-party data storage provider (for instance, cloud computing)? How well is the data protected, and does the service agreement provide your client any protection in the event that the storage provider's system is breached?
• How long does your client maintain collected data? Does your client retain outdated data and, if so, why? How does your client eliminate data?
Such questions only scratch the surface but can provide a good foundation to initiate discussion about the issues.
Big data is here to stay, and customer data will remain the lifeblood of many businesses. Technological advancements will continue to further enable smaller firms to analyze and make better use of data they amass. It is evident that businesses of all sizes need to be concerned about safeguarding the data they collect and the potential exposures they face should they suffer a data breach. Make it your business to know how to deal with big data.
The author
Shawn Dougherty is assistant vice president, Specialty Commercial Lines at ISO, a member of the Verisk Insurance Solutions group at Verisk Analytics (Nasdaq:VRSK).